SQL Injection in Progress MOVEit Transfer

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

This repository provides a working proof-of-concept (POC) exploit for CVE-2023-34362, a critical SQL injection and remote code execution vulnerability in Progress MOVEit Transfer. The main exploit script (CVE-2023-34362.py) is a Python tool that automates the attack chain: 1. It first abuses a SQL injection in the guest access functionality to set arbitrary session variables and ultimately obtain a sysadmin API access token. 2. The exploit then uses this token to perform a deserialization attack during a file upload, resulting in remote code execution (RCE) on the MOVEit Transfer server. 3. The default payload writes a file to C:\Windows\Temp\message.txt, but the exploit can be customized to execute arbitrary commands using ysoserial.net-generated payloads. The repository includes supporting files: a certificate and private key (cert.crt, key.pem, key.pub) for forging JWTs required in the attack, and a provider_file.txt with example IDP metadata. The README.md provides technical background, usage instructions, and mitigation advice. The exploit targets unpatched MOVEit Transfer servers accessible over the network and requires interaction with specific web endpoints (/guestaccess.aspx and /moveitisapi/moveitisapi.dll). The attack vector is network-based, and the exploit is operational, providing a full attack chain from initial access to RCE.

This repository contains a Ruby exploit script (CVE-2023-34362.rb) targeting the MOVEit Transfer application, exploiting CVE-2023-34362. The exploit achieves unauthenticated remote code execution (RCE) by chaining a SQL injection vulnerability with unsafe deserialization. The script performs the following steps: establishes a session, leverages SQL injection to plant a serialized .NET gadget (configured to spawn 'notepad.exe') in the database, and then triggers deserialization via a crafted API call, resulting in code execution on the server. The exploit also includes cleanup steps to remove indicators of compromise from the database. The main endpoints targeted are '/moveitisapi/moveitisapi.dll', '/guestaccess.aspx', and '/api/v1/folders/<folder_id>/files'. The repository consists of the exploit script and a detailed README explaining usage and exploitation flow. The exploit is operational, with a hardcoded payload, and is not part of a larger framework.